OpenStack Identity (keystone)

templated Catalog backend does not support listing services or endpoints

Bug #1156298 reported by Jay Pipes
32
This bug affects 5 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
David Stanek
OpenStack Identity (keystone) mitaka-3 "m3"

Bug Description

Recently we switched from using the SQL backend for the Catalog Keystone component to using the templated Catalog backend. We switched for performance reasons -- SQL connection performance over WAN was unacceptable -- as well as the fact that novaclient and the Keystone API itself apparently has no way of filtering endpoints based on an availability zone, and the client simply picks the first compute endpoint it finds in the region

Sidenote: did nobody think about cases where there is >1 availability zone per region? :( See my summit proposal on this topic: http://summit.openstack.org/cfp/edit/114

Anyway, I got the templated Catalog backend going without too much fuss, but then I noticed the following:

<email address hidden> 18:38:14:~# keystone service-list
No handlers could be found for logger "keystoneclient.client"
Unable to communicate with identity service: 404 Not Found

The resource could not be found.

   . (HTTP 404)
<email address hidden> 18:38:18:~# keystone endpoint-list
No handlers could be found for logger "keystoneclient.client"
Unable to communicate with identity service: 404 Not Found

The resource could not be found.

   . (HTTP 404)
<email address hidden> 18:38:20:~# keystone catalog
Service: volume
+-------------+---------------------------------------------------------------------+
| Property | Value |
+-------------+---------------------------------------------------------------------+
| adminURL | http://volume.dal2.tfoundry.com/v1/3bfaed94e4554e4c884b7f87d65e02e4 |
| internalURL | http://volume.dal2.tfoundry.com/v1/3bfaed94e4554e4c884b7f87d65e02e4 |
| publicURL | http://volume.dal2.tfoundry.com/v1/3bfaed94e4554e4c884b7f87d65e02e4 |
| region | ci |
+-------------+---------------------------------------------------------------------+
Service: image
+-------------+--------------------------------------------+
| Property | Value |
+-------------+--------------------------------------------+
| adminURL | http://image.int.dal2.tfoundry.com:9292/v1 |
| internalURL | http://image.int.dal2.tfoundry.com:9292/v1 |
| publicURL | http://image.int.dal2.tfoundry.com:9292/v1 |
| region | ci |
+-------------+--------------------------------------------+
Service: compute
+-------------+-----------------------------------------------------------------------+
| Property | Value |
+-------------+-----------------------------------------------------------------------+
| adminURL | https://compute.dal2.tfoundry.com/v2/3bfaed94e4554e4c884b7f87d65e02e4 |
| internalURL | https://compute.dal2.tfoundry.com/v2/3bfaed94e4554e4c884b7f87d65e02e4 |
| publicURL | https://compute.dal2.tfoundry.com/v2/3bfaed94e4554e4c884b7f87d65e02e4 |
| region | ci |
+-------------+-----------------------------------------------------------------------+
Service: ec2
+-------------+----------------------------------------------+
| Property | Value |
+-------------+----------------------------------------------+
| adminURL | https://ec2.dal2.tfoundry.com/services/Cloud |
| internalURL | https://ec2.dal2.tfoundry.com/services/Cloud |
| publicURL | https://ec2.dal2.tfoundry.com/services/Cloud |
| region | ci |
+-------------+----------------------------------------------+
Service: identity
+-------------+--------------------------------------------+
| Property | Value |
+-------------+--------------------------------------------+
| adminURL | https://auth.dal2.tfoundry.com/v2.0/ |
| internalURL | https://auth.dal2.tfoundry.com:35357/v2.0/ |
| publicURL | https://auth.dal2.tfoundry.com/v2.0/ |
| region | ci |
+-------------+--------------------------------------------+

The service and endpoint lists should be trivial to implement since the catalog already contains this information. In addition, the error message returned from keystone service-list and keystone endpoint-list should be a 501 Not Implemented, not a 404 Not Found.

Note that this affects both Folsom and trunk.

Jay Pipes (jaypipes)
Changed in keystone:
assignee: nobody → Jay Pipes (jaypipes)
Revision history for this message
Jay Pipes (jaypipes) wrote :

Note that this is due to the way the KVS catalog driver works... it is not written to account for when a user/tenant catalog KVS item does not exist, and so switching to templated catalog and doing a keystone user-list will result in a 404 Not Found being returned by Keystone. :(

Revision history for this message
David Hill (david-hill-ubisoft) wrote :

I'm not sure if it's the same bug we're experiencing but, "keystone endpoint-list" is returning:
The action you have requested has not been implemented. (HTTP 501)

and if I use the SQL backend instead, well it's even worse!
No handlers could be found for logger "keystoneclient.v2_0.client"
Unable to communicate with identity service: 404 Not Found

The resource could not be found.

   . (HTTP 404)

I'm trying to get quantum to work and I /think/i it's because we have 0 endpoint in the Database ... I was trying to create one when I hit this wall too.

Revision history for this message
Dolph Mathews (dolph) wrote :

David: I suspect you're hitting port 5000 rather than port 35357.

Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Dolph Mathews (dolph) wrote :

Unassigning due to inactivity.

Changed in keystone:
assignee: Jay Pipes (jaypipes) → nobody
Lin Hua Cheng (lin-hua-cheng)
Changed in keystone:
assignee: nobody → Lin Hua Cheng (lin-hua-cheng)
David Stanek (dstanek)
Changed in keystone:
assignee: Lin Hua Cheng (lin-hua-cheng) → David Stanek (dstanek)
Revision history for this message
David Moreau Simard (dmsimard) wrote :

Just cross-referencing an apparently related bug: https://bugs.launchpad.net/keystone/+bug/1367113

Revision history for this message
David Stanek (dstanek) wrote :

I think https://review.openstack.org/#/c/158442/ got this pretty much done.

Changed in keystone:
milestone: none → mitaka-3
status: Confirmed → Fix Committed
Revision history for this message
Steve Martinelli (stevemar) wrote :

David, agreed, I'll mark it as released, since that's what we do now when a patch closes the bug

Changed in keystone:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.