Bug 1639183
| Summary: | [RHOSP10] openstack client requires access to keystone's v2.0 adminURL, when it really shouldn't | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Alex Stupnikov <astupnik> |
| Component: | python-openstackclient | Assignee: | Julie Pichon <jpichon> |
| Status: | CLOSED WONTFIX | QA Contact: | nlevinki <nlevinki> |
| Severity: | medium | Priority: | medium |
| Version: | 10.0 (Newton) | CC: | apevec, jpichon, lhh, nkinder, rmascena |
| Target Milestone: | zstream | Keywords: | Triaged, ZStream |
| Target Release: | 10.0 (Newton) | Hardware: | All |
| OS: | Linux | Type: | Bug |
| Last Closed: | 2018-12-13 16:56:01 UTC | Bug Blocks: | 1639184, 1639185 |
| : | 1639184 1639185 | | |
Note: It appears someone just filed this upstream as well, https://storyboard.openstack.org/#!/story/2004105.
Description of problem:
Keystone v2.0 provides a different set of URLs for different kinds of requests:
- adminurl: for admin requests
- internalurl: for internal services
- publicurl: for public requests

A customer reported the following problem: openstackclient requires access to adminURL in cases when it is not needed. For example, every user should be able to create and list his EC2 credentials ("openstack ec2 credentials list" command), but for some reason openstack client uses adminURL to process such requests and hangs if it is not available.

Version-Release number of selected component (if applicable):
I was able to reproduce this issue for RHOSP 10, RHOSP 11 and RHOSP 12 (keystone v2.0 was deprecated in Queens, so I haven't checked it).

How reproducible:
Collect information about the identity endpoint and get its URLs. Use EC2 commands with active verbose flags to create and list EC2 credentials:

    openstack -vv ec2 credentials create
    openstack -vv ec2 credentials list

You will see that it polls adminURL (generally uses port 35357). You could also block this URL with iptables and see that the request will time out.

Expected results:
User will be able to get his EC2 credentials without polling internal URL.

Additional info:
Though I report this issue for a certain command, it seems that other commands are also affected and should be investigated.

Workaround:
Create a DNAT rule that will DNAT adminURL to publicURL.
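
The reproduction steps above (read the identity endpoint's URLs, then watch which one the client calls under `-vv`) can be automated when auditing whether user-facing commands depend on the admin endpoint. The following is an added example, not code from the bug report or from python-openstackclient; the catalog addresses, the log lines and the function names are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed Keystone v2.0 token response fragment (access.serviceCatalog).
CATALOG = json.loads("""
{"access": {"serviceCatalog": [
  {"type": "identity", "name": "keystone", "endpoints": [
    {"adminURL": "http://192.0.2.10:35357/v2.0",
     "internalURL": "http://192.0.2.20:5000/v2.0",
     "publicURL": "http://203.0.113.5:5000/v2.0"}]}
]}}
""")

# Constructed lines in the style of the client's -vv request logging.
DEBUG_LOG = """\
REQ: curl -g -i -X POST http://203.0.113.5:5000/v2.0/tokens -H "Accept: application/json"
REQ: curl -g -i -X GET http://192.0.2.10:35357/v2.0/users/USER_ID/credentials/OS-EC2 -H "X-Auth-Token: REDACTED"
"""

INTERFACES = ("adminURL", "internalURL", "publicURL")

def origin(url):
    """Return (scheme, host, port) so endpoints compare by network location."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname, port

def endpoint_index(catalog):
    """Map each origin to the set of (service type, interface) it serves."""
    index = {}
    for service in catalog["access"]["serviceCatalog"]:
        for endpoint in service["endpoints"]:
            for interface in INTERFACES:
                if interface in endpoint:
                    index.setdefault(origin(endpoint[interface]), set()).add(
                        (service["type"], interface))
    return index

def classify_requests(log_text, catalog):
    """Return (method, url, matching catalog interfaces) per logged request."""
    index = endpoint_index(catalog)
    return [(m, u, sorted(index.get(origin(u), ())))
            for m, u in re.findall(r"^REQ: curl .*?-X (\w+) (\S+)", log_text, re.M)]

def admin_only_requests(log_text, catalog):
    """Requests whose target appears in the catalog only as an adminURL."""
    return [(m, u) for m, u, hits in classify_requests(log_text, catalog)
            if hits and all(interface == "adminURL" for _, interface in hits)]
```

A deployment where adminURL and publicURL share one address is deliberately not flagged, since blocking the admin endpoint there would not isolate it from users.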