Links always use public endpoint
Bug #1235340 reported by
Haneef Ali
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Won't Fix
|
Wishlist
|
Unassigned |
Bug Description
Link always uses public port. It should use the port based on the request.
e.g if the call is curl https:/
Changed in keystone: | |
status: | New → Triaged |
To post a comment you must log in.
It's actually using the public_endpoint configuration, which happens to consume the public_port value.
The public endpoint should always be accessible to any caller. In the case of v3, the port used doesn't matter, as the same exact same API capabilities are deployed on both :5000/v3/ and :35357/v3/ by default, and authorization is instead dictated by policy. In the long run, I don't see a need to have two distinct ports out of the box, although that should remain a deployment option that clients should be aware of.
What would make a more significant impact is if the caller accessed keystone on an internal interface (which is how "admin" should be deployed), and subsequently followed a link across a public interface unintentionally.
Leaving this as wishlist because we don't have a client intelligent enough to do this, yet.