Keystone endpoint can not resolve DNS

Bug #1506594 reported by Alfred Shen
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Boris Bobrov

Bug Description

Keystone does not seem to be able to resolve DNS, if endpoints were configured with hostname instead of IP.

MariaDB [keystone]> select * from endpoint where url like '%500%' or '%3535%';;
+----------------------------------+----------------------------------+-----------+----------------------------------+--------------------------------------+-------+---------+-----------+
| id | legacy_endpoint_id | interface | service_id | url | extra | enabled | region_id |
+----------------------------------+----------------------------------+-----------+----------------------------------+--------------------------------------+-------+---------+-----------+
| 39cf5bb25fef4f01a1bc2b83f76ce8dd | 99c316ae7cbd449ebccfd6efe1c5d03c | admin | 439e97af7e4b43f9a3b0ee82e33751fe | http://vrrp01:35357/v2.0 | {} | 1 | RegionOne |
| 8a75236613354776b50b56c527fe3a75 | 99c316ae7cbd449ebccfd6efe1c5d03c | public | 439e97af7e4b43f9a3b0ee82e33751fe | http://vrrp01:5000/v2.0 | {} | 1 | RegionOne |
+----------------------------------+----------------------------------+-----------+----------------------------------+--------------------------------------+-------+---------+-----------+

root@ctl10:/var/log/apache2# keystone --debug user-list
DEBUG:keystoneclient.auth.identity.v2:Making authentication request to http://vrrp01:35357/v2.0/tokens
INFO:urllib3.connectionpool:Starting new HTTP connection (1): vrrp01
DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 1699
DEBUG:keystoneclient.session:REQ: curl -g -i -X GET http://vrrp01:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}cfd888a32a64ee77e42524a2c15cb4547ab9d534"
No connection adapters were found for ' http://vrrp01:35357/v2.0/users'

Change endpoints to use IPs and keystone works normally.

MariaDB [keystone]> select * from endpoint where url like '%500%' or '%3535%';
+----------------------------------+----------------------------------+-----------+----------------------------------+----------------------------+-------+---------+-----------+
| id | legacy_endpoint_id | interface | service_id | url | extra | enabled | region_id |
+----------------------------------+----------------------------------+-----------+----------------------------------+----------------------------+-------+---------+-----------+
| 8a75236613354776b50b56c527fe3a75 | 99c316ae7cbd449ebccfd6efe1c5d03c | public | 439e97af7e4b43f9a3b0ee82e33751fe | http://10.11.3.4:5000/v2.0 | {} | 1 | RegionOne |
| c4e486c0ebc241659f76c37b3917eaec | 99c316ae7cbd449ebccfd6efe1c5d03c | internal | 439e97af7e4b43f9a3b0ee82e33751fe | http://10.11.3.4:5000/v2.0 | {} | 1 | RegionOne |
+----------------------------------+----------------------------------+-----------+----------------------------------+----------------------------+-------+---------+-----------+

root@ctl10:/var/log/apache2# keystone --debug token-get
DEBUG:keystoneclient.auth.identity.v2:Making authentication request to http://vrrp01:35357/v2.0/tokens
INFO:urllib3.connectionpool:Starting new HTTP connection (1): vrrp01
DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 1699
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2015-10-15T19:36:25Z |
| id | 25789066641c4caf80be4173a96ae0b8 |
| tenant_id | 02f8e769e5e3430ca1e77582ba0d73e0 |
| user_id | 0815385ac2d044a6b524d8e05839b824 |

Boris Bobrov (bbobrov) wrote :

> ' http://vrrp01:35357/v2.0/users'

It seems that there is a space symbol in front of the url and it prevents the client from understanding the schema. You need to remove this space symbol.

David Stanek (dstanek) wrote :

We have intentionally avoided doing too much validation on the endpoint URLs for fear of rejecting good URLs. For this particular case I wouldn't be against making sure that the string doesn't have whitespace in it.

Boris Bobrov (bbobrov)
Changed in keystone:
assignee: nobody → Boris Bobrov (bbobrov)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/235906

Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/235906
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9dbc5ca16b3c359670d7c3073f3aef09088350cb
Submitter: Jenkins
Branch: master

commit 9dbc5ca16b3c359670d7c3073f3aef09088350cb
Author: Boris Bobrov <email address hidden>
Date: Fri Oct 16 16:03:29 2015 +0300

    Forbid non-stripped endpoint urls

    Endpoint urls should not start with a whitespace character.

    Change-Id: Ia8f998a0ca0e6249acbe23b1f8f1f894fae8123a
    Closes-Bug: 1506594
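
Added example, not part of the bug report or of the keystone change: a small audit for endpoint URLs that are already stored in non-stripped form, since a check on new input does not clean existing rows. `has_adapter` is a simplified model of the scheme-prefix match that python-requests uses to pick a transport adapter (the source of the "No connection adapters were found" message); the function names and the sample rows are constructed for illustration.

```python
# Prefixes an HTTP client mounts its transport adapters on (modelled on
# python-requests; this is an illustration, not the library's code).
ADAPTER_PREFIXES = ("http://", "https://")


def has_adapter(url):
    """True if the URL, exactly as stored, starts with a known scheme prefix."""
    return url.lower().startswith(ADAPTER_PREFIXES)


def url_problems(url):
    """Return the reasons an endpoint URL should be rejected (empty list if none)."""
    problems = []
    if url != url.strip():
        problems.append("leading or trailing whitespace")
    if not has_adapter(url):
        problems.append("no scheme prefix match as stored")
    return problems


def audit(rows):
    """Map endpoint id -> problems for every (id, url) row that fails a check."""
    findings = {}
    for endpoint_id, url in rows:
        problems = url_problems(url)
        if problems:
            findings[endpoint_id] = problems
    return findings


# Constructed sample rows (id, url); the ids are placeholders, not values from the bug.
SAMPLE_ROWS = [
    ("endpoint-a", " http://vrrp01:35357/v2.0"),     # leading space, as in the error
    ("endpoint-b", "http://vrrp01:5000/v2.0"),       # clean hostname URL
    ("endpoint-c", "http://10.11.3.4:5000/v2.0\n"),  # trailing newline
    ("endpoint-d", "HTTP://vrrp01:5000/v2.0"),       # scheme case does not matter
]

if __name__ == "__main__":
    for endpoint_id, problems in audit(SAMPLE_ROWS).items():
        print(endpoint_id, "->", ", ".join(problems))
```

A leading space defeats the prefix match while a trailing newline does not, so only the first kind surfaces as a client error; both are reported as non-stripped.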

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
importance: Undecided → Medium
milestone: none → mitaka-1
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 9.0.0.0b1

This issue was fixed in the openstack/keystone 9.0.0.0b1 development milestone.

Changed in keystone:
status: Fix Committed → Fix Released