Bug 1121256

Summary: Configuration file in share forces ignore of auth_uri
Product: [Community] RDO Reporter: Adam Young <ayoung>
Component: openstack-cinderAssignee: Eric Harney <eharney>
Status: CLOSED CURRENTRELEASE QA Contact: nlevinki <nlevinki>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: ayoung, chris.brown, eharney, lars, srevivo
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1121259 (view as bug list) Environment:
Last Closed: 2017-06-18 06:08:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1121259    

Description Adam Young 2014-07-18 19:13:11 UTC 
Description of problem:

The systemd start script starts cinder api with:


ExecStart=/usr/bin/cinder-api --config-file /usr/share/cinder/cinder-dist.conf --config-file /etc/cinder/cinder.conf --logfile /var/log/cinder/api.log


And the /usr/share/cinder/cinder-dist.conf has 

[keystone_authtoken]
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http


This forced auth_tokem middleware to build its auth_uri out of components.

The recommended way to customize the auth_uri is to set it in the config file with a full url, example:

auth_uri = https://fqdn:port/v3

However, the end user cannot set this value in /etc/cinder/cinder.conf due to auth_token favoring the "compose by parts"

This shows up in the log file with:

WARNING keystoneclient.middleware.auth_token [-] Configuring admin URI using auth fragments. This is deprecated, use 'identity_uri' instead.


We should remove the whole /usr/share configuration file, and only have the portion in /etc.
Comment 1 Lars Kellogg-Stedman 2015-03-27 02:04:39 UTC 
Adam: you mentioned "auth_uri" in your report, but the error message references "identity_uri", which I think is something else.  Does this still need fixing? It looks like our current packages are still setting the auth_* fragments in /usr/share/cinder/cinder-dist.conf.
Comment 2 Adam Young 2015-07-23 17:38:07 UTC 
Lars, yes, the identity_uri is the preferred way of setting the value in the config file, instead of composing it out of its parts.

http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/_auth.py?id=1285fb2337bedc29482356cb8d6ad87efc26fc7f#n166

And, since this is more than just the auth_uri (just used to get a token) it is more correct to say identity_uri.
Comment 3 Christopher Brown 2017-06-17 19:18:47 UTC 
So I think this is sorted now?