V3 version API through admin endpoint returns public_endpoint
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Expired | Medium | Unassigned |
Bug Description
I use the following keystone.conf:
・・・
public_endpoint = https:/
admin_endpoint = http://
・・・
The v3 version API (GET /v3) through "public" endpoint returns response body with public_
###
curl -X GET -k https:/
{"version": {"status": "stable", "updated": "2016-04-
###
And, the v3 version API (GET /v3) through "admin" endpoint also returns response body with public_
###
curl -X GET http://
{"version": {"status": "stable", "updated": "2016-04-
###
On the other hand, the v2 version API (GET /v2.0) through "public" endpoint returns response body with public_
###
curl -X GET -k https:/
{"version": {"status": "stable", "updated": "2014-04-
###
And, the v2 version API (GET /v2.0) through "admin" endpoint returns response body with admin_endpoint(
###
curl -X GET http://
{"version": {"status": "stable", "updated": "2014-04-
###
It would be better if the v3 version API through the "admin" endpoint returned admin_endpoint, like the v2 version API.
I think that it is caused by the following source code:
def v3_app_
・・・
sub_
return wsgi.ComposingR
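A check for the behaviour reported above, as an added example that is not part of the original report or of keystone's code: it compares the origin of each `self` link in a version document with the endpoint the request was sent to. The host names, ports and response bodies are constructed samples, and the `links`/`rel`/`href` layout is assumed from keystone's version document format, since the responses on this page are truncated.

```python
import json
from urllib.parse import urlsplit

# Constructed placeholders, not the endpoints from the report.
PUBLIC = "https://public.example.test:5000"
ADMIN = "http://admin.example.test:35357"


def _doc(base, path):
    """Build a constructed version document advertising base+path as 'self'."""
    links = [{"rel": "self", "href": base + path},
             {"rel": "describedby", "href": "https://docs.example.test/"}]
    return json.dumps({"version": {"status": "stable", "links": links}})


# (endpoint the request was sent to, path, response body)
SAMPLES = [
    (PUBLIC, "/v3/", _doc(PUBLIC, "/v3/")),
    (ADMIN, "/v3/", _doc(PUBLIC, "/v3/")),      # the behaviour reported
    (PUBLIC, "/v2.0/", _doc(PUBLIC, "/v2.0/")),
    (ADMIN, "/v2.0/", _doc(ADMIN, "/v2.0/")),
]


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def self_links(body):
    """Extract the 'self' hrefs from a version document."""
    version = json.loads(body).get("version", {})
    return [link["href"] for link in version.get("links", [])
            if link.get("rel") == "self" and "href" in link]


def check(requested_base, body):
    """Return the self hrefs whose origin differs from the endpoint queried."""
    want = origin(requested_base)
    return [href for href in self_links(body) if origin(href) != want]


def audit(samples):
    """Return (requested URL, advertised URL) for every mismatch."""
    return [(base + path, href)
            for base, path, body in samples
            for href in check(base, body)]


if __name__ == "__main__":
    for asked, advertised in audit(SAMPLES):
        print(f"MISMATCH: asked {asked} -> advertised {advertised}")
```
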
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Hi Yuki,
In most production cases - public_endpoint and admin_endpoint point to some load-balancer dedicated to internal or external traffic. The v3 API doesn't really have a need to be run on two separate ports since v3 will treat all requests the same, regardless of the port it received it on. This is unlike the v2.0 API, where the keystone application running on admin_endpoint was reserved for privileged use and the public_endpoint was not. So - if you were only using v3 in the deployment, a possible workaround would be to abstract https://ct-dmz-vip and http://ct-int-vip to a load balancer somewhere and set the following for your internal nodes:
[DEFAULT]
public_endpoint = https://ct-int-vip:5000
admin_endpoint = http://ct-int-vip:5000
As a result, the configuration for your external nodes would look like:
[DEFAULT]
public_endpoint = https://ct-dmz-vip:5000
admin_endpoint = http://ct-dmz-vip:5000