auth_token seems to ignore settings for auth_url and use catalog endpoint for keystone
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
keystoneauth | Opinion | Undecided | Unassigned | |
Bug Description
Just upgraded to mitaka and we've found that, e.g., in glance we configure auth_token like:
[keystone_
auth_url = http://
auth_uri = http://
(I've also tried adding /v3 on the end of these urls too)
But for some things auth_token seems to be trying to hit the endpoint that is in the catalog. The one I've caught is for downloading the revocation list.
The request ends up working but it takes ages because in our environment this host can't communicate to keystone via the endpoint in the auth catalog.
In the logs I see
WARNING keystoneauth.
(also seems to use a v2.0 endpoint which we are trying to get rid of)
This worked in liberty but seems to have changed in mitaka.
versions
keystonemiddlew
keystoneauth1=
python-
Looks like this is related to keystoneauth [0] and not keystonemiddleware. So, just for clarification, your keystone endpoint in the catalog is not accessible from where the other services are. Instead the other services, specifically keystonemiddleware, must use some internal URL (http://127.0.0.1:5000 and http://127.0.0.1:35357 in your example) because they are not allowed to reach out to other services?
[0] https://github.com/openstack/keystoneauth/blob/b6f8648177f55423e76574db74dc511b0f89702d/keystoneauth1/identity/base.py#L231-L241
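
An added example (not from the bug report and not keystoneauth code): a check an operator could run to see which identity endpoints in the catalog point somewhere other than the configured auth_url, or still end in v2.0. The catalog is a constructed sample in the Keystone v3 token response layout; `audit_identity_endpoints` and the example.org hosts are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the "catalog" list from a Keystone v3 token response.
SAMPLE_CATALOG = json.loads("""
[
  {"type": "identity", "name": "keystone", "endpoints": [
    {"interface": "public",   "url": "https://keystone.example.org:5000/v2.0"},
    {"interface": "internal", "url": "http://127.0.0.1:5000/v3"},
    {"interface": "admin",    "url": "https://keystone.example.org:35357/v2.0"}
  ]},
  {"type": "image", "name": "glance", "endpoints": [
    {"interface": "public", "url": "https://glance.example.org:9292"}
  ]}
]
""")


def _origin(url):
    """Return (host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.hostname, port)


def audit_identity_endpoints(catalog, auth_url):
    """Return (interface, url, reasons) for identity endpoints worth a look."""
    configured = _origin(auth_url)
    findings = []
    for service in catalog:
        if service.get("type") != "identity":
            continue  # only the identity service matters for auth_token
        for ep in service.get("endpoints", []):
            reasons = []
            if _origin(ep["url"]) != configured:
                reasons.append("different host/port than auth_url")
            if urlsplit(ep["url"]).path.rstrip("/").endswith("/v2.0"):
                reasons.append("v2.0 endpoint")
            if reasons:
                findings.append((ep["interface"], ep["url"], reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_identity_endpoints(SAMPLE_CATALOG, "http://127.0.0.1:5000"):
        print(finding)
```

Any endpoint it reports is one a client resolving the identity service through the catalog could be sent to instead of the configured auth_url, so it needs to be reachable from the service host or corrected in the catalog.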