Can't specify identity endpoint for token validation among several keystone servers in keystonemiddleware
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
keystonemiddleware | Fix Released | Medium | Unassigned |
Bug Description
Issue: Can't specify identity endpoint among several keystone servers in keystonemiddleware
A prototype was executed to verify that KeyStone fernet token can work in a multi-site OPNFV cloud (in OpenStack terms, multi-OpenStack regions): https:/
The requirement is "a user should, using a single authentication point be able to manage virtual resources spread over multiple OpenStack regions"
We have two regions: Kista and Solna, each one with KeyStone server installed, these two keystone servers will have MySql cluster as the backend, and the master MySql cluster in Kista, the slave MySql cluster in Solna which will be configured for async-replication from the Kista MySql cluster, therefore the data in KeyStone database.
root@51fa2177d5
+------
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+------
| 09977a67a5fd423
| 18389f1ff42640c
| 3bd662e362e24f4
| 425b14d499264aa
| 60a02a99078642d
| 712d42d06ade4fe
| 8000a62a8406437
| a7ec590712364e9
| b253565ee000417
| bf9d05de9be64f5
| d1cb2f7d7d59419
| eab9fbcb1297417
+------
Even though the glance in Solna is configured with the Solna KeyStone server for local fernet token validation, the token validation request was still routed to the Kista KeyStone; it doesn't work as expected.
The following doc describes the issue in detail: https:/
And this doc provides a patch to show how to make the configuration item take effect for local token validation: https:/
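The routing behaviour reported above can be reproduced with a small model. This is an added example, not code from the bug report or from keystonemiddleware. It assumes the validation endpoint is looked up in the service catalog instead of being taken from the service's local configuration. The catalog follows the Keystone v3 token catalog layout; the URLs and function names are constructed for illustration.

```python
# Simplified, hypothetical model of catalog-based endpoint lookup; URLs are constructed.
CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "admin", "region": "Kista", "url": "http://kista.example:35357/v3"},
        {"interface": "admin", "region": "Solna", "url": "http://solna.example:35357/v3"},
        {"interface": "public", "region": "Kista", "url": "http://kista.example:5000/v3"},
        {"interface": "public", "region": "Solna", "url": "http://solna.example:5000/v3"},
    ]},
    {"type": "image", "name": "glance", "endpoints": [
        {"interface": "public", "region": "Solna", "url": "http://solna.example:9292"},
    ]},
]


def candidate_endpoints(catalog, service_type, interface, region=None):
    """Return all catalog endpoints matching the filters, in catalog order."""
    matches = []
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("interface") != interface:
                continue
            if region is not None and ep.get("region") != region:
                continue
            matches.append(ep)
    return matches


def select_endpoint(catalog, service_type, interface, region=None):
    """Pick the first match; with no region filter this depends on catalog order."""
    matches = candidate_endpoints(catalog, service_type, interface, region)
    if not matches:
        raise LookupError(f"no {interface} {service_type} endpoint in region {region!r}")
    return matches[0]


def audit_local_validation(catalog, local_region, interface="admin"):
    """Report whether an unfiltered lookup would leave the service's own region."""
    unfiltered = select_endpoint(catalog, "identity", interface)
    pinned = select_endpoint(catalog, "identity", interface, local_region)
    return {
        "unfiltered_url": unfiltered["url"],
        "pinned_url": pinned["url"],
        "ambiguous": len(candidate_endpoints(catalog, "identity", interface)) > 1,
        "stays_local": unfiltered["region"] == local_region,
    }
```

Calling `audit_local_validation(CATALOG, "Solna")` shows the unfiltered lookup resolving to the Kista endpoint while the region-pinned lookup stays in Solna.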
Changed in keystonemiddleware: status: New → Confirmed
A related conversation is occurring on the mailing list [1]. It sounds like this is a regression with the introduction of auth plugins to keystonemiddleware (Jamie, correct me if I'm wrong), so you might want to try using an older version of keystonemiddleware as a workaround.
[1]: http://lists.openstack.org/pipermail/openstack-dev/2015-August/072521.html