If public_endpoint is set, the first call will be always public endpoint
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned |
Bug Description
I have set up a keystone service (Mitaka) on Ubuntu,
and it seems that the first call will always be to keystone's public api url,
when you have set "public_endpoint" in keystone.conf.
For example, when I do the following openstack commands, I always get the following error.
$ubuntu@client:~$ openstack token issue
Unable to establish connection to http://
The keystone's endpoints are like this:
public: http://
admin: http://
internal: http://
The openstack client is installed on a client node, which is separate from the keystone node,
and this client node has no network access to public api network.
So if accessing to public api, this is expected, but I have set the env variables like this,
ubuntu@client:~$ env | grep OS_
OS_USER_
OS_PROJECT_
OS_IDENTITY_
OS_PASSWORD=
OS_AUTH_URL=http://
OS_USERNAME=admin
OS_INTERFACE=admin
OS_PROJECT_
Therefore, my expectation is that api access goes only through admin url.
I have tried also with internal api url, but get the same error.
And of course if the client node has public api network access, the openstack client worked perfectly.
Also, if you just do not use the special path for api urls, so by not setting "public_api", it will also work perfectly.
According to this:
https:/
"public" string is given, and here:
https:/
the string is being combined with "_endpoint", which will become "public_endpoint",
and if the url is set, this public url will be the initial access.
I have attached some info,
- /etc/keystone/
- /etc/apache2/
- output with debug option
That configuration option acts as a hard-coded value for the public endpoint [0]. If left unset, the service will generate the endpoint from the request environment [1]. Try unsetting public_endpoint if you can and see if that helps your internal clients. External clients using the public endpoint should have the same experience since they are using port 5000 for requests.
Let me know if that helps.
[0] https://github.com/openstack/keystone/blob/025e844fc485c23be1de033473f3cadd7486b642/keystone/conf/default.py#L43-L49
[1] https://github.com/openstack/keystone/blob/025e844fc485c23be1de033473f3cadd7486b642/keystone/common/wsgi.py#L330-L337
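
Added example (not part of the report or the reply, and not keystone's own code): a simplified Python model of the behaviour the reply describes, where a set `public_endpoint` is returned regardless of which listener the request arrived on, and an unset one is derived from the request environment. Host names, the admin port 35357 and every function name are constructed for illustration, and the model assumes the client follows whatever URL the service advertises.

```python
from urllib.parse import urlsplit
from wsgiref.util import application_uri

# Constructed sample values; none of these hosts come from the report.
PUBLIC_URL = "http://keystone-public.example:5000"
ADMIN_HOST = "keystone-admin.example"
# The client node has no route to the public API network.
CLIENT_REACHABLE_HOSTS = {ADMIN_HOST}


def resolve_base_url(conf, environ, endpoint_type="public"):
    """Model: '<type>_endpoint' wins when set, else derive from the request."""
    configured = conf.get(endpoint_type + "_endpoint")
    if configured:
        # Hard-coded value: identical for every caller on every network.
        return configured.rstrip("/")
    # Unset: rebuild the URL from the WSGI environ of this request.
    return application_uri(environ).rstrip("/")


def admin_request_environ():
    """Minimal WSGI environ for a request that arrived on the admin listener."""
    return {
        "wsgi.url_scheme": "http",
        "HTTP_HOST": ADMIN_HOST + ":35357",
        "SERVER_NAME": ADMIN_HOST,
        "SERVER_PORT": "35357",
        "SCRIPT_NAME": "",
    }


def client_can_follow(url, reachable=CLIENT_REACHABLE_HOSTS):
    """True if the advertised URL points at a host the client can reach."""
    return urlsplit(url).hostname in reachable


def simulate(conf):
    """Return (advertised URL, whether the isolated client can reach it)."""
    advertised = resolve_base_url(conf, admin_request_environ())
    return advertised, client_can_follow(advertised)


if __name__ == "__main__":
    cases = (("public_endpoint set", {"public_endpoint": PUBLIC_URL}),
             ("public_endpoint unset", {}))
    for label, conf in cases:
        url, ok = simulate(conf)
        print(f"{label:22} advertised={url} reachable_from_client={ok}")
```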