Can't specify identity endpoint for token validation among several keystone servers in keystonemiddleware

Bug #1488347 reported by Chaoyi Huang on 2015-08-25
This bug affects 4 people
Affects: keystonemiddleware
Importance: Medium
Assigned to: Unassigned

Bug Description

Issue: Can't specify identity endpoint among several keystone servers in keystonemiddleware

A prototype was executed to verify that the Keystone Fernet token can work in a multi-site OPNFV cloud (in OpenStack terms, multi-OpenStack regions): https://etherpad.opnfv.org/p/multisite_identity_management.

The requirement is "a user should, using a single authentication point be able to manage virtual resources spread over multiple OpenStack regions".

We have two regions, Kista and Solna, each one with a Keystone server installed. These two Keystone servers will have a MySQL cluster as the backend, with the master MySQL cluster in Kista and the slave MySQL cluster in Solna, which will be configured for async replication from the Kista MySQL cluster, therefore the data in Keystone database.

root@51fa2177d59d:~# openstack endpoint list
+----------------------------------+--------+--------------+--------------+---------+-----------+--------------------------+
| ID                               | Region | Service Name | Service Type | Enabled | Interface | URL                      |
+----------------------------------+--------+--------------+--------------+---------+-----------+--------------------------+
| 09977a67a5fd4231bf54bfdbfc311b4e | Solna  | keystone     | identity     | True    | internal  | http://172.17.0.98:5000  |
| 18389f1ff42640cf905351a7f9b8a6f7 | Kista  | glance       | image        | True    | internal  | http://172.17.0.41:9292  |
| 3bd662e362e24f45a9db2b77ad0682bb | Solna  | glance       | image        | True    | internal  | http://172.17.0.119:9292 |
| 425b14d499264aa1bad8170a99afce88 | Kista  | keystone     | identity     | True    | admin     | http://172.17.0.36:35357 |
| 60a02a99078642d0974843323bbb8836 | Solna  | glance       | image        | True    | public    | http://172.17.0.119:9292 |
| 712d42d06ade4fedb8820e6f6ed33574 | Kista  | glance       | image        | True    | public    | http://172.17.0.41:9292  |
| 8000a62a8406437dad4759960bad837f | Kista  | keystone     | identity     | True    | public    | http://172.17.0.36:5000  |
| a7ec590712364e9f876f0b82d1879a99 | Kista  | keystone     | identity     | True    | internal  | http://172.17.0.36:5000  |
| b253565ee000417ab9b3d7ab3f4b4d48 | Solna  | keystone     | identity     | True    | admin     | http://172.17.0.98:35357 |
| bf9d05de9be64f5bb886959eb6bb367d | Solna  | glance       | image        | True    | admin     | http://172.17.0.119:9292 |
| d1cb2f7d7d594199909b14a0004f37fe | Kista  | glance       | image        | True    | admin     | http://172.17.0.41:9292  |
| eab9fbcb129741728bc72f36b72e27e2 | Solna  | keystone     | identity     | True    | public    | http://172.17.0.98:5000  |
+----------------------------------+--------+--------------+--------------+---------+-----------+--------------------------+

Even though the Glance in Solna is configured with the Solna Keystone server for local Fernet token validation, the token validation request was still routed to the Kista Keystone; it doesn't work as expected.

The following doc describes the issue in detail: https://docs.google.com/document/d/1pvYWQprRH3jnzX2j-zQwAErdPWg9zwkguSyLx1EBKas/edit

And this doc provides a patch to show how to make the configuration item take effect for local token validation: https://docs.google.com/document/d/1258g0VTC4wktevo2ymS7SaNhDeY8-S2QWY45them7ZM/edit#
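
An added example, not part of the bug report and not keystonemiddleware's code: it parses the identity rows of the `openstack endpoint list` output above and shows how an endpoint taken from the catalog without a region filter lands on Kista, while pinning the region yields the Solna server. The function names and the first-match selection are assumptions for illustration; the report does not show how keystonemiddleware picked the endpoint.

```python
# Identity rows copied from the `openstack endpoint list` output in the report.
ENDPOINT_LIST = """
| 09977a67a5fd4231bf54bfdbfc311b4e | Solna | keystone | identity | True | internal | http://172.17.0.98:5000 |
| 425b14d499264aa1bad8170a99afce88 | Kista | keystone | identity | True | admin | http://172.17.0.36:35357 |
| 8000a62a8406437dad4759960bad837f | Kista | keystone | identity | True | public | http://172.17.0.36:5000 |
| a7ec590712364e9f876f0b82d1879a99 | Kista | keystone | identity | True | internal | http://172.17.0.36:5000 |
| b253565ee000417ab9b3d7ab3f4b4d48 | Solna | keystone | identity | True | admin | http://172.17.0.98:35357 |
| eab9fbcb129741728bc72f36b72e27e2 | Solna | keystone | identity | True | public | http://172.17.0.98:5000 |
"""

FIELDS = ("id", "region", "name", "type", "enabled", "interface", "url")


def parse_endpoints(text):
    """Parse the CLI table into dicts, skipping border, header and blank lines."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == len(FIELDS) and cells[0] != "ID":
            rows.append(dict(zip(FIELDS, cells)))
    return rows


def candidates(rows, service_type, interface, region=None):
    """Enabled endpoints matching type and interface, optionally pinned to a region."""
    return [r for r in rows
            if r["type"] == service_type and r["interface"] == interface
            and r["enabled"] == "True" and region in (None, r["region"])]


def resolve(rows, service_type, interface, region=None):
    """Return the single matching URL; refuse to guess when several regions match."""
    found = candidates(rows, service_type, interface, region)
    if len(found) != 1:
        regions = sorted(r["region"] for r in found)
        raise LookupError(f"{len(found)} {service_type}/{interface} endpoints match: {regions}")
    return found[0]["url"]


def first_match(rows, service_type, interface):
    """Naive selection (hypothetical): take the first catalog entry, ignoring region."""
    return candidates(rows, service_type, interface)[0]["url"]


if __name__ == "__main__":
    rows = parse_endpoints(ENDPOINT_LIST)
    print("first match :", first_match(rows, "identity", "admin"))
    print("pinned Solna:", resolve(rows, "identity", "admin", region="Solna"))
```

Run against a deployment's own endpoint listing, `resolve` without a region raises as soon as two regions publish the same identity interface, which is the condition under which validation traffic can cross sites.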

Dolph Mathews (dolph) wrote :

A related conversation is occurring on the mailing list [1]. It sounds like this is a regression with the introduction of auth plugins to keystonemiddleware (Jamie, correct me if I'm wrong), so you might want to try using an older version of keystonemiddleware as a workaround.

[1]: http://lists.openstack.org/pipermail/openstack-dev/2015-August/072521.html

affects: keystone → keystonemiddleware
Changed in keystonemiddleware:
importance: Undecided → Medium
Dolph Mathews (dolph) on 2015-08-25
Changed in keystonemiddleware:
status: New → Confirmed
Chaoyi Huang (joehuang) wrote :

Hello, please close this bug, since Jamie's patch (https://review.openstack.org/#/c/216579) has merged, and I also verified/double-checked the impact of the configuration item "include_service_catalog" in https://bugs.launchpad.net/keystonemiddleware/+bug/1497251.

Steve Martinelli (stevemar) wrote :

bug originator says it's fixed, good enough for me

Changed in keystonemiddleware:
status: Confirmed → Fix Released