change default keystone port away from 5000

Bug #1016321 reported by Joseph Heck
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Joseph Heck

Bug Description

Honestly the only reason is that I've heard some fairly direct feedback that port 5000 is that MS uPnP port and hence blocked by many corporate entities, so it's just a matter of a PITA and a slight bump in setup for those groups. Thought to honestly register another port with IANA like 35357 and put it in place - wanted to see if anyone screamed first.


On Jun 20, 2012, at 8:49 PM, Vaze, Mandar wrote:
"public_port" is configurable via keystone.conf - so if port 5000 is blocked in specific setup, it is trivial to change it to some other port.

why make so many changes (REST docs, XML docs, devstack, and the code) for a parameter that can be easily tweaked ?


-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Joseph Heck
Sent: Thursday, June 21, 2012 4:46 AM
To: <email address hidden> (<email address hidden>)
Subject: [Openstack] [keystone] Keystone on port 5000 - proposing change default port to 8770

At the risk of a terrible public tar and feathering...

I've learned that port 5000 (which Keystone is using for it's default public-token-auth stuff) is commonly blocked by many firewalls, as it's been registered as a Microsoft uPnP port.

I thought I'd go ahead and propose changing the default to 8770. I picked this number because it's close to the Nova ports in common use (8773, 8774, 8775, and 8776).

And yes, I'll submit updates to all REST docs, XML docs, devstack, and the code.

Revision history for this message
Joseph Heck (heckj) wrote :
Download full text (3.7 KiB)

Have requested a formal port from IANA for the public keystone port:

To whom it may concern:

This is an automatically generated message to notify you that we have
received your request, and it has been recorded in our ticketing
system with a reference number of 583461. To check the status
of your request, please see:

If you have any problems accessing this page, please contact
<email address hidden>.

There is no need to reply to this message right now. IANA staff will
review your message shortly.

If this message is in reply to a previously submitted ticket, it is
possible that the previous ticket has been marked as closed. As we
review this ticket, we will also review previous correspondence and
take appropriate action.

To expedite processing, and ensure our staff can view the full history
of this request, please make sure you include the follow exact text in
the subject line of all future correspondence on this issue:

        [IANA #583461]

You can also simply reply to this message, as this tag is already in
the subject line.

Thank you,

The Internet Assigned Numbers Authority
<email address hidden>


Application for a Port Number and/or Service Name

Assignee: Nebula <email address hidden>
Contact Person: Joe Heck <email address hidden>

Resource Request:

   [x] Port Number
   [x] Service Name

Transport Protocols:
   [x] TCP
   [ ] UDP
   [ ] SCTP
   [ ] DCCP

Service Code: []
Service Name: [openstack-id]
Desired Port Number: [8770]
Description: [public openstack identity api]

[The keystone service ( provides a reference implementation of authentication and authorization services for OpenStack - infrastructure as a service software]

Defined TXT Keys:

1. If broadcast/multicast is used, how and what for?

2. If UDP is requested, please explain how traffic is limited, and whether the
   protocol reacts to congestion.

3. If UDP is requested, please indicate whether the service is solely
   for the discovery of hosts supporting this protocol.

4. Please explain how your protocol supports versioning.
[The REST API is versioned within the URI using a standard versioning scheme across all OpenStack projects. ]

5. If your request is for more than one transport, please explain in
   detail how the protocol differs over each transport.
[Another openstack-id is also registered on port 35357, which is the administrative API port. The transports for public and administrative use are supported as defaulting to separate ports to allow for easier enforcement of security.]

6. Please describe how your protocol supports security. Note that presently
   there is no IETF consensus on when it is appropriate to use a second port
   for an insecure version of a protocol.
[If enabled, the protocol fully supports SSL encryption, and in future versions will support SSL server and client side authentication]

7. Please explain the state of development of your protocol.
[stable and in continued development - currently in V2, beginning implementation ...


Revision history for this message
Joseph Heck (heckj) wrote :
Revision history for this message
Joseph Heck (heckj) wrote :
Changed in keystone:
milestone: none → folsom-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master

Changed in keystone:
status: Triaged → In Progress
Joseph Heck (heckj)
Changed in keystone:
status: In Progress → Invalid
milestone: folsom-3 → none
Revision history for this message
Joseph Heck (heckj) wrote :

well, crap:


This message is to inform you that your request has been resolved.
without prejudice.

Thank you,

Pearl Liang

On Mon Jul 30 14:13:48 2012, pearl.liang wrote:

Thank you for the reply. We received the following comment from
the Port Experts team:

We don't assign a separate port for a subset of functions of a single
service. FWIW, port-based access control does not significantly enhance
security for admin-specific functions. In addition, port-based flow
control should be replaced with the flow label or ToS field-based.

Regarding the requested change for the service name for port 35357,
the expert team does not recommend approval of the name change. It
is better to keep the current name 'openstack-id'.

IANA concludes that this request and the modification request (ticket
#585246) will be administratively resolved without prejudice.

If you have questions, please let us know.

Thank you,

Pearl Liang

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.