| Summary: | Keystone API GET 5000/v3 returns wrong endpoint URL in response body | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Adam Young <ayoung> |
| Component: | openstack-tripleo-heat-templates | Assignee: | Adam Young <ayoung> |
| Status: | CLOSED ERRATA | QA Contact: | Rodrigo Duarte <rduartes> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.0 (Kilo) | CC: | akrzos, ayoung, ealcaniz, jdennis, jjoyce, jschluet, k-akatsuka, mburns, molasaga, nkinder, rhel-osp-director-maint, srevivo |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 10.0 (Newton) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-tripleo-heat-templates-5.0.0-0.20160929150845.4cdc4fc.el7ost | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-12-14 15:24:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 1368299, 1369066 | ||
Description
Adam Young
2016-02-23 14:41:12 UTC
Just tested backport of commit 40c3942c12d1dd2c826d836987616838a73a64a1 and it fixes the problem. This will let a deployer run Keystone on a port other than 5000/35357, which might be needed for firewall or network issues.

Verification failed for openstack-keystone-9.0.0-1.el7ost.noarch.

Calling using the public endpoint looks correct:

```
[stack@undercloud ~]$ curl http://10.0.0.101:5000/v3 | python -m json.tool
{
    "version": {
        "id": "v3.6",
        "links": [
            {
                "href": "http://10.0.0.101:5000/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-04-04T00:00:00Z"
    }
}
```

and also without version and with v2.0:

```
[stack@undercloud ~]$ curl http://10.0.0.101:5000 | python -m json.tool
{
    "versions": {
        "values": [
            {
                "id": "v3.6",
                "links": [
                    {
                        "href": "http://10.0.0.101:5000/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-04-04T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://10.0.0.101:5000/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "stable",
                "updated": "2014-04-17T00:00:00Z"
            }
        ]
    }
}
[stack@undercloud ~]$ curl http://10.0.0.101:5000/v2.0 | python -m json.tool
{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://10.0.0.101:5000/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "stable",
        "updated": "2014-04-17T00:00:00Z"
    }
}
```

Unfortunately, calling using the admin endpoint, it returns the public endpoint:

```
[stack@undercloud ~]$ curl http://10.0.0.101:35357/v3 | python -m json.tool
{
    "version": {
        "id": "v3.6",
        "links": [
            {
                "href": "http://10.0.0.101:5000/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-04-04T00:00:00Z"
    }
}
```

although, without version and with v2.0, the results are correct:

```
[stack@undercloud ~]$ curl http://10.0.0.101:35357 | python -m json.tool
{
    "versions": {
        "values": [
            {
                "id": "v3.6",
                "links": [
                    {
                        "href": "http://10.0.0.101:35357/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-04-04T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://10.0.0.101:35357/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "stable",
                "updated": "2014-04-17T00:00:00Z"
            }
        ]
    }
}
[stack@undercloud ~]$ curl http://10.0.0.101:35357/v2.0 | python -m json.tool
{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://10.0.0.101:35357/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "stable",
        "updated": "2014-04-17T00:00:00Z"
    }
}
```

The root of the issue is that public_endpoint is set in the config file, which forces the answer to a specific port. If that value is unset, the controller uses the request to determine what port to fill in.
The value is set by Tripleo Heat templates in a Director deploy, such as:
/usr/share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml:122: keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
But even defaults to the server default, which comes from the Endpoint. If the value is left unset, however, it appears that an install will fail.
It is possible that unsetting the value after deploy will be an effective workaround.
The following change seems to make it work.
$ diff /usr/share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml.orig /usr/share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml
122d121
< keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
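Review bot: Deleting the `keystone::public_endpoint` hieradata at line 122 drops the setting for every deployment, yet the description above says an install appears to fail when the value is left unset; the change should state which path it was tested on (a fresh deploy or an already deployed node) before it replaces the EndpointMap-derived value. Because the returned links are then built from the incoming request, a short comment in keystone.yaml saying the key is intentionally absent would keep it from being re-added later.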
*** Bug 1369881 has been marked as a duplicate of this bug. ***

Verified for openstack-keystone-10.0.0-0. Following the same tests made above:

- public endpoint:

```
# curl http://192.0.2.1:5000 | python -m json.tool
{
    "versions": {
        "values": [
            {
                "id": "v3.7",
                "links": [
                    {
                        "href": "http://192.0.2.1:5000/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-10-06T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://192.0.2.1:5000/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "deprecated",
                "updated": "2016-08-04T00:00:00Z"
            }
        ]
    }
}
# curl http://192.0.2.1:5000/v2.0 | python -m json.tool
{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://192.0.2.1:5000/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "deprecated",
        "updated": "2016-08-04T00:00:00Z"
    }
}
# curl http://192.0.2.1:35357/v3 | python -m json.tool
{
    "version": {
        "id": "v3.7",
        "links": [
            {
                "href": "http://192.0.2.1:35357/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-10-06T00:00:00Z"
    }
}
```

- admin endpoint:

```
# curl http://192.0.2.1:35357 | python -m json.tool
{
    "versions": {
        "values": [
            {
                "id": "v3.7",
                "links": [
                    {
                        "href": "http://192.0.2.1:35357/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-10-06T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://192.0.2.1:35357/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "deprecated",
                "updated": "2016-08-04T00:00:00Z"
            }
        ]
    }
}
# curl http://192.0.2.1:35357/v3 | python -m json.tool
{
    "version": {
        "id": "v3.7",
        "links": [
            {
                "href": "http://192.0.2.1:35357/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-10-06T00:00:00Z"
    }
}
# curl http://192.0.2.1:35357/v2.0 | python -m json.tool
{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://192.0.2.1:35357/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "deprecated",
        "updated": "2016-08-04T00:00:00Z"
    }
}
```

*** Bug 1368299 has been marked as a duplicate of this bug. ***

We need a manual configuration change for OSP7.

Explicitly remove the configuration value. In the file /etc/keystone/keystone.conf, comment out like this:

```
[DEFAULT]
#public_endpoint = <None>
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html
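The manual curl comparisons in this report can be automated. The following is an added example, not code from the report or from Keystone: it flags any `rel: self` link in a version document that points away from the scheme, host and port the request was sent to. The function names are hypothetical and the sample bodies are abridged from the responses quoted above.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)

def versions(doc):
    """Yield version objects from a /v3-style or root-style version document."""
    if "version" in doc:
        yield doc["version"]
    else:
        yield from doc.get("versions", {}).get("values", [])

def mismatched_self_links(request_url, body):
    """List (version id, href) whose rel=self link leaves the requested origin."""
    want = origin(request_url)
    return [
        (version["id"], link["href"])
        for version in versions(json.loads(body))
        for link in version.get("links", [])
        if link.get("rel") == "self" and origin(link["href"]) != want
    ]

# Sample bodies abridged from the responses quoted in this report.
ADMIN_V3_REPORTED = '''{"version": {"id": "v3.6", "links": [
  {"href": "http://10.0.0.101:5000/v3/", "rel": "self"}]}}'''
ADMIN_ROOT_REPORTED = '''{"versions": {"values": [
  {"id": "v3.6", "links": [{"href": "http://10.0.0.101:35357/v3/", "rel": "self"}]},
  {"id": "v2.0", "links": [
    {"href": "http://10.0.0.101:35357/v2.0/", "rel": "self"},
    {"href": "http://docs.openstack.org/", "rel": "describedby", "type": "text/html"}]}]}}'''

if __name__ == "__main__":
    for url, body in [("http://10.0.0.101:35357/v3", ADMIN_V3_REPORTED),
                      ("http://10.0.0.101:35357", ADMIN_ROOT_REPORTED)]:
        print(url, mismatched_self_links(url, body) or "ok")
```

The `describedby` link to docs.openstack.org is skipped on purpose, since only the `self` link is expected to follow the requested endpoint.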