Bug 970098

Summary: Keystone API v3 lists disabled endpoints and services in catalog
Product: Red Hat OpenStack Reporter: Pavel Sedlák <psedlak>
Component: openstack-keystoneAssignee: Adam Young <ayoung>
Status: CLOSED ERRATA QA Contact: Jeremy Agee <jagee>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.0CC: ayoung, breeler, jagee, jkt, kbanerje, nkinder, ukalifon
Target Milestone: rcKeywords: Triaged
Target Release: 5.0 (RHEL 7)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-keystone-2014.1-4.el7ost Doc Type: Enhancement
Doc Text:
Previously, the service catalog used to return all endpoints, regardless of status. This meant that disabled endpoints were displayed as well. Now, only enabled endpoints are returned by default.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-08 15:23:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pavel Sedlák 2013-06-03 13:06:04 UTC 
Description of problem:
When endpoint or service has "enabled" attribute set to "False", it is still listed in catalog (`keystone catalog` command and/or in catalog part of token.

Create testing service (simplifies output later):
> localhost:5000
> POST /v3/services
> '{"service":{"name":"My svc","type":"testing"}}'
response:
> {'service': {'id': '<SERVICE-ID>',
>              'links': {'self': 'http://localhost:5000/v3/services/<SERVICE-ID>'},
>              'name': 'My svc',
>              'type': 'testing'}}

Create disabled endpoint:
> localhost:5000
> POST /v3/endpoints
> '{"endpoint":{
>    "enabled":false,
>    "name":"My disabled",
>    "interface":"public",
>    "url":"disabled_URL",
>    "service_id":"<SERVICE-ID>"}}'
response:
> {'endpoint': {'enabled': False,
>               'id': '<ENDPOINT-ID>',
>               'interface': 'public',
>               'links': {'self': 'http://localhost:5000/v3/endpoints/<ENDPOINT-ID>'},
>               'name': 'My disabled',
>               'region': None,
>               'service_id': '<SERVICE-ID>',
>               'url': 'disabled_URL'}}

Now request token and see that it's catalog/endpoints part contains:
> localhost:5000
> POST /v3/auth/tokens
> '{"auth":{
>  "identity":
>    {"methods":["password"],
>     "password":{
>       "user":{"name":"admin","domain":{"id":"default"},"password":"pass"}}},
>  "scope":{"project":{"name":"admin","domain":{"id":"default"}}}}}
snippet of response:
> {'token': {'catalog': [
> ...
>   {'endpoints': [{'enabled': False,
>                  'id': '<ENDPOINT-ID>',
>                  'interface': 'public',
>                  'legacy_endpoint_id': None,
>                  'name': 'My disabled',
>                  'region': None,
>                  'url': 'disabled_URL'}],
>    'id': '<SERVICE-ID>',
>    'type': 'testing'},
> ...

Also it gets listed in response of `keystone catalog` (API v2):
> # keystone catalog --service testing
> Service: testing
> +-----------+----------------------------------+
> |  Property |              Value               |
> +-----------+----------------------------------+
> |     id    |        <ENDPOINT-ID>             |
> | publicURL |        disabled_URL              |
> |   region  |                                  |
> +-----------+----------------------------------+

The same example applies to Service with enabled=false.

See https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#endpoints-v3endpoints for description of enabled attribute for Endpoint.

And https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#services-v3services for description of Service.
Comment 7 Udi Kalifon 2014-07-03 14:15:46 UTC 
Verified in:
openstack-keystone-2014.1-5.el7ost.noarch
python-keystone-2014.1-5.el7ost.noarch
python-keystoneclient-0.9.0-1.el7ost.noarch
Comment 9 errata-xmlrpc 2014-07-08 15:23:37 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0854.html