Comment 1 for bug 1716344

It took some time to narrow down the problem. The issue was introduced with the Pike release, where project id verification for flavor access and quota modification got added.

The problem is caused by class "nova/api/openstack/identity.py" (line 37-42):
...
resp = sess.get('/projects/%s' % project_id,
                endpoint_filter={
                    'service_type': 'identity',
                    'version': (3, 0)
                },
                raise_exc=False)
...
Keystone's endpoint is retrieved from the service catalog without any configuration option which interface to use. The session calls the method "get_endpoint(...)" of the authentication plugin "_ContextAuthPlugin" provided by "nova/context.py" which forwards the call to the method "url_for" of "keystoneauth/keystoneauth1/access/service_catalog.py" where the default value "public" for the "interface" parameter gets applied.

To solve this, we must add a configuration option and tell nova which interface to use for looking up the "identity" service type from the service catalog.

Is there really no other way possible to retrieve the endpoint of the identity service?