yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #61181
[Bug 1661503] [NEW] If public_endpoint is set, the first call will be always public endpoint
Public bug reported:
I have setup a keystone service(Mitaka) on ubuntu,
and it seems that the first call will always be to keystone's public api url,
when you have set "public_endpoint" in keystone.conf.
For example, when I do the following openstack commands, I always get
the following error.
$ubuntu@client:~$ openstack token issue
Unable to establish connection to http://10.12.2.2:5000/fuga/v3/auth/tokens
The keystone's endpoint are like this:
public: http://10.12.2.2:5000/fuga/v3
admin: http://10.12.1.2:35357/fuga/v3
internal: http://10.12.3.2:5000/fuga/v3
openstack client is installed in a client node, which is seperate to keystone node,
and this client node has no network access to public api network.
So if accessing to public api, this is expected, but I have set the env variables like this,
ubuntu@client:~$ env | grep OS_
OS_USER_DOMAIN_NAME=default
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=openstack
OS_AUTH_URL=http://10.12.1.2:35357/fuga/v3
OS_USERNAME=admin
OS_INTERFACE=admin
OS_PROJECT_DOMAIN_NAME=default
Therefore, my expectation is that api access goes only through admin url.
I have tried also with internal api url, but get the same error.
And of course if the client node has public api network access, the openstack client worked perfectly.
Also, if you just not use the special path for api urls, so by not setting "public_api", it will also work perfectly.
According to this:
https://github.com/openstack/keystone/blob/stable/mitaka/keystone/version/service.py#L160
"public" string is given, and here:
https://github.com/openstack/keystone/blob/stable/mitaka/keystone/common/wsgi.py#L372
the string is being combined with "_endpoint", which will become "public_endpoint",
and if the url is set, this public url will be the initial access.
I have attached some info,
- /etc/keystone/keystone.conf
- /etc/apache2/sites-enabled/wsgi-keystone.conf
- output with debug option
** Affects: keystone
Importance: Undecided
Status: New
** Attachment added: "debugoutput-openstackclient.txt"
https://bugs.launchpad.net/bugs/1661503/+attachment/4812390/+files/debugoutput-openstackclient.txt
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1661503
Title:
If public_endpoint is set, the first call will be always public
endpoint
Status in OpenStack Identity (keystone):
New
Bug description:
I have setup a keystone service(Mitaka) on ubuntu,
and it seems that the first call will always be to keystone's public api url,
when you have set "public_endpoint" in keystone.conf.
For example, when I do the following openstack commands, I always get
the following error.
$ubuntu@client:~$ openstack token issue
Unable to establish connection to http://10.12.2.2:5000/fuga/v3/auth/tokens
The keystone's endpoint are like this:
public: http://10.12.2.2:5000/fuga/v3
admin: http://10.12.1.2:35357/fuga/v3
internal: http://10.12.3.2:5000/fuga/v3
openstack client is installed in a client node, which is seperate to keystone node,
and this client node has no network access to public api network.
So if accessing to public api, this is expected, but I have set the env variables like this,
ubuntu@client:~$ env | grep OS_
OS_USER_DOMAIN_NAME=default
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=openstack
OS_AUTH_URL=http://10.12.1.2:35357/fuga/v3
OS_USERNAME=admin
OS_INTERFACE=admin
OS_PROJECT_DOMAIN_NAME=default
Therefore, my expectation is that api access goes only through admin url.
I have tried also with internal api url, but get the same error.
And of course if the client node has public api network access, the openstack client worked perfectly.
Also, if you just not use the special path for api urls, so by not setting "public_api", it will also work perfectly.
According to this:
https://github.com/openstack/keystone/blob/stable/mitaka/keystone/version/service.py#L160
"public" string is given, and here:
https://github.com/openstack/keystone/blob/stable/mitaka/keystone/common/wsgi.py#L372
the string is being combined with "_endpoint", which will become "public_endpoint",
and if the url is set, this public url will be the initial access.
I have attached some info,
- /etc/keystone/keystone.conf
- /etc/apache2/sites-enabled/wsgi-keystone.conf
- output with debug option
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1661503/+subscriptions
Follow ups