Keystone POST /tokens response does not contain all endpoints
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Invalid | Medium | Unassigned | |
Bug Description
This scenario occurs under the following conditions:
* A service of a given type (for example 'compute') is registered in keystone.
* There is more than 1 endpoint in keystone for the associated service's type for a given region. For example there are 2 different endpoints in keystone, both for the compute service of the 'compute' type and both in the region 'RegionOne'.
In the above scenario a response from the POST /tokens API only returns a single endpoint per service type (per region). So for example in the above scenario my endpoint catalog in the POST /tokens response would only include 1 'compute' service endpoint -- the other is not returned.
Note that in this scenario you can still use the admin API for GET /services -- this will return all endpoints regardless of if there are multiple endpoints for a single service.
See keystone.
To repro, use the SQL catalog driver:
* Define a service of type 'compute'
* Define 2 different endpoints which contain different urls but both endpoint definitions are for the service created in the previous step. Both of these endpoints should be defined using the same region.
* Use POST /tokens on keystone to authenticate.
* Inspect the response token.
==> You will see it only includes 1 endpoint definition for the 'compute' service.
Example from my system using MySQL backed catalog:
(1) My keystone.service table has the following service defined:
| d0912023a0304d5
(2) My keystone.endpoint table has the following endpoints associated with that service:
| d2299650573a46c
| 80d2546f347d41f
| 27aeb73ff319405
(3) A POST /tokens response to obtain an admin user scoped token contains the following endpoints for 'compute':
"endpoints":[
{
},
{
}
],
"type"
"name":"nova"
},
As shown in the JSON snippet below, only 1 of the RegionOne compute endpoints is in the token's catalog.
Additional Notes:
* I don't believe this scenario is valid using the templated driver as it appears the template format is not robust enough to allow you to define multiple endpoints per service. I could be wrong, but IMO something like SQL is more realistic anyway.
* There is a similar issue here if you try to define multiple services of the same type (for example 'compute') but each service having its own name and description. In this case you only get 1 of the services since the catalog is indexed by region/type and hence you get at most 1 service of a given type per region.
description: updated
Changed in keystone:
status: Incomplete → New
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: blueprint
Changed in keystone:
assignee: Henrique Truta (henrique-4) → nobody
In your templated catalog example, you're overriding the endpoints you just defined:
    # fake compute service for now to help novaclient tests work
    catalog.RegionOne.compute.publicURL = http://localhost:$(compute_port)s/v1.1/$(tenant_id)s
    catalog.RegionOne.compute.adminURL = http://localhost:$(compute_port)s/v1.1/$(tenant_id)s
    catalog.RegionOne.compute.internalURL = http://localhost:$(compute_port)s/v1.1/$(tenant_id)s
    catalog.RegionOne.compute.name = Compute Service

    # 2nd compute endpoint for bug repo
    catalog.RegionOne.compute.publicURL = http://localhost2:$(compute_port)s/v1.1/$(tenant_id)s
    catalog.RegionOne.compute.adminURL = http://localhost2:$(compute_port)s/v1.1/$(tenant_id)s
    catalog.RegionOne.compute.internalURL = http://localhost2:$(compute_port)s/v1.1/$(tenant_id)s
    catalog.RegionOne.compute.name = Compute Service
Change the second set to a different region and it should appear in the catalog:
    # 2nd compute endpoint for bug repo
    catalog.RegionTwo.compute.publicURL = http://localhost2:$(compute_port)s/v1.1/$(tenant_id)s
    catalog.RegionTwo.compute.adminURL = http://localhost2:$(compute_port)s/v1.1/$(tenant_id)s
    catalog.RegionTwo.compute.internalURL = http://localhost2:$(compute_port)s/v1.1/$(tenant_id)s
    catalog.RegionTwo.compute.name = Compute Service
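
An added example, not part of the original bug thread and not keystone's own code: a simplified model of a catalog keyed by region and service type, run over a constructed template, that reports which entries a later line silently replaced. The `parse_catalog` helper, the line-format regex and the sample URLs are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the templated catalog format quoted above.
SAMPLE = """\
# fake compute service
catalog.RegionOne.compute.publicURL = http://localhost:$(compute_port)s/v1.1/$(tenant_id)s
catalog.RegionOne.compute.adminURL = http://localhost:$(compute_port)s/v1.1/$(tenant_id)s
catalog.RegionOne.compute.name = Compute Service
# 2nd compute endpoint
catalog.RegionOne.compute.publicURL = http://localhost2:$(compute_port)s/v1.1/$(tenant_id)s
catalog.RegionOne.compute.adminURL = http://localhost2:$(compute_port)s/v1.1/$(tenant_id)s
catalog.RegionTwo.compute.publicURL = http://localhost3:$(compute_port)s/v1.1/$(tenant_id)s
"""

LINE = re.compile(r"^catalog\.([^.\s]+)\.([^.\s]+)\.([^.\s=]+)\s*=\s*(.*)$")

def parse_catalog(text):
    """Return (catalog, overrides).

    catalog[region][service_type][key] holds the last value seen, which is
    what a mapping keyed by region/type keeps. overrides lists every
    (line_no, region, service_type, key, old, new) where a later line
    replaced an earlier, different value.
    """
    catalog = defaultdict(lambda: defaultdict(dict))
    overrides = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"line {line_no}: not a catalog entry: {raw!r}")
        region, svc, key, value = m.groups()
        entry = catalog[region][svc]
        if key in entry and entry[key] != value:
            overrides.append((line_no, region, svc, key, entry[key], value))
        entry[key] = value
    return catalog, overrides

if __name__ == "__main__":
    cat, lost = parse_catalog(SAMPLE)
    for line_no, region, svc, key, old, new in lost:
        print(f"line {line_no}: {region}/{svc}.{key} replaces {old} with {new}")
```

Running a check like this over a template before deployment surfaces endpoints that clients will never see in their token catalog.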