Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 970098 - Keystone API v3 lists disabled endpoints and services in catalog
Keystone API v3 lists disabled endpoints and services in catalog
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: rc
: 5.0 (RHEL 7)
Assigned To: Adam Young
Jeremy Agee
: Triaged
Depends On:
  Show dependency treegraph
Reported: 2013-06-03 09:06 EDT by Pavel Sedlák
Modified: 2016-04-26 18:29 EDT (History)
7 users (show)

See Also:
Fixed In Version: openstack-keystone-2014.1-4.el7ost
Doc Type: Enhancement
Doc Text:
Previously, the service catalog used to return all endpoints, regardless of status. This meant that disabled endpoints were displayed as well. Now, only enabled endpoints are returned by default.
Story Points: ---
Clone Of:
Last Closed: 2014-07-08 11:23:37 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1273867 None None None Never
Red Hat Product Errata RHEA-2014:0854 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform Enhancement - Identity 2014-07-08 15:22:33 EDT

  None (edit)
Description Pavel Sedlák 2013-06-03 09:06:04 EDT
Description of problem:
When endpoint or service has "enabled" attribute set to "False", it is still listed in catalog (`keystone catalog` command and/or in catalog part of token.

Create testing service (simplifies output later):
> localhost:5000
> POST /v3/services
> '{"service":{"name":"My svc","type":"testing"}}'
> {'service': {'id': '<SERVICE-ID>',
>              'links': {'self': 'http://localhost:5000/v3/services/<SERVICE-ID>'},
>              'name': 'My svc',
>              'type': 'testing'}}

Create disabled endpoint:
> localhost:5000
> POST /v3/endpoints
> '{"endpoint":{
>    "enabled":false,
>    "name":"My disabled",
>    "interface":"public",
>    "url":"disabled_URL",
>    "service_id":"<SERVICE-ID>"}}'
> {'endpoint': {'enabled': False,
>               'id': '<ENDPOINT-ID>',
>               'interface': 'public',
>               'links': {'self': 'http://localhost:5000/v3/endpoints/<ENDPOINT-ID>'},
>               'name': 'My disabled',
>               'region': None,
>               'service_id': '<SERVICE-ID>',
>               'url': 'disabled_URL'}}

Now request token and see that it's catalog/endpoints part contains:
> localhost:5000
> POST /v3/auth/tokens
> '{"auth":{
>  "identity":
>    {"methods":["password"],
>     "password":{
>       "user":{"name":"admin","domain":{"id":"default"},"password":"pass"}}},
>  "scope":{"project":{"name":"admin","domain":{"id":"default"}}}}}
snippet of response:
> {'token': {'catalog': [
> ...
>   {'endpoints': [{'enabled': False,
>                  'id': '<ENDPOINT-ID>',
>                  'interface': 'public',
>                  'legacy_endpoint_id': None,
>                  'name': 'My disabled',
>                  'region': None,
>                  'url': 'disabled_URL'}],
>    'id': '<SERVICE-ID>',
>    'type': 'testing'},
> ...

Also it gets listed in response of `keystone catalog` (API v2):
> # keystone catalog --service testing
> Service: testing
> +-----------+----------------------------------+
> |  Property |              Value               |
> +-----------+----------------------------------+
> |     id    |        <ENDPOINT-ID>             |
> | publicURL |        disabled_URL              |
> |   region  |                                  |
> +-----------+----------------------------------+

The same example applies to Service with enabled=false.

See https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#endpoints-v3endpoints for description of enabled attribute for Endpoint.

And https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#services-v3services for description of Service.
Comment 7 Udi 2014-07-03 10:15:46 EDT
Verified in:
Comment 9 errata-xmlrpc 2014-07-08 11:23:37 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.