Can't specify identity endpoint for token validation among several keystone servers in keystonemiddleware

Bug #1488347 reported by Chaoyi Huang
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
| keystonemiddleware | Fix Released | Medium | Unassigned | |

Bug Description

Issue: Can't specify identity endpoint among several keystone servers in keystonemiddleware

A prototype was executed to verify that Keystone Fernet tokens can work in a multi-site OPNFV cloud (in OpenStack terms, multi-OpenStack regions): https://etherpad.opnfv.org/p/multisite_identity_management.

The requirement is "a user should, using a single authentication point be able to manage virtual resources spread over multiple OpenStack regions".

We have two regions, Kista and Solna, each with a Keystone server installed. These two Keystone servers will have a MySQL cluster as the backend: the master MySQL cluster in Kista, and the slave MySQL cluster in Solna, which will be configured for async replication from the Kista MySQL cluster, therefore the data in Keystone database.

root@51fa2177d59d:~# openstack endpoint list
+----------------------------------+--------+--------------+--------------+---------+-----------+--------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+--------+--------------+--------------+---------+-----------+--------------------------+
| 09977a67a5fd4231bf54bfdbfc311b4e | Solna | keystone | identity | True | internal | http://172.17.0.98:5000 |
| 18389f1ff42640cf905351a7f9b8a6f7 | Kista | glance | image | True | internal | http://172.17.0.41:9292 |
| 3bd662e362e24f45a9db2b77ad0682bb | Solna | glance | image | True | internal | http://172.17.0.119:9292 |
| 425b14d499264aa1bad8170a99afce88 | Kista | keystone | identity | True | admin | http://172.17.0.36:35357 |
| 60a02a99078642d0974843323bbb8836 | Solna | glance | image | True | public | http://172.17.0.119:9292 |
| 712d42d06ade4fedb8820e6f6ed33574 | Kista | glance | image | True | public | http://172.17.0.41:9292 |
| 8000a62a8406437dad4759960bad837f | Kista | keystone | identity | True | public | http://172.17.0.36:5000 |
| a7ec590712364e9f876f0b82d1879a99 | Kista | keystone | identity | True | internal | http://172.17.0.36:5000 |
| b253565ee000417ab9b3d7ab3f4b4d48 | Solna | keystone | identity | True | admin | http://172.17.0.98:35357 |
| bf9d05de9be64f5bb886959eb6bb367d | Solna | glance | image | True | admin | http://172.17.0.119:9292 |
| d1cb2f7d7d594199909b14a0004f37fe | Kista | glance | image | True | admin | http://172.17.0.41:9292 |
| eab9fbcb129741728bc72f36b72e27e2 | Solna | keystone | identity | True | public | http://172.17.0.98:5000 |
+----------------------------------+--------+--------------+--------------+---------+-----------+--------------------------+

Even though the Glance in Solna is configured with the Solna Keystone server for local Fernet token validation, the token validation request was still routed to the Kista Keystone; it doesn't work as expected.

The following doc describes the issue in detail: https://docs.google.com/document/d/1pvYWQprRH3jnzX2j-zQwAErdPWg9zwkguSyLx1EBKas/edit

And this doc provides a patch to show how to make the configuration item take effect for local token validation: https://docs.google.com/document/d/1258g0VTC4wktevo2ymS7SaNhDeY8-S2QWY45them7ZM/edit#
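
A region-consistency check for the symptom described above, as an added example that is not part of the original report or of keystonemiddleware: it parses `openstack endpoint list` output (rows copied from the table above) and reports when the Keystone URL a service was observed contacting belongs to another region. The function names are hypothetical, and the observed URL is an input the operator supplies (for example from Keystone access logs).

```python
# Added example: rows are copied from the endpoint table in the bug description;
# function names are hypothetical and not part of keystonemiddleware.
from urllib.parse import urlsplit

ENDPOINT_TABLE = """\
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
| 09977a67a5fd4231bf54bfdbfc311b4e | Solna | keystone | identity | True | internal | http://172.17.0.98:5000 |
| 425b14d499264aa1bad8170a99afce88 | Kista | keystone | identity | True | admin | http://172.17.0.36:35357 |
| 3bd662e362e24f45a9db2b77ad0682bb | Solna | glance | image | True | internal | http://172.17.0.119:9292 |
| a7ec590712364e9f876f0b82d1879a99 | Kista | keystone | identity | True | internal | http://172.17.0.36:5000 |
| b253565ee000417ab9b3d7ab3f4b4d48 | Solna | keystone | identity | True | admin | http://172.17.0.98:35357 |
"""

def parse_endpoints(table):
    """Parse pipe-delimited rows into dicts keyed by header; '+---' borders are skipped."""
    rows = [[c.strip() for c in line.strip().strip("|").split("|")]
            for line in table.splitlines() if line.startswith("|")]
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]

def identity_region_of(url, endpoints):
    """Return the region whose identity endpoint matches url's host:port, else None."""
    target = urlsplit(url).netloc
    for ep in endpoints:
        if ep["Service Type"] == "identity" and urlsplit(ep["URL"]).netloc == target:
            return ep["Region"]
    return None

def check_validation_target(service_region, observed_url, endpoints):
    """Compare where validation requests actually went with the service's own region."""
    region = identity_region_of(observed_url, endpoints)
    if region is None:
        return "unknown identity endpoint: " + observed_url
    if region != service_region:
        return f"cross-region validation: {service_region} service -> {region} keystone"
    return "ok"

if __name__ == "__main__":
    eps = parse_endpoints(ENDPOINT_TABLE)
    # Constructed observation: Solna Glance seen validating against the Kista admin URL.
    print(check_validation_target("Solna", "http://172.17.0.36:35357/v3", eps))
```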

Dolph Mathews (dolph) wrote :

A related conversation is occurring on the mailing list [1]. It sounds like this is a regression with the introduction of auth plugins to keystonemiddleware (Jamie, correct me if I'm wrong), so you might want to try using an older version of keystonemiddleware as a workaround.

[1]: http://lists.openstack.org/pipermail/openstack-dev/2015-August/072521.html

affects: keystone → keystonemiddleware
Changed in keystonemiddleware:
importance: Undecided → Medium
Dolph Mathews (dolph)
Changed in keystonemiddleware:
status: New → Confirmed
Chaoyi Huang (joehuang) wrote :

Hello, please close this bug: Jamie's patch (https://review.openstack.org/#/c/216579) has merged, and I also verified/double-checked the impact of the configuration item "include_service_catalog" in https://bugs.launchpad.net/keystonemiddleware/+bug/1497251.

Steve Martinelli (stevemar) wrote :

bug originator says it's fixed, good enough for me

Changed in keystonemiddleware:
status: Confirmed → Fix Released