Bug 1514842
Summary: | Keystone Admin API on external Network down after upgrading to OSP10z6 | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Siggy Sigwald <ssigwald> |
Component: | puppet-tripleo | Assignee: | Juan Antonio Osorio <josorior> |
Status: | CLOSED ERRATA | QA Contact: | Pavan <pkesavar> |
Severity: | high | Docs Contact: | |
Priority: | medium | ||
Version: | 10.0 (Newton) | CC: | akaris, alee, aschultz, dvd, hrybacki, jdennis, jjoyce, josorior, jschluet, jzaher, kbasil, pablo.iranzo, slinaber, ssigwald, tvignaud |
Target Milestone: | z8 | Keywords: | Reopened, Triaged, ZStream |
Target Release: | 10.0 (Newton) | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | puppet-tripleo-5.6.8-1.el7ost | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-05-17 15:40:53 UTC | Type: | Bug |
Comment 3
Pablo Iranzo Gómez
2017-11-28 09:07:45 UTC
It makes sense from a security standpoint to eliminate the non-ssl endpoint. If you really need the non-ssl endpoint, workarounds are provided here: https://access.redhat.com/solutions/2943481 Or in this BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1514244 Closing as NOTABUG. Please feel free to reopen if needed.

If you switch to using keystone v3 you won't need the admin endpoint to be exposed in the external network and you could just use the public one. Is there a specific reason why you need the admin endpoint exposed? If you REALLY need it in the external network you could configure it via the ServiceNetMap.

The previous exposing of the admin endpoint was more a bug than a feature. If you really need the admin network exposed externally, we can see if we can configure the ServiceNetMap to match your desired config. Please confirm that you really need the admin endpoint exposed in the external network.

The double endpoint for the keystone admin interface was removed in an effort to increase security by locking down the overcloud. It is also not needed when using keystone v3, as one can also use the public keystone endpoint (which uses TLS).

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:1593