Bug 1311165

Summary: Keystone API GET 5000/v3 returns wrong endpoint URL in response body
Product: Red Hat OpenStack
Component: openstack-tripleo-heat-templates
Version: 7.0 (Kilo)
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Adam Young <ayoung>
Assignee: Adam Young <ayoung>
QA Contact: Rodrigo Duarte <rduartes>
CC: akrzos, ayoung, ealcaniz, jdennis, jjoyce, jschluet, k-akatsuka, mburns, molasaga, nkinder, rhel-osp-director-maint, srevivo
Keywords: Triaged
Target Milestone: rc
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-5.0.0-0.20160929150845.4cdc4fc.el7ost
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-12-14 15:24:48 UTC
Bug Blocks: 1369066, 1368299

Description Adam Young 2016-02-23 14:41:12 UTC
Description of problem:
When I was invoking a GET request to the public endpoint of Keystone, I found the admin endpoint URL in the response body. I assume it should be the public endpoint URL:
GET https://192.168.101.10:5000/v3

{
  "version": {
    "status": "stable",
    "updated": "2013-03-06T00:00:00Z",
    "media-types": [
      {
        "base": "application/json",
        "type": "application/vnd.openstack.identity-v3+json"
      },
      {
        "base": "application/xml",
        "type": "application/vnd.openstack.identity-v3+xml"
      }
    ],
    "id": "v3.0",
    "links": [
      {
        "href": "https://172.20.14.10:35357/v3/",
        "rel": "self"
      }
    ]
  }
}

===============================================================
Btw, I can get the right URL for public endpoint in the response body of the versionless API call:
GET https://192.168.101.10:5000

{
  "versions": {
    "values": [
      {
        "status": "stable",
        "updated": "2013-03-06T00:00:00Z",
        "media-types": [
          {
            "base": "application/json",
            "type": "application/vnd.openstack.identity-v3+json"
          },
          {
            "base": "application/xml",
            "type": "application/vnd.openstack.identity-v3+xml"
          }
        ],
        "id": "v3.0",
        "links": [
          {
            "href": "https://192.168.101.10:5000/v3/",
            "rel": "self"
          }
        ]
      },
      {
        "status": "stable",
        "updated": "2014-04-17T00:00:00Z",
        "media-types": [
          {
            "base": "application/json",
            "type": "application/vnd.openstack.identity-v2.0+json"
          },
          {
            "base": "application/xml",
            "type": "application/vnd.openstack.identity-v2.0+xml"
          }
        ],
        "id": "v2.0",
        "links": [
          {
            "href": "https://192.168.101.10:5000/v2.0/",
            "rel": "self"
          },
          {
            "href": "http://docs.openstack.org/api/openstack-identity-service/2.0/content/",
            "type": "text/html",
            "rel": "describedby"
          },
          {
            "href": "http://docs.openstack.org/api/openstack-identity-service/2.0/identity-dev-guide-2.0.pdf",
            "type": "application/pdf",
            "rel": "describedby"
          }
        ]
      }
    ]
  }
}

Comment 2 Adam Young 2016-02-23 15:47:54 UTC
Just tested backport of commit 40c3942c12d1dd2c826d836987616838a73a64a1 and it fixes the problem. This will let a deployer run Keystone on a port other than 5000/35357, which might be needed for firewall or network issues.

Comment 5 Rodrigo Duarte 2016-06-30 16:09:12 UTC
verification failed for openstack-keystone-9.0.0-1.el7ost.noarch

calling using the public endpoint looks correct:

[stack@undercloud ~]$ curl http://10.0.0.101:5000/v3 | python -m json.tool

{
    "version": {
        "id": "v3.6",
        "links": [
            {
                "href": "http://10.0.0.101:5000/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-04-04T00:00:00Z"
    }
}

and also without version and with v2.0:

[stack@undercloud ~]$ curl http://10.0.0.101:5000 | python -m json.tool

{
    "versions": {
        "values": [
            {
                "id": "v3.6",
                "links": [
                    {
                        "href": "http://10.0.0.101:5000/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-04-04T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://10.0.0.101:5000/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "stable",
                "updated": "2014-04-17T00:00:00Z"
            }
        ]
    }
}

[stack@undercloud ~]$ curl http://10.0.0.101:5000/v2.0 | python -m json.tool

{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://10.0.0.101:5000/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "stable",
        "updated": "2014-04-17T00:00:00Z"
    }
}

unfortunately, calling using the admin endpoint, it returns the public endpoint:

[stack@undercloud ~]$ curl http://10.0.0.101:35357/v3 | python -m json.tool

{
    "version": {
        "id": "v3.6",
        "links": [
            {
                "href": "http://10.0.0.101:5000/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-04-04T00:00:00Z"
    }
}

although, without version and with v2.0, the results are correct:

[stack@undercloud ~]$ curl http://10.0.0.101:35357 | python -m json.tool

{
    "versions": {
        "values": [
            {
                "id": "v3.6",
                "links": [
                    {
                        "href": "http://10.0.0.101:35357/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-04-04T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://10.0.0.101:35357/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "stable",
                "updated": "2014-04-17T00:00:00Z"
            }
        ]
    }
}



[stack@undercloud ~]$ curl http://10.0.0.101:35357/v2.0 | python -m json.tool

{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://10.0.0.101:35357/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "stable",
        "updated": "2014-04-17T00:00:00Z"
    }
}

Comment 7 Adam Young 2016-09-08 04:10:04 UTC
The root of the issue is that public_endpoint is set in the config file, which forces the answer to a specific port. If that value is unset, the controller uses the request to determine what port to fill in.

The value is set by Tripleo Heat templates in a Director deploy, such as:

/usr/share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml:122:        keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}

But even defaults to the server default, which comes from the Endpoint.  If the value is left unset, however, it appears that an install will fail.

It is possible that unsetting the value after deploy will be an effective workaround.

Comment 8 Adam Young 2016-09-12 15:43:17 UTC
The following change seems to make it work.


$ diff  /usr/share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml.orig /usr/share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml
122d121
<         keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
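
Review bot: deleting line 122 removes the `keystone::public_endpoint` binding outright, yet Comment 7 reports that an install appears to fail when this value is left unset, so the change needs a full deploy run before it is accepted rather than a check against an already-deployed Keystone. The diff is also taken against the installed copy under /usr/share/openstack-tripleo-heat-templates/, which a package update will overwrite; the removal should land in the packaged template, with a short comment at that spot saying the key is intentionally left unset so that Keystone fills in the port from the request.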

Comment 9 Nathan Kinder 2016-09-22 19:51:30 UTC
*** Bug 1369881 has been marked as a duplicate of this bug. ***

Comment 11 Rodrigo Duarte 2016-10-04 03:03:46 UTC
verified for openstack-keystone-10.0.0-0.

following the same tests made above:

- public endpoint:

# curl http://192.0.2.1:5000  | python -m json.tool

{
    "versions": {
        "values": [
            {
                "id": "v3.7",
                "links": [
                    {
                        "href": "http://192.0.2.1:5000/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-10-06T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://192.0.2.1:5000/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "deprecated",
                "updated": "2016-08-04T00:00:00Z"
            }
        ]
    }
}

# curl http://192.0.2.1:5000/v2.0  | python -m json.tool

{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://192.0.2.1:5000/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "deprecated",
        "updated": "2016-08-04T00:00:00Z"
    }
}

# curl http://192.0.2.1:35357/v3  | python -m json.tool

{
    "version": {
        "id": "v3.7",
        "links": [
            {
                "href": "http://192.0.2.1:35357/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-10-06T00:00:00Z"
    }
}

- admin endpoint:

# curl http://192.0.2.1:35357  | python -m json.tool

{
    "versions": {
        "values": [
            {
                "id": "v3.7",
                "links": [
                    {
                        "href": "http://192.0.2.1:35357/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-10-06T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://192.0.2.1:35357/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "deprecated",
                "updated": "2016-08-04T00:00:00Z"
            }
        ]
    }
}

# curl http://192.0.2.1:35357/v3  | python -m json.tool

{
    "version": {
        "id": "v3.7",
        "links": [
            {
                "href": "http://192.0.2.1:35357/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-10-06T00:00:00Z"
    }
}



# curl http://192.0.2.1:35357/v2.0  | python -m json.tool

{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://192.0.2.1:35357/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "deprecated",
        "updated": "2016-08-04T00:00:00Z"
    }
}
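
An added example, not part of the original bug report or of Keystone: the manual curl comparison from the verification comments, automated so that every `rel: self` link is checked against the origin the request was sent to. The function names are hypothetical, and the sample responses are abridged (links only) from outputs quoted on this page.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def version_entries(doc):
    """Yield version objects from both document shapes shown in this bug."""
    if "version" in doc:  # GET /v3 or GET /v2.0
        yield doc["version"]
    for entry in doc.get("versions", {}).get("values", []):  # versionless GET /
        yield entry


def self_link_mismatches(request_url, body):
    """Return (version id, href) for each rel=self link whose origin differs
    from the origin the request was sent to; describedby links are ignored."""
    doc = json.loads(body) if isinstance(body, str) else body
    wanted = origin(request_url)
    bad = []
    for entry in version_entries(doc):
        for link in entry.get("links", []):
            href = link.get("href", "")
            if link.get("rel") == "self" and origin(href) != wanted:
                bad.append((entry.get("id"), href))
    return bad


def v3_doc(version_id, href):
    """Build an abridged /v3 response (links only) for the samples below."""
    return {"version": {"id": version_id, "links": [{"href": href, "rel": "self"}]}}


# Sample data: request URL -> response, abridged from the comments on this page.
CAPTURED = {
    "https://192.168.101.10:5000/v3": v3_doc("v3.0", "https://172.20.14.10:35357/v3/"),
    "http://10.0.0.101:5000/v3": v3_doc("v3.6", "http://10.0.0.101:5000/v3/"),
    "http://10.0.0.101:35357/v3": v3_doc("v3.6", "http://10.0.0.101:5000/v3/"),
    "http://192.0.2.1:35357/v3": v3_doc("v3.7", "http://192.0.2.1:35357/v3/"),
}

if __name__ == "__main__":
    for url, doc in CAPTURED.items():
        print(url, "->", self_link_mismatches(url, doc) or "OK")
```

An empty list means every self link points back at the endpoint that was queried; the first and third samples are the two failing cases reported above.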

Comment 13 Nathan Kinder 2016-11-04 17:20:24 UTC
*** Bug 1368299 has been marked as a duplicate of this bug. ***

Comment 14 Edu Alcaniz 2016-12-07 08:17:57 UTC
We need manual configuration change for OSP7

Comment 16 Adam Young 2016-12-08 14:13:55 UTC
Explicitly remove the configuration value.

in the file /etc/keystone/keystone.conf, comment out like this:

[DEFAULT]
#public_endpoint = <None>

Comment 18 errata-xmlrpc 2016-12-14 15:24:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html