Description of problem: When I was invoking a GET request to public endpoint of Keystone, I found the admin endpoint URL in response body, I assume it should be the public endpoint URL: GET https://192.168.101.10:5000/v3 { "version": { "status": "stable", "updated": "2013-03-06T00:00:00Z", "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v3+json" }, { "base": "application/xml", "type": "application/vnd.openstack.identity-v3+xml" } ], "id": "v3.0", "links": [ { "href": "https://172.20.14.10:35357/v3/", "rel": "self" } ] } } =============================================================== Btw, I can get the right URL for public endpoint in the response body of the versionless API call: GET https://192.168.101.10:5000 { "versions": { "values": [ { "status": "stable", "updated": "2013-03-06T00:00:00Z", "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v3+json" }, { "base": "application/xml", "type": "application/vnd.openstack.identity-v3+xml" } ], "id": "v3.0", "links": [ { "href": "https://192.168.101.10:5000/v3/", "rel": "self" } ] }, { "status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json" }, { "base": "application/xml", "type": "application/vnd.openstack.identity-v2.0+xml" } ], "id": "v2.0", "links": [ { "href": "https://192.168.101.10:5000/v2.0/", "rel": "self" }, { "href": "http://docs.openstack.org/api/openstack-identity-service/2.0/content/", "type": "text/html", "rel": "describedby" }, { "href": "http://docs.openstack.org/api/openstack-identity-service/2.0/identity-dev-guide-2.0.pdf", "type": "application/pdf", "rel": "describedby" } ] } ] } }
Just tested backport of commit 40c3942c12d1dd2c826d836987616838a73a64a1 and it fixes the problem. This will a deployer run Keystone on a port other than 5000/35357, which might be needed for firewall or network issues
verification failed for openstack-keystone-9.0.0-1.el7ost.noarch calling using the public endpoint looks correct: [stack@undercloud ~]$ curl http://10.0.0.101:5000/v3 | python -m json.tool { "version": { "id": "v3.6", "links": [ { "href": "http://10.0.0.101:5000/v3/", "rel": "self" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v3+json" } ], "status": "stable", "updated": "2016-04-04T00:00:00Z" } } and also without version and with v2.0: [stack@undercloud ~]$ curl http://10.0.0.101:5000 | python -m json.tool { "versions": { "values": [ { "id": "v3.6", "links": [ { "href": "http://10.0.0.101:5000/v3/", "rel": "self" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v3+json" } ], "status": "stable", "updated": "2016-04-04T00:00:00Z" }, { "id": "v2.0", "links": [ { "href": "http://10.0.0.101:5000/v2.0/", "rel": "self" }, { "href": "http://docs.openstack.org/", "rel": "describedby", "type": "text/html" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json" } ], "status": "stable", "updated": "2014-04-17T00:00:00Z" } ] } } [stack@undercloud ~]$ curl http://10.0.0.101:5000/v2.0 | python -m json.tool { "version": { "id": "v2.0", "links": [ { "href": "http://10.0.0.101:5000/v2.0/", "rel": "self" }, { "href": "http://docs.openstack.org/", "rel": "describedby", "type": "text/html" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json" } ], "status": "stable", "updated": "2014-04-17T00:00:00Z" } } unfortunately, calling using the admin endpoint, it returns the public endpoint: [stack@undercloud ~]$ curl http://10.0.0.101:35357/v3 | python -m json.tool { "version": { "id": "v3.6", "links": [ { "href": "http://10.0.0.101:5000/v3/", "rel": "self" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v3+json" } ], "status": "stable", "updated": "2016-04-04T00:00:00Z" } } although, without version and with v2.0, the results are correct: [stack@undercloud ~]$ curl http://10.0.0.101:35357 | python -m json.tool { "versions": { "values": [ { "id": "v3.6", "links": [ { "href": "http://10.0.0.101:35357/v3/", "rel": "self" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v3+json" } ], "status": "stable", "updated": "2016-04-04T00:00:00Z" }, { "id": "v2.0", "links": [ { "href": "http://10.0.0.101:35357/v2.0/", "rel": "self" }, { "href": "http://docs.openstack.org/", "rel": "describedby", "type": "text/html" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json" } ], "status": "stable", "updated": "2014-04-17T00:00:00Z" } ] } } [stack@undercloud ~]$ curl http://10.0.0.101:35357/v2.0 | python -m json.tool { "version": { "id": "v2.0", "links": [ { "href": "http://10.0.0.101:35357/v2.0/", "rel": "self" }, { "href": "http://docs.openstack.org/", "rel": "describedby", "type": "text/html" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json" } ], "status": "stable", "updated": "2014-04-17T00:00:00Z" } }
The root of the issue is that public_endpoint is set in the config file, which forces the answer to a specific port. If that value is unset, the controller uses the request to determine what port to fill in. The value is set by Tripleo Heat templates in a Director deploy, such as: /usr/share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml:122: keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]} But even defaults to the server default, which comes from the Endpoint. If the value is left unset, however, it appears that an install will fail. It is possible that unsetting the value after deploy will be an effective work around.
The following change seems to make it work. $ diff /usr/share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml.orig /usr/share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml 122d121 < keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
*** Bug 1369881 has been marked as a duplicate of this bug. ***
verified for openstack-keystone-10.0.0-0. following the same tests made above: - public endpoint: # curl http://192.0.2.1:5000 | python -m json.tool { "versions": { "values": [ { "id": "v3.7", "links": [ { "href": "http://192.0.2.1:5000/v3/", "rel": "self" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v3+json" } ], "status": "stable", "updated": "2016-10-06T00:00:00Z" }, { "id": "v2.0", "links": [ { "href": "http://192.0.2.1:5000/v2.0/", "rel": "self" }, { "href": "http://docs.openstack.org/", "rel": "describedby", "type": "text/html" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json" } ], "status": "deprecated", "updated": "2016-08-04T00:00:00Z" } ] } } # curl http://192.0.2.1:5000/v2.0 | python -m json.tool { "version": { "id": "v2.0", "links": [ { "href": "http://192.0.2.1:5000/v2.0/", "rel": "self" }, { "href": "http://docs.openstack.org/", "rel": "describedby", "type": "text/html" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json" } ], "status": "deprecated", "updated": "2016-08-04T00:00:00Z" } } # curl http://192.0.2.1:35357/v3 | python -m json.tool { "version": { "id": "v3.7", "links": [ { "href": "http://192.0.2.1:35357/v3/", "rel": "self" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v3+json" } ], "status": "stable", "updated": "2016-10-06T00:00:00Z" } } - admin endpoint: # curl http://192.0.2.1:35357 | python -m json.tool { "versions": { "values": [ { "id": "v3.7", "links": [ { "href": "http://192.0.2.1:35357/v3/", "rel": "self" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v3+json" } ], "status": "stable", "updated": "2016-10-06T00:00:00Z" }, { "id": "v2.0", "links": [ { "href": "http://192.0.2.1:35357/v2.0/", "rel": "self" }, { "href": "http://docs.openstack.org/", "rel": "describedby", "type": "text/html" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json" } ], "status": "deprecated", "updated": "2016-08-04T00:00:00Z" } ] } } # curl http://192.0.2.1:35357/v3 | python -m json.tool { "version": { "id": "v3.7", "links": [ { "href": "http://192.0.2.1:35357/v3/", "rel": "self" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v3+json" } ], "status": "stable", "updated": "2016-10-06T00:00:00Z" } } # curl http://192.0.2.1:35357/v2.0 | python -m json.tool { "version": { "id": "v2.0", "links": [ { "href": "http://192.0.2.1:35357/v2.0/", "rel": "self" }, { "href": "http://docs.openstack.org/", "rel": "describedby", "type": "text/html" } ], "media-types": [ { "base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json" } ], "status": "deprecated", "updated": "2016-08-04T00:00:00Z" } }
*** Bug 1368299 has been marked as a duplicate of this bug. ***
We need manual configuration change for OSP7
Explicitly remove the configuration value. in the file /etc/keystone/keystone.conf, comment out like this: [DEFAULT] #public_endpoint = <None>
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2948.html