OpenStack Dashboard (Horizon)

horizon ignores region for identity

Bug #1339382 reported by Matt Fischer on 2014-07-08

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Dashboard (Horizon)	Fix Released	Medium	Eric Peterson	OpenStack Dashboard (Horizon) 2014.2 "juno"
	Icehouse	Fix Released	Undecided	Unassigned	OpenStack Dashboard (Horizon) 2014.1.5

Bug Description

In our setup we have multiple regions with an identity endpoint in each. For some reason Horizon ignores regions for idenity and just returns the first one in the list.

in openstack_dashboard/api/base.py
def get_url_for_service(service, region, endpoint_type):
    identity_version = get_version_from_service(service)
    for endpoint in service['endpoints']:
        # ignore region for identity
        if service['type'] == 'identity' or region == endpoint['region']:
            try:
...

This causes the openrc file generation to include the first identity endpoint always and it always shows the first one in the endpoint list.

See original description

Tags:

Matt Fischer (mfisch) on 2014-07-08

Changed in horizon:
assignee:	nobody → Matt Fischer (mfisch)
status:	New → In Progress

Revision history for this message

Matt Fischer (mfisch) wrote on 2014-07-08:

Unassigning myself as this issue is more than the openrc file. This was an intentional decision and so perhaps someone who works on Horizon can explain it.

summary:	- openrc does not use region to find auth_url + horizon ignores region for identity
description:	updated
Changed in horizon:
assignee:	Matt Fischer (mfisch) → nobody
status:	In Progress → New

Revision history for this message

Matt Fischer (mfisch) wrote on 2014-07-08:

Screen Shot 2014-07-08 at 4.28.13 PM.png Edit (128.8 KiB, image/png)

Note in the screencap that in the region I'm in all the endpoints should be "d....", yet for identity it picks the first in the list "c..."

Revision history for this message

David Lyle (david-lyle) wrote on 2014-07-11:

Identity is intended to be global for a region. Other keystone endpoints would require re-authentication against that endpoint. Specifying identity that way is done in local_settings.py.

See:
# For multiple regions uncomment this configuration, and add (endpoint, title).
# AVAILABLE_REGIONS = [
# ('http://127.0.0.1:5000/v2.0', 'Region 1'),
# ('http://10.0.2.15:5000/v2.0', 'Region 2'),
# ]

I think you have a configuration problem rather than a bug.

Changed in horizon:
status:	New → Invalid

Revision history for this message

Matt Fischer (mfisch) wrote on 2014-07-11:

Even when setting the available regions, Horizon is always talking to the first Identity endpoint in the list, ignoring what's in that region list except for the initial login. This does not seem to be the correct behavior. In our case the identity system is global but the we have separate VIPs per geographic region. When Horizon chooses to only talk to one geographic region regardless it add a single point of failure.

In this example, I'm signing into a region "West" which has a defined endpoint of http://d...

Sign-in:

2014-07-11 19:02:59,575 24827 DEBUG keystoneclient.session REQ: curl -i -X POST http://d:5000/v2.0/tokens -H ...

After I get the catalog, Horizon says "well I'll just use the first one I find"

And all subsequent calls do this, talking to "C" which is 1500 miles away.

2014-07-11 19:03:01,334 24829 DEBUG keystoneclient.session REQ: curl -i -X POST http://c:5000/v2.0/tokens

While this works, since our Identity is global, it is inefficient. It also causes all generated OPENRC files to point to the same place, thereby propagating this inefficiency and SPOF to our users.

Changed in horizon:
status:	Invalid → New

Gary W. Smith (gary-w-smith) on 2014-08-28

tags:

added: keystone

Revision history for this message

David Lyle (david-lyle) wrote on 2014-09-15:

There is some nuance here, where there may not be a keystone endpoint for every region. If there is, use it. If not use first one found.

Changed in horizon:
importance:	Undecided → Medium
milestone:	none → juno-rc1
status:	New → Confirmed
assignee:	nobody → David Lyle (david-lyle)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-17: Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/122174

Changed in horizon:
assignee:	David Lyle (david-lyle) → Eric Peterson (ericpeterson-l)
status:	Confirmed → In Progress

David Lyle (david-lyle) on 2014-09-22

Changed in horizon:
milestone:	juno-rc1 → kilo-1
milestone:	kilo-1 → juno-rc1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-23: Fix merged to horizon (master)

Reviewed: https://review.openstack.org/122174
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=88371c666083e2d02527f45e3e4415b657ab893f
Submitter: Jenkins
Branch: master

commit 88371c666083e2d02527f45e3e4415b657ab893f
Author: eric <email address hidden>
Date: Wed Sep 17 08:51:32 2014 -0600

horizon ignores region for identity service

    this change will attempt to use a identity service in the selected region
    when available. before the region for the identity service was always the first
    found

Change-Id: Idc64a32128bcee561cdbba956722adad0ee1eaf2
Closes-Bug: #1339382

Changed in horizon:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2014-10-03

Changed in horizon:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-10-16

Changed in horizon:
milestone:	juno-rc1 → 2014.2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-11-09: Fix proposed to horizon (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/133364

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-12: Fix merged to horizon (stable/icehouse)

Reviewed: https://review.openstack.org/133364
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=4ff165c90b42b522b884382152d296b00473a99c
Submitter: Jenkins
Branch: stable/icehouse

commit 4ff165c90b42b522b884382152d296b00473a99c
Author: eric <email address hidden>
Date: Wed Sep 17 08:51:32 2014 -0600

horizon ignores region for identity service

    this change will attempt to use a identity service in the selected region
    when available. before the region for the identity service was always the first
    found

    Change-Id: Idc64a32128bcee561cdbba956722adad0ee1eaf2
    Closes-Bug: #1339382
    (cherry picked from commit 88371c666083e2d02527f45e3e4415b657ab893f)