
yahoo-eng-team team mailing list archive

[Bug 1661503] Re: If public_endpoint is set, the first call will be always public endpoint

 

That configuration option acts as a hard coded value for public
endpoint [0]. If left unset - the service will generate the endpoint
from the request environment [1]. Try unsetting public_endpoint if you
can and see if that helps your internal clients. External clients using
the public endpoint should have the same experience since they are using
port 5000 for requests.

Let me know if that helps.

[0] https://github.com/openstack/keystone/blob/025e844fc485c23be1de033473f3cadd7486b642/keystone/conf/default.py#L43-L49
[1] https://github.com/openstack/keystone/blob/025e844fc485c23be1de033473f3cadd7486b642/keystone/common/wsgi.py#L330-L337

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1661503

Title:
  If public_endpoint is set, the first call will be always public
  endpoint

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  I have set up a keystone service (Mitaka) on Ubuntu,
  and it seems that the first call will always be to keystone's public api url,
  when you have set "public_endpoint" in keystone.conf.

  For example, when I do the following openstack commands, I always get
  the following error.

  $ubuntu@client:~$ openstack token issue
  Unable to establish connection to http://10.12.2.2:5000/fuga/v3/auth/tokens

  Keystone's endpoints are like this:
  public:   http://10.12.2.2:5000/fuga/v3 
  admin:    http://10.12.1.2:35357/fuga/v3
  internal: http://10.12.3.2:5000/fuga/v3 

  openstack client is installed in a client node, which is separate from the keystone node,
  and this client node has no network access to public api network.
  So if accessing to public api, this is expected, but I have set the env variables like this,

  ubuntu@client:~$ env | grep OS_
  OS_USER_DOMAIN_NAME=default
  OS_PROJECT_NAME=admin
  OS_IDENTITY_API_VERSION=3
  OS_PASSWORD=openstack
  OS_AUTH_URL=http://10.12.1.2:35357/fuga/v3
  OS_USERNAME=admin
  OS_INTERFACE=admin
  OS_PROJECT_DOMAIN_NAME=default

  Therefore, my expectation is that api access goes only through admin url.
  I have tried also with internal api url, but get the same error.

  And of course if the client node has public api network access, the openstack client worked perfectly.
  Also, if you just do not use the special path for api urls, so by not setting "public_api", it will also work perfectly.

  According to this:
  https://github.com/openstack/keystone/blob/stable/mitaka/keystone/version/service.py#L160
  "public" string is given, and here:
  https://github.com/openstack/keystone/blob/stable/mitaka/keystone/common/wsgi.py#L372
  the string is being combined with "_endpoint", which will become "public_endpoint",
  and if the url is set, this public url will be the initial access.

  
  I have attached some info,
  - /etc/keystone/keystone.conf
  - /etc/apache2/sites-enabled/wsgi-keystone.conf
  - output with debug option

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1661503/+subscriptions
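
The behaviour discussed in this thread, as an added example that is not part of the original e-mail and is not keystone's own code: a simplified model of how the advertised base URL is chosen, either from a configured public_endpoint or from the request environment. The function names, the use of wsgiref.util.application_uri, the WSGI environ and the public_endpoint value are assumptions constructed from the URLs in the report.

```python
import re
from wsgiref.util import application_uri

# Constructed WSGI environ for a request sent to the admin URL in the report
# (OS_AUTH_URL=http://10.12.1.2:35357/fuga/v3); the /fuga mount point is assumed.
ADMIN_REQUEST = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "10.12.1.2:35357",
    "SERVER_NAME": "10.12.1.2",
    "SERVER_PORT": "35357",
    "SCRIPT_NAME": "/fuga",
    "PATH_INFO": "/v3",
}


def base_url(conf, environ, endpoint_type="public"):
    """Pick the base URL the service advertises (hypothetical simplified model)."""
    # The endpoint type is combined with "_endpoint" to form the option name.
    configured = conf.get("%s_endpoint" % endpoint_type)
    if configured:
        # Set: acts as a hard-coded value, whatever address the client used.
        return configured.rstrip("/")
    # Unset: rebuild scheme, host, port and mount point from the request.
    url = application_uri(environ)
    # Drop a trailing version segment if the mount point itself carries one.
    return re.sub(r"/v(3|2\.0)/*$", "", url).rstrip("/")


def discovery_url(conf, environ):
    """URL a v3 version-discovery response would advertise to the client."""
    return base_url(conf, environ) + "/v3/"


if __name__ == "__main__":
    # Assumed setting; the reporter's keystone.conf is not shown in the e-mail.
    pinned = {"public_endpoint": "http://10.12.2.2:5000/fuga"}
    print("public_endpoint set:  ", discovery_url(pinned, ADMIN_REQUEST))
    print("public_endpoint unset:", discovery_url({}, ADMIN_REQUEST))
```

With the option set, a client that reached the service on the admin network is still handed a URL on the public network, which matches the connection error in the report; with it unset, the advertised URL follows the address the request arrived on.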

