If "include_service_catalog = False" is configured, the token validation can't be redirected to the correct keystone server in a multi-keystone-server scenario

Bug #1497251 reported by Chaoyi Huang
Affects: keystonemiddleware | Status: Expired | Importance: Wishlist | Assigned to: Unassigned

Bug Description

In a multi-site cloud scenario, a prototype has been done using Fernet tokens, with a Keystone server installed in each site; all these Keystone servers share the same DB cluster as the backend, so that they have the same data view.

After the patch https://review.openstack.org/#/c/216579 was merged, it's expected that the token validation request is routed to the local Keystone server by configuring region_name as the local region name in nova/cinder/glance's configuration.

But the token validation cannot be redirected to the correct local Keystone server if "include_service_catalog = False", although region_name is configured correctly.

https://<email address hidden>/msg62627.html

Tags: fernet
Dolph Mathews (dolph) wrote:

Why not distribute your Fernet keys to each region so that each "site" can validate each other's tokens? That was one of the design goals of Fernet.

summary: if " include_service_catalog = False" configure, the token validation
can't be redirected to correct keystone server in multi-keystone servers
- scanrio
+ scenario
Changed in keystonemiddleware:
status: New → Incomplete
importance: Undecided → Wishlist
tags: added: fernet
Chaoyi Huang (joehuang) wrote:

The Fernet keys have already been distributed to each region, but there is an issue: after I reported this bug https://bugs.launchpad.net/keystonemiddleware/+bug/1488347, Jamie proposed another solution, configuring region_name to select the endpoint for token validation.

But after Jamie's patch merged, if you don't configure include_service_catalog (its default value is True), then the token validation can be routed to the local Keystone server in the same "site"; but if include_service_catalog is set to False, the token validation will not be routed to the local Keystone server, and using region_name to filter the endpoint doesn't work.

Dolph Mathews (dolph) wrote:

The way I'm reading comment #2 feels like it's contradicting itself (I'm hung up on the "could" vs "will not"). If I'm following correctly (please correct me if I'm wrong):

1) When the service catalog is included, token validations are routed to the local keystone server.

2) When the service catalog is not included, token validations are routed... somewhere else.

Why is #2 bad when all regions share the same fernet keys and data backends? What fault occurs?

Chaoyi Huang (joehuang) wrote:

#2 is bad because the Fernet token validation will be done in another site (we want the token validation to happen locally, so that there is no need for inter-site validation traffic, and another site's failure will not affect local-site token validation; that's why the region_name configuration was introduced in https://review.openstack.org/#/c/216579, and the long mailing-list discussion: https://<email address hidden>/msg61656.html).

That also means the bug reported in https://bugs.launchpad.net/keystonemiddleware/+bug/1488347 is not solved completely. No matter whether "include_service_catalog" is configured or not, or is configured to "True" or "False", if we want the Fernet token to be validated locally, it should be done locally.

Dolph Mathews (dolph) wrote:

Okay, I just wanted to clarify that this is an optimization issue, and that you're not actually seeing a failure under normal circumstances. But, is identity_uri set in your configuration? I'm still not clear on which site is being used when include_service_catalog is False and region_name is set, nor why it's being chosen? How does it know of anything other than identity_uri in that case? (Do you have the same identity_uri configured in every region's auth_token middleware?)

Jamie: If include_service_catalog is False and region_name is set, should region_name be ignored in favor of using identity_uri?

Dolph Mathews (dolph) wrote:

I also don't see how this is specific to Fernet. Does the same behavior occur with UUID?

Chaoyi Huang (joehuang) wrote:

Hello, Dolph, please close the bug report.

I tried to verify it again after long travelling; this time it works, and I also traced into the source code: it returns the correct endpoint URL even if I configure "include_service_catalog = False" (region_name is correctly configured at the same time, and region_name is used to filter the endpoint). That means Jamie's patch works (https://review.openstack.org/#/c/216579).

I don't know why it didn't work last time; because I use docker containers to simulate the multi-site cloud (multi-OpenStack-instance) environment, it's difficult to debug.

Because the admin account is not affected by the "include_service_catalog" configuration when retrieving the endpoint information, the "region_name" filter can be used to get the correct endpoint URL for token validation. During the token validation request, "include_service_catalog" will be considered, and if it is set to "False", then no service catalog will be returned from the Keystone server after the token is validated.

The region_name filter works to get the correct endpoint URL for token validation in "url_for" in "service_catalog.py":

service_catalog.py:

    def url_for(self, attr=None, filter_value=None,
                service_type='identity', endpoint_type='publicURL',
                region_name=None, service_name=None):

        if not self.get_data():
            raise exceptions.EmptyCatalog(_('The service catalog is empty.'))

        # region_name narrows the candidates to the endpoints of one region,
        # so the local site's identity endpoint is the one chosen for
        # token validation.
        urls = self.get_urls(attr=attr,
                             filter_value=filter_value,
                             service_type=service_type,
                             endpoint_type=endpoint_type,
                             region_name=region_name,
                             service_name=service_name)

        # First matching endpoint wins; without a region filter this may be
        # any region's endpoint.
        try:
            return urls[0]
        except Exception:
            pass
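As an added illustration (not keystonemiddleware's or keystoneclient's own code), a small Python model of the endpoint selection discussed in this thread: a constructed two-site catalog, a hypothetical identity_endpoint() helper that filters by region the way url_for does, and a hypothetical downstream_headers() showing that include_service_catalog only decides whether the catalog is forwarded to the protected service, not which Keystone endpoint validates the token.

```python
import json

# Constructed sample catalog in Keystone v3 shape: two sites, each with its
# own identity endpoint, all sharing one DB backend as in the report above.
SAMPLE_CATALOG = [
    {
        "type": "identity",
        "name": "keystone",
        "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "https://keystone.site1.example/v3"},
            {"interface": "public", "region": "RegionTwo",
             "url": "https://keystone.site2.example/v3"},
        ],
    },
]


def identity_endpoint(catalog, region_name=None, interface="public"):
    """Pick the identity endpoint used for token validation.

    Hypothetical helper mirroring the filtering url_for performs in
    service_catalog.py. Without region_name the first matching endpoint
    wins, which in a multi-site deployment may belong to a remote site.
    """
    for service in catalog:
        if service.get("type") != "identity":
            continue
        for ep in service.get("endpoints", []):
            if ep.get("interface") != interface:
                continue
            if region_name and ep.get("region") != region_name:
                continue
            return ep["url"]
    return None  # no identity endpoint in the requested region


def downstream_headers(token, catalog, include_service_catalog):
    """Headers passed on to the protected service after validation.

    Hypothetical model of the middleware's behaviour: include_service_catalog
    only controls whether X-Service-Catalog is forwarded; it plays no part
    in choosing the validation endpoint above.
    """
    headers = {"X-Auth-Token": token}
    if include_service_catalog:
        headers["X-Service-Catalog"] = json.dumps(catalog)
    return headers
```

Running identity_endpoint(SAMPLE_CATALOG, region_name="RegionTwo") selects the site-2 URL, while omitting region_name falls back to the first endpoint listed, which is the cross-site validation the reporter wants to avoid.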

Launchpad Janitor (janitor) wrote:

[Expired for keystonemiddleware because there has been no activity for 60 days.]

Changed in keystonemiddleware:
status: Incomplete → Expired