Bug 1311165 - Keystone API GET 5000/v3 returns wrong endpoint URL in response body
Keystone API GET 5000/v3 returns wrong endpoint URL in response body
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates (Show other bugs)
7.0 (Kilo)
Unspecified Unspecified
high Severity high
: rc
: 10.0 (Newton)
Assigned To: Adam Young
Rodrigo Duarte
: Triaged
: 1369881 (view as bug list)
Depends On:
Blocks: 1369066 1368299
  Show dependency treegraph
 
Reported: 2016-02-23 09:41 EST by Adam Young
Modified: 2017-01-25 01:47 EST (History)
12 users (show)

See Also:
Fixed In Version: openstack-tripleo-heat-templates-5.0.0-0.20160929150845.4cdc4fc.el7ost
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-14 10:24:48 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1381961 None None None 2016-02-23 09:41 EST
OpenStack gerrit 368969 None None None 2016-09-16 13:20 EDT

  None (edit)
Description Adam Young 2016-02-23 09:41:12 EST
Description of problem:
When I was invoking a GET request to public endpoint of Keystone, I found the admin endpoint URL in response body, I assume it should be the public endpoint URL:
GET https://192.168.101.10:5000/v3

{
  "version": {
    "status": "stable",
    "updated": "2013-03-06T00:00:00Z",
    "media-types": [
      {
        "base": "application/json",
        "type": "application/vnd.openstack.identity-v3+json"
      },
      {
        "base": "application/xml",
        "type": "application/vnd.openstack.identity-v3+xml"
      }
    ],
    "id": "v3.0",
    "links": [
      {
        "href": "https://172.20.14.10:35357/v3/",
        "rel": "self"
      }
    ]
  }
}

===============================================================
Btw, I can get the right URL for public endpoint in the response body of the versionless API call:
GET https://192.168.101.10:5000

{
  "versions": {
    "values": [
      {
        "status": "stable",
        "updated": "2013-03-06T00:00:00Z",
        "media-types": [
          {
            "base": "application/json",
            "type": "application/vnd.openstack.identity-v3+json"
          },
          {
            "base": "application/xml",
            "type": "application/vnd.openstack.identity-v3+xml"
          }
        ],
        "id": "v3.0",
        "links": [
          {
            "href": "https://192.168.101.10:5000/v3/",
            "rel": "self"
          }
        ]
      },
      {
        "status": "stable",
        "updated": "2014-04-17T00:00:00Z",
        "media-types": [
          {
            "base": "application/json",
            "type": "application/vnd.openstack.identity-v2.0+json"
          },
          {
            "base": "application/xml",
            "type": "application/vnd.openstack.identity-v2.0+xml"
          }
        ],
        "id": "v2.0",
        "links": [
          {
            "href": "https://192.168.101.10:5000/v2.0/",
            "rel": "self"
          },
          {
            "href": "http://docs.openstack.org/api/openstack-identity-service/2.0/content/",
            "type": "text/html",
            "rel": "describedby"
          },
          {
            "href": "http://docs.openstack.org/api/openstack-identity-service/2.0/identity-dev-guide-2.0.pdf",
            "type": "application/pdf",
            "rel": "describedby"
          }
        ]
      }
    ]
  }
}
Comment 2 Adam Young 2016-02-23 10:47:54 EST
Just tested backport of commit 40c3942c12d1dd2c826d836987616838a73a64a1  and it fixes the problem.  This will a deployer run Keystone on a port other than 5000/35357, which might be needed for firewall or network issues
Comment 5 Rodrigo Duarte 2016-06-30 12:09:12 EDT
verification failed for openstack-keystone-9.0.0-1.el7ost.noarch

calling using the public endpoint looks correct:

[stack@undercloud ~]$ curl http://10.0.0.101:5000/v3 | python -m json.tool

{
    "version": {
        "id": "v3.6",
        "links": [
            {
                "href": "http://10.0.0.101:5000/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-04-04T00:00:00Z"
    }
}

and also without version and with v2.0:

[stack@undercloud ~]$ curl http://10.0.0.101:5000 | python -m json.tool

{
    "versions": {
        "values": [
            {
                "id": "v3.6",
                "links": [
                    {
                        "href": "http://10.0.0.101:5000/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-04-04T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://10.0.0.101:5000/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "stable",
                "updated": "2014-04-17T00:00:00Z"
            }
        ]
    }
}

[stack@undercloud ~]$ curl http://10.0.0.101:5000/v2.0 | python -m json.tool

{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://10.0.0.101:5000/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "stable",
        "updated": "2014-04-17T00:00:00Z"
    }
}

unfortunately, calling using the admin endpoint, it returns the public endpoint:

[stack@undercloud ~]$ curl http://10.0.0.101:35357/v3 | python -m json.tool

{
    "version": {
        "id": "v3.6",
        "links": [
            {
                "href": "http://10.0.0.101:5000/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-04-04T00:00:00Z"
    }
}

although, without version and with v2.0, the results are correct:

[stack@undercloud ~]$ curl http://10.0.0.101:35357 | python -m json.tool

{
    "versions": {
        "values": [
            {
                "id": "v3.6",
                "links": [
                    {
                        "href": "http://10.0.0.101:35357/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-04-04T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://10.0.0.101:35357/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "stable",
                "updated": "2014-04-17T00:00:00Z"
            }
        ]
    }
}



[stack@undercloud ~]$ curl http://10.0.0.101:35357/v2.0 | python -m json.tool

{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://10.0.0.101:35357/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "stable",
        "updated": "2014-04-17T00:00:00Z"
    }
}
Comment 7 Adam Young 2016-09-08 00:10:04 EDT
The root of the  issue is that public_endpoint is set in the config file, which forces the answer to a specific port.  If that value is unset, the controller uses the request to determine what port to fill in.

The value is set by Tripleo Heat templates in a Director deploy, such as:

/usr/share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml:122:        keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}

But even defaults to the server default, which comes from the Endpoint.  If the value is left unset, however, it appears that an install will fail.

It is possible that unsetting the value after deploy will be an effective work around.
Comment 8 Adam Young 2016-09-12 11:43:17 EDT
The following change seems to make it work.


$ diff  /usr/share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml.orig /usr/share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml
122d121
<         keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
Comment 9 Nathan Kinder 2016-09-22 15:51:30 EDT
*** Bug 1369881 has been marked as a duplicate of this bug. ***
Comment 11 Rodrigo Duarte 2016-10-03 23:03:46 EDT
verified for openstack-keystone-10.0.0-0.

following the same tests made above:

- public endpoint:

# curl http://192.0.2.1:5000  | python -m json.tool

{
    "versions": {
        "values": [
            {
                "id": "v3.7",
                "links": [
                    {
                        "href": "http://192.0.2.1:5000/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-10-06T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://192.0.2.1:5000/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "deprecated",
                "updated": "2016-08-04T00:00:00Z"
            }
        ]
    }
}

# curl http://192.0.2.1:5000/v2.0  | python -m json.tool

{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://192.0.2.1:5000/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "deprecated",
        "updated": "2016-08-04T00:00:00Z"
    }
}

# curl http://192.0.2.1:35357/v3  | python -m json.tool

{
    "version": {
        "id": "v3.7",
        "links": [
            {
                "href": "http://192.0.2.1:35357/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-10-06T00:00:00Z"
    }
}

- admin endpoint:

# curl http://192.0.2.1:35357  | python -m json.tool

{
    "versions": {
        "values": [
            {
                "id": "v3.7",
                "links": [
                    {
                        "href": "http://192.0.2.1:35357/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-10-06T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://192.0.2.1:35357/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "deprecated",
                "updated": "2016-08-04T00:00:00Z"
            }
        ]
    }
}

# curl http://192.0.2.1:35357/v3  | python -m json.tool

{
    "version": {
        "id": "v3.7",
        "links": [
            {
                "href": "http://192.0.2.1:35357/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-10-06T00:00:00Z"
    }
}



# curl http://192.0.2.1:35357/v2.0  | python -m json.tool

{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://192.0.2.1:35357/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "deprecated",
        "updated": "2016-08-04T00:00:00Z"
    }
}
Comment 13 Nathan Kinder 2016-11-04 13:20:24 EDT
*** Bug 1368299 has been marked as a duplicate of this bug. ***
Comment 14 Edu Alcaniz 2016-12-07 03:17:57 EST
We need manual configuration change for OSP7
Comment 16 Adam Young 2016-12-08 09:13:55 EST
Explicitly remove the configuration value.

in the file /etc/keystone/keystone.conf, comment out like this:

[DEFAULT]
#public_endpoint = <None>
Comment 18 errata-xmlrpc 2016-12-14 10:24:48 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html

Note You need to log in before you can comment on or make changes to this bug.