Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1639183

Summary: [RHOSP10]openstack client requires access to keystone's v2.0 adminURL, when it really shouldn't
Product: Red Hat OpenStack
Reporter: Alex Stupnikov <astupnik>
Component: python-openstackclient
Assignee: Julie Pichon <jpichon>
Status: CLOSED WONTFIX
QA Contact: nlevinki <nlevinki>
Severity: medium
Priority: medium
Version: 10.0 (Newton)
CC: apevec, jpichon, lhh, nkinder, rmascena
Target Milestone: zstream
Keywords: Triaged, ZStream
Target Release: 10.0 (Newton)
Hardware: All
OS: Linux
Last Closed: 2018-12-13 16:56:01 UTC
Type: Bug
Bug Blocks: 1639184, 1639185

Description Alex Stupnikov 2018-10-15 09:01:07 UTC
Description of problem:

Keystone v2.0 provides a different set of URLs for different kinds of requests:

- adminurl: for admin requests
- internalurl: for internal services
- publicurl: for public requests

Customer reported the following problem: openstackclient requires access to adminURL in cases when it is not needed. For example, every user should be able to create and list his EC2 credentials ("openstack ec2 credentials list" command), but for some reason openstack client uses adminURL to process such requests and hangs if it is not available.

Version-Release number of selected component (if applicable):

I was able to reproduce this issue for RHOSP 10, RHOSP 11 and RHOSP 12 (keystone v2.0 was deprecated in Queens, so I haven't checked it).


How reproducible:

Collect information about identity endpoint, get its URLs.

Use EC2 commands with active verbose flags to create and list EC2 credentials:

openstack -vv ec2 credentials create
openstack -vv ec2 credentials list

You will see that it polls adminURL (generally uses 35357 port). You could also block this URL with iptables and see that the request will time out.


Expected results:

User will be able to get his EC2 credentials without polling internal URL.


Additional info:

Though I report this issue for a certain command, it seems that other commands are also affected and should be investigated.


Workaround:

Create a DNAT rule that will DNAT adminURL to publicURL.
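
Added example, not part of the original report or of python-openstackclient: a way to check which catalog interface each request in `openstack -vv` output actually targets, so commands that depend on adminURL can be listed before that URL is firewalled. The catalog, hosts and log lines below are constructed placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed Keystone v2.0 token response fragment (hosts are placeholders).
CATALOG = {"access": {"serviceCatalog": [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"region": "regionOne",
         "adminURL": "http://192.0.2.10:35357/v2.0",
         "internalURL": "http://172.16.0.10:5000/v2.0",
         "publicURL": "http://203.0.113.10:5000/v2.0"}]}]}}

# Constructed lines in the style of `openstack -vv` request logging.
SAMPLE_LOG = """\
REQ: curl -g -i -X POST http://203.0.113.10:5000/v2.0/tokens -H "Accept: application/json"
REQ: curl -g -i -X GET http://192.0.2.10:35357/v2.0/users/USER_ID/credentials/OS-EC2 -H "X-Auth-Token: {SHA1}..."
"""

INTERFACES = ("adminURL", "internalURL", "publicURL")
REQ_RE = re.compile(r"REQ: curl .*?-X (\w+) (\S+)")


def origin(url):
    """Return (host, port) so URLs are compared by network destination."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def interface_map(catalog, service_type="identity"):
    """Map each (host, port) of the service's endpoints to its interface name."""
    mapping = {}
    for service in catalog["access"]["serviceCatalog"]:
        endpoints = service["endpoints"] if service["type"] == service_type else []
        for endpoint in endpoints:
            for name in INTERFACES:
                if name in endpoint:
                    # If two interfaces share host:port, the first listed wins.
                    mapping.setdefault(origin(endpoint[name]), name)
    return mapping


def classify_requests(log_text, catalog):
    """Return (method, url, interface) for every request line in the log."""
    mapping = interface_map(catalog)
    return [(m.group(1), m.group(2), mapping.get(origin(m.group(2)), "unknown"))
            for m in REQ_RE.finditer(log_text)]


if __name__ == "__main__":
    for method, url, iface in classify_requests(SAMPLE_LOG, CATALOG):
        print(f"{iface:12} {method:5} {url}")
```

Any request classified as adminURL for an ordinary user command is one that will hang when only the public endpoint is reachable.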

Comment 2 Julie Pichon 2018-10-17 11:14:24 UTC
Note: It appears someone just filed this upstream as well, https://storyboard.openstack.org/#!/story/2004105 .