V3 version API through admin endpoint returns public_endpoint

Hi Yuki,

In most production cases - public_endpoint and admin_endpoint point to some load-balancer dedicated to internal or external traffic. The v3 API doesn't really have a need to be run on two separate ports since v3 will treat all requests the same, regardless of the port it received it on. This is unlike the v2.0 API, where the keystone application running on admin_endpoint was reserved for privileged use and the public_endpoint was not. So - if you were only using v3 in the deployment, a possible workaround would be to abstract https://ct-dmz-vip and http://ct-int-vip to a load balancer somewhere and set the following for your internal nodes:

[DEFAULT]
public_endpoint = https://ct-int-vip:5000
admin_endpoint = http://ct-int-vip:5000

As a result, the configuration for your external nodes would look like:

[DEFAULT]
public_endpoint = https://ct-dmz-vip:5000
admin_endpoint = http://ct-dmz-vip:5000

Hi Lance, thank you for the information.

I think it is a problem when using the OpenStack command-line clients.

I found that "openstack user list" command through admin endpoint uses v3 version API and uses the response body's URL(public endpoint) as follows:

###
$ export OS_AUTH_URL=http://ct-int-vip:25357/v3
$ openstack --insecure --debug user list
...
REQ: curl -g -i --insecure -X GET http://ct-int-vip:25357/v3 -H "Accept: application/json" -H "User-Agent: python-openstackclient keystoneauth1/2.4.1 python-requests/2.9.1 CPython/2.7.12"
Starting new HTTP connection (1): ct-int-vip
** "GET /v3 HTTP/1.1" 200 250 **
RESP: [200] Content-Length: 250 Vary: X-Auth-Token Server: Apache/2.4.18 (Ubuntu) Connection: close Date: Fri, 17 Feb 2017 02:57:05 GMT x-openstack-request-id: req-8d2b3dbe-8fe1-4a22-94f1-45d48de6b426 Content-Type: application/json X-Distribution: Ubuntu
RESP BODY: {"version": {"status": "stable", "updated": "2016-04-04T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.6", "links": [{"href": "https://ct-dmz-vip:5000/v3/", "rel": "self"}]}}
...
** Making authentication request to https://ct-dmz-vip:5000/v3/auth/tokens **
Starting new HTTPS connection (1): ct-dmz-vip
...
+----------------------------------+---------------------+
| ID | Name |
+----------------------------------+---------------------+
| 0ff8fe0ea0384268b75813f003f687dc | usrNeutron |
...
###

And, if I set public_endpoint to http://ct-int-vip:25357 (as admin endpoint), "openstack catalog list" command through public endpoint also uses v3 version API and uses the response body's URL(admin endpoint) as follows:

###
keystone.conf :
public_endpoint = http://ct-int-vip:25357
admin_endpoint = http://ct-int-vip:25357

$ export OS_AUTH_URL=https://ct-dmz-vip:5000/v3
$ openstack --insecure --debug catalog list
...
REQ: curl -g -i --insecure -X GET https://ct-dmz-vip:5000/v3 -H "Accept: application/json" -H "User-Agent: python-openstackclient keystoneauth1/2.4.1 python-requests/2.9.1 CPython/2.7.12"
Starting new HTTPS connection (1): ct-dmz-vip
...
*** "GET /v3 HTTP/1.1" 200 250 ***
RESP: [200] Content-Length: 250 Vary: X-Auth-Token Server: Apache/2.4.18 (Ubuntu) Connection: close Date: Fri, 17 Feb 2017 05:00:53 GMT x-openstack-request-id: req-4011d565-19e1-4782-a065-82527248b98e Content-Type: application/json X-Distribution: Ubuntu
RESP BODY: {"version": {"status": "stable", "updated": "2016-04-04T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.6", "links": [{"href": "http://ct-int-vip:25357/v3/", "rel": "self"}]}}
...
*** Making authentication request to http://ct-int-vip:25357/v3/auth/tokens ***
Starting new HTTP connection (1): ct-int-vip
...
+----------+--------------+-----------------------------------------------------------------------------+
| Name | Type | Endpoints |
+----------+--------------+-----------------------------------------------------------------------------+
| neutron | ne...

That's exactly what the design was behind the v2.0 API. The admin endpoint was dedicated to admin-like operation (i.e. user management) and the public endpoint was for authentication and validation (basic user needs).

The v3 API removes that complexity and it doesn't require admins to use a different service endpoint in order to do admin operations (authorization is enforced through RBAC and policy instead). Making v3 support the decoupled service behavior that v2.0 did is unnecessary since we collapsed the "admin" and "public" apis of v2.0 into a single application when the v3 API was introduced.

I do agree that we should advertise the proper endpoint used in the request though. But as far as v3 is concerned, there is no need to stand up separate endpoints for special operations.

Thank you, Lance.
I understood the v3 API behavior.
I hope the v3 API will use public_endpoint and admin_endpoint properly in the future.

With the removal of the v2.0 API, the url of the request is used in the response. If I unset both admin_endpoint and public_endpoint from keystone.conf and make requests to keystone, I see the url of the request being used instead of an override from configuration. The configuration options give me a way to override that if needed.

[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.]