Nova-API uses Keystone's public endpoint for project id verification
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | Medium | jichenjc | |
| Pike | Fix Committed | Medium | jichenjc | |
Bug Description
I have set up a fresh HA deployment of OpenStack Pike on Ubuntu 16.04. I recognized in the logs that Nova fails during VM creation with the following exception:
2017-09-11 09:31:28.909 5604 ERROR nova.api.
Keystone's public endpoint should only be visible to external clients. All internal OpenStack services should use the internalURL for authentication purposes. I think my configuration is correct. The "auth_url" points to Keystone's internal URL, whereas "auth_uri" points to Keystone's public endpoint. I want to avoid https based communication for my internal cloud services.
$ openstack endpoint list | grep keystone
| 00a22bfee72141d
| 7178e534cb4e4c5
| f5ed3bba70274d7
################
nova.conf
################
...
[keystone_
auth_type = password
auth_uri = http://
auth_url = http://
memcached_servers = os-memcache:11211
password = novapass
project_domain_name = default
project_name = service
user_domain_name = default
username = nova
...
Can someone please have a look?
description: updated
summary:
- Nova-API sometimes uses Keystone's public endpoint
+ Nova-API uses Keystone's public endpoint for project id verification
description: updated
description: updated
Changed in nova:
assignee: nobody → jichenjc (jichenjc)
Changed in nova:
assignee: jichenjc (jichenjc) → Matt Riedemann (mriedem)
Changed in nova:
assignee: Matt Riedemann (mriedem) → jichenjc (jichenjc)
It took some time to narrow down the problem. The issue was introduced with the Pike release, where project id verification for flavor access and quota modification got added.
The problem is caused by class "nova/api/openstack/identity.py" (lines 37-42):

```python
...
resp = sess.get(
    '/projects/%s' % project_id,
    endpoint_filter={
        'service_type': 'identity',
        'version': (3, 0)
    },
    raise_exc=False)
...
```

Keystone's endpoint is retrieved from the service catalog without any configuration option for which interface to use. The session calls the method "get_endpoint(...)" of the authentication plugin "_ContextAuthPlugin" provided by "nova/context.py", which forwards the call to the method "url_for" of "keystoneauth/keystoneauth1/access/service_catalog.py", where the default value "public" for the "interface" parameter gets applied.
To solve this, we must add a configuration option and tell nova which interface to use for looking up the "identity" service type from the service catalog.
Is there really no other way possible to retrieve the endpoint of the identity service?
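As an added illustration (not code from nova or keystoneauth), a small model of the catalog lookup described in the comment above: it shows why the project-id check lands on the public HTTPS endpoint when nothing selects an interface, and what changes once an interface such as "internal" is supplied. The catalog, hostnames and project id are constructed sample values.

```python
# Added example, not code from nova or keystoneauth: a minimal model of a
# Keystone v3 service catalog and the interface-aware lookup that
# keystoneauth's ServiceCatalog.url_for() performs.  The catalog, hostnames
# and project id are constructed sample values.
from typing import Dict, List, Optional

# Constructed catalog shaped like the "catalog" block of a Keystone v3 token:
# the public interface is HTTPS, the internal one plain HTTP, as in the report.
SAMPLE_CATALOG: List[Dict] = [
    {
        "type": "identity",
        "name": "keystone",
        "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "https://os-public.example.com:5000/v3"},
            {"interface": "internal", "region": "RegionOne",
             "url": "http://os-internal.example.com:5000/v3"},
        ],
    },
]


class EndpointNotFound(Exception):
    """No catalog entry matches the requested service_type/interface."""


def url_for(catalog: List[Dict], service_type: str,
            interface: str = "public",
            region_name: Optional[str] = None) -> str:
    """Catalog lookup with keystoneauth's default of interface="public".
    This default is what nova's identity.py inherited when its
    endpoint_filter named only service_type and version."""
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("interface") != interface:
                continue
            if region_name and ep.get("region") != region_name:
                continue
            return ep["url"].rstrip("/")
    raise EndpointNotFound(f"{service_type}/{interface}")


def project_url(catalog: List[Dict], project_id: str,
                interface: Optional[str] = None) -> str:
    """URL that the project-id check would request.  interface=None models
    nova without the option (the public URL wins); "internal" models the
    configuration option the comment above asks for."""
    base = url_for(catalog, "identity", interface=interface or "public")
    return f"{base}/projects/{project_id}"
```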