python-openstackclient

Setting --os-identity-api-version=3 still uses v2

Bug #1260916 reported by Adam Young
28
This bug affects 5 people
Affects Status Importance Assigned to Milestone
python-keystoneclient
Fix Released
High
Dolph Mathews
python-keystoneclient 0.7.1
python-openstackclient
Invalid
Undecided
Adam Young

Bug Description

Tried to do

 openstack --os-identity-api-version=3 user create testname2 --password=testme --project=demo --domain=default

But the project lookup was failing as it was still attempting to do V2 lookup. Had to change the endpoint to v3 in the database, which does not provide a multi version mode. Just removing v2.0 from the endpoint should trigger the version discovery.

Adam Young (ayoung)
Changed in python-openstackclient:
assignee: nobody → Adam Young (ayoung)
Revision history for this message
Adam Young (ayoung) wrote :

Specificially:

get clone both python-keystoneclient and python-openstackclient. run the unit tests to initialize the venvs, and then activate the venv for python-openstackclient:

cd /opt/stack/python-openstackclient
 . .tox/py27/bin/activate

cd /opt/stack/python-keystoneclient
python setup.py install

then
 . ~/keystone.rc
openstack user list

ERROR: cliff.app Authorization Failed: The resource could not be found. (HTTP 404)

In the keystone log see:
"POST /v3/tokens HTTP/1.1" 404 228 0.001890

Revision history for this message
Steve Martinelli (stevemar) wrote :

What's your keystone.rc file look like? (Or maybe just post your env variables here, too?)

Revision history for this message
Adam Young (ayoung) wrote :

The above was wrong: I was still messing with keystone.rc as you suspected.

The real problem is in the endpoints returned from the Service catalog: we've documented all over the place that they are supposed to have the version string in them.

If the endpoint as reportd by Keystone is v2.0, a v3 call is going to go to the wrong url.

Revision history for this message
Wei Wang (damon-devops) wrote :
Download full text (4.2 KiB)

That's insteresting, i have tried keystone --os-identity-api-version 3.0 --debug user-list and it shows like this:

[root@controller ~]# keystone --os-identity-api-version 3.0 --debug user-list
REQ: curl -i -X POST http://controller:35357/v2.0/tokens -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient"
REQ BODY: {"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "123456"}}}

RESP: [200] {'date': 'Sat, 22 Feb 2014 07:51:27 GMT', 'content-type': 'application/json', 'content-length': '6301', 'vary': 'X-Auth-Token'}
RESP BODY: {"access": {"token": {"issued_at": "2014-02-22T07:51:27.602770", "expires": "2014-02-23T07:51:27Z", "id": "MIILTQYJK ... Ek8Dzkeiflig=", "tenant": {"description": "Admin Tenant", "enabled": true, "id": "ad21fc93de544f76884f954ac95eb6aa", "name": "admin"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://controller:8774/v2/ad21fc93de544f76884f954ac95eb6aa", "region": "regionOne", "internalURL": "http://controller:8774/v2/ad21fc93de544f76884f954ac95eb6aa", "id": "9fb91d052ad94a81b244330383e68868", "publicURL": "http://controller:8774/v2/ad21fc93de544f76884f954ac95eb6aa"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://controller:9696", "region": "regionOne", "internalURL": "http://controller:9696", "id": "33608610627246608491f931aa58ff0f", "publicURL": "http://controller:9696"}], "endpoints_links": [], "type": "network", "name": "neutron"}, {"endpoints": [{"adminURL": "http://controller:8776/v2/ad21fc93de544f76884f954ac95eb6aa", "region": "regionOne", "internalURL": "http://controller:8776/v2/ad21fc93de544f76884f954ac95eb6aa", "id": "248380da68154aeebf7df631f854e3f8", "publicURL": "http://controller:8776/v2/ad21fc93de544f76884f954ac95eb6aa"}], "endpoints_links": [], "type": "volumev2", "name": "cinderv2"}, {"endpoints": [{"adminURL": "http://controller:9292", "region": "regionOne", "internalURL": "http://controller:9292", "id": "0c7dcb073d0141cdb9b62051e7bf44c1", "publicURL": "http://controller:9292"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://controller:8776/v1/ad21fc93de544f76884f954ac95eb6aa", "region": "regionOne", "internalURL": "http://controller:8776/v1/ad21fc93de544f76884f954ac95eb6aa", "id": "4d6e60d5b6fa47a596d5d5106df44716", "publicURL": "http://controller:8776/v1/ad21fc93de544f76884f954ac95eb6aa"}], "endpoints_links": [], "type": "volume", "name": "cinder"}, {"endpoints": [{"adminURL": "http://controller:35357/v2.0", "region": "regionOne", "internalURL": "http://controller:5000/v2.0", "id": "33847585ea474b389dc9347bbc2641e0", "publicURL": "http://controller:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "admin", "roles_links": [], "id": "67632785df764cb8b5c4158abcd653a6", "roles": [{"name": "admin"}, {"name": "_member_"}], "name": "admin"}, "metadata": {"is_admin": 0, "roles": ["2fbf0fbfc9a448f98be1d4df59472cdd", "9fe2ff9ee4384b1894a90878d3e92bab"]}}}

REQ: curl -i -X GET http://controller:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: MIILTQYJ ... Ek8Dzkeiflig="
RESP...

Read more...

Revision history for this message
Wei Wang (damon-devops) wrote :

And I find this in test_shell.py:

# Test os-identity-api-version fall back to 2.0
shell('--os-identity-api-version 3.0 user-list')
assert do_tenant_mock.called
self.assertTrue(b.os_identity_api_version, '2.0')

This means the program is desiged to use 2.0.

Revision history for this message
Steve Martinelli (stevemar) wrote :

Wei Wang,

by issuing `keystone xxxx` commands, you are using keystoneclient, which only supports v2.
The tests in test_shell are for the shell of keystoneclient (which handles the `keystone xxx` related commands). Again, it only supports v2, so the behaviour you are seeing is correct.

Revision history for this message
Steve Martinelli (stevemar) wrote :

Adam, did you still want to keep the bug open, or change the title / open a new bug to reflect the problem of version discovery not working?

$ openstack endpoint list --long
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
 +----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------+
| 364dd9cacbf340e08c81d29e20248176 | RegionOne | keystone | identity | | public | http://10.0.2.15:5000/v3 |
| 7c7daf782c744d43a8001589e5550f23 | RegionOne | keystone | identity | | admin | http://10.0.2.15:35357/v3 |
| cfe2f6cf26bf46a982b130ad1dae8d81 | RegionOne | keystone | identity | | internal | http://10.0.2.15:5000/v3 |
 +----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------+

$ openstack user list
+----------------------------------+-------+
| ID | Name |
 +----------------------------------+-------+
| 3d70b3b7c1784e438b81a3857c623f39 | demo |
| 9d7413499b6c4f55b67af8cb9e7f0164 | admin |
 +----------------------------------+-------+

From keystone server:
[22/Feb/2014 23:15:47] "GET /v3/services/7a524ae128664644beecc05bedf4aaa1 HTTP/1.1" 200 357 0.012829
...
[22/Feb/2014 23:16:11] "GET /v3/users HTTP/1.1" 200 775 0.017636

Revision history for this message
Steve Martinelli (stevemar) wrote :

Forgot to mention that the above example was meant to illustrate that if you have v3 in the urls for your enpoint set, then OSC/KSC will properly route the request.

Changed in python-openstackclient:
status: New → Invalid
Dolph Mathews (dolph)
Changed in python-keystoneclient:
importance: Undecided → High
status: New → Triaged
Dolph Mathews (dolph)
Changed in python-keystoneclient:
milestone: none → 0.7.1
OpenStack Infra (hudson-openstack)
Changed in python-keystoneclient:
assignee: nobody → Dolph Mathews (dolph)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/75731
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=af298011501182ea196b9e3c6b106b789052ee69
Submitter: Jenkins
Branch: master

commit af298011501182ea196b9e3c6b106b789052ee69
Author: root <email address hidden>
Date: Mon Feb 24 01:47:21 2014 +0100

    Adds to Keystone to convert V2 endpoints to V3

    The Domain Quota Management Driver uses the V3 Authentication Token.
    Also, it tries to contact Keystone for getting list of projects in a
    domain using V3 API like /v3/projects?domain_id=<id>. But the
    keystone v3/client.py default uses V2 API and hence code changed
    to convert V2 endpoints for V3 endpoints. This change is required
    to implement blue print domain-quota-driver-api

    Change-Id: If62ffc5e5252477bbe4d80f14c0a7653e11d5403
    Closes-Bug: 1260916

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Dolph Mathews (dolph)
Changed in python-keystoneclient:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.