Bug 1311165 - Keystone API GET 5000/v3 returns wrong endpoint URL in response body
Summary: Keystone API GET 5000/v3 returns wrong endpoint URL in response body
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: 10.0 (Newton)
Assignee: Adam Young
QA Contact: Rodrigo Duarte
URL:
Whiteboard:
: 1369881 (view as bug list)
Depends On:
Blocks: 1369066 1368299
TreeView+ depends on / blocked
 
Reported: 2016-02-23 14:41 UTC by Adam Young
Modified: 2017-01-25 06:47 UTC (History)
12 users (show)

Fixed In Version: openstack-tripleo-heat-templates-5.0.0-0.20160929150845.4cdc4fc.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-14 15:24:48 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2948 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 enhancement update 2016-12-14 19:55:27 UTC
OpenStack gerrit 368969 None None None 2016-09-16 17:20:02 UTC
Launchpad 1381961 None None None 2016-02-23 14:41:12 UTC

Description Adam Young 2016-02-23 14:41:12 UTC
Description of problem:
When I was invoking a GET request to public endpoint of Keystone, I found the admin endpoint URL in response body, I assume it should be the public endpoint URL:
GET https://192.168.101.10:5000/v3

{
  "version": {
    "status": "stable",
    "updated": "2013-03-06T00:00:00Z",
    "media-types": [
      {
        "base": "application/json",
        "type": "application/vnd.openstack.identity-v3+json"
      },
      {
        "base": "application/xml",
        "type": "application/vnd.openstack.identity-v3+xml"
      }
    ],
    "id": "v3.0",
    "links": [
      {
        "href": "https://172.20.14.10:35357/v3/",
        "rel": "self"
      }
    ]
  }
}

===============================================================
Btw, I can get the right URL for public endpoint in the response body of the versionless API call:
GET https://192.168.101.10:5000

{
  "versions": {
    "values": [
      {
        "status": "stable",
        "updated": "2013-03-06T00:00:00Z",
        "media-types": [
          {
            "base": "application/json",
            "type": "application/vnd.openstack.identity-v3+json"
          },
          {
            "base": "application/xml",
            "type": "application/vnd.openstack.identity-v3+xml"
          }
        ],
        "id": "v3.0",
        "links": [
          {
            "href": "https://192.168.101.10:5000/v3/",
            "rel": "self"
          }
        ]
      },
      {
        "status": "stable",
        "updated": "2014-04-17T00:00:00Z",
        "media-types": [
          {
            "base": "application/json",
            "type": "application/vnd.openstack.identity-v2.0+json"
          },
          {
            "base": "application/xml",
            "type": "application/vnd.openstack.identity-v2.0+xml"
          }
        ],
        "id": "v2.0",
        "links": [
          {
            "href": "https://192.168.101.10:5000/v2.0/",
            "rel": "self"
          },
          {
            "href": "http://docs.openstack.org/api/openstack-identity-service/2.0/content/",
            "type": "text/html",
            "rel": "describedby"
          },
          {
            "href": "http://docs.openstack.org/api/openstack-identity-service/2.0/identity-dev-guide-2.0.pdf",
            "type": "application/pdf",
            "rel": "describedby"
          }
        ]
      }
    ]
  }
}

Comment 2 Adam Young 2016-02-23 15:47:54 UTC
Just tested backport of commit 40c3942c12d1dd2c826d836987616838a73a64a1  and it fixes the problem.  This will a deployer run Keystone on a port other than 5000/35357, which might be needed for firewall or network issues

Comment 5 Rodrigo Duarte 2016-06-30 16:09:12 UTC
verification failed for openstack-keystone-9.0.0-1.el7ost.noarch

calling using the public endpoint looks correct:

[stack@undercloud ~]$ curl http://10.0.0.101:5000/v3 | python -m json.tool

{
    "version": {
        "id": "v3.6",
        "links": [
            {
                "href": "http://10.0.0.101:5000/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-04-04T00:00:00Z"
    }
}

and also without version and with v2.0:

[stack@undercloud ~]$ curl http://10.0.0.101:5000 | python -m json.tool

{
    "versions": {
        "values": [
            {
                "id": "v3.6",
                "links": [
                    {
                        "href": "http://10.0.0.101:5000/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-04-04T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://10.0.0.101:5000/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "stable",
                "updated": "2014-04-17T00:00:00Z"
            }
        ]
    }
}

[stack@undercloud ~]$ curl http://10.0.0.101:5000/v2.0 | python -m json.tool

{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://10.0.0.101:5000/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "stable",
        "updated": "2014-04-17T00:00:00Z"
    }
}

unfortunately, calling using the admin endpoint, it returns the public endpoint:

[stack@undercloud ~]$ curl http://10.0.0.101:35357/v3 | python -m json.tool

{
    "version": {
        "id": "v3.6",
        "links": [
            {
                "href": "http://10.0.0.101:5000/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-04-04T00:00:00Z"
    }
}

although, without version and with v2.0, the results are correct:

[stack@undercloud ~]$ curl http://10.0.0.101:35357 | python -m json.tool

{
    "versions": {
        "values": [
            {
                "id": "v3.6",
                "links": [
                    {
                        "href": "http://10.0.0.101:35357/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-04-04T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://10.0.0.101:35357/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "stable",
                "updated": "2014-04-17T00:00:00Z"
            }
        ]
    }
}



[stack@undercloud ~]$ curl http://10.0.0.101:35357/v2.0 | python -m json.tool

{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://10.0.0.101:35357/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "stable",
        "updated": "2014-04-17T00:00:00Z"
    }
}

Comment 7 Adam Young 2016-09-08 04:10:04 UTC
The root of the  issue is that public_endpoint is set in the config file, which forces the answer to a specific port.  If that value is unset, the controller uses the request to determine what port to fill in.

The value is set by Tripleo Heat templates in a Director deploy, such as:

/usr/share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml:122:        keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}

But even defaults to the server default, which comes from the Endpoint.  If the value is left unset, however, it appears that an install will fail.

It is possible that unsetting the value after deploy will be an effective work around.

Comment 8 Adam Young 2016-09-12 15:43:17 UTC
The following change seems to make it work.


$ diff  /usr/share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml.orig /usr/share/openstack-tripleo-heat-templates/puppet/services/keystone.yaml
122d121
<         keystone::public_endpoint: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}

Comment 9 Nathan Kinder 2016-09-22 19:51:30 UTC
*** Bug 1369881 has been marked as a duplicate of this bug. ***

Comment 11 Rodrigo Duarte 2016-10-04 03:03:46 UTC
verified for openstack-keystone-10.0.0-0.

following the same tests made above:

- public endpoint:

# curl http://192.0.2.1:5000  | python -m json.tool

{
    "versions": {
        "values": [
            {
                "id": "v3.7",
                "links": [
                    {
                        "href": "http://192.0.2.1:5000/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-10-06T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://192.0.2.1:5000/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "deprecated",
                "updated": "2016-08-04T00:00:00Z"
            }
        ]
    }
}

# curl http://192.0.2.1:5000/v2.0  | python -m json.tool

{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://192.0.2.1:5000/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "deprecated",
        "updated": "2016-08-04T00:00:00Z"
    }
}

# curl http://192.0.2.1:35357/v3  | python -m json.tool

{
    "version": {
        "id": "v3.7",
        "links": [
            {
                "href": "http://192.0.2.1:35357/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-10-06T00:00:00Z"
    }
}

- admin endpoint:

# curl http://192.0.2.1:35357  | python -m json.tool

{
    "versions": {
        "values": [
            {
                "id": "v3.7",
                "links": [
                    {
                        "href": "http://192.0.2.1:35357/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2016-10-06T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://192.0.2.1:35357/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "deprecated",
                "updated": "2016-08-04T00:00:00Z"
            }
        ]
    }
}

# curl http://192.0.2.1:35357/v3  | python -m json.tool

{
    "version": {
        "id": "v3.7",
        "links": [
            {
                "href": "http://192.0.2.1:35357/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2016-10-06T00:00:00Z"
    }
}



# curl http://192.0.2.1:35357/v2.0  | python -m json.tool

{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://192.0.2.1:35357/v2.0/",
                "rel": "self"
            },
            {
                "href": "http://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "deprecated",
        "updated": "2016-08-04T00:00:00Z"
    }
}

Comment 13 Nathan Kinder 2016-11-04 17:20:24 UTC
*** Bug 1368299 has been marked as a duplicate of this bug. ***

Comment 14 Edu Alcaniz 2016-12-07 08:17:57 UTC
We need manual configuration change for OSP7

Comment 16 Adam Young 2016-12-08 14:13:55 UTC
Explicitly remove the configuration value.

in the file /etc/keystone/keystone.conf, comment out like this:

[DEFAULT]
#public_endpoint = <None>

Comment 18 errata-xmlrpc 2016-12-14 15:24:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html


Note You need to log in before you can comment on or make changes to this bug.