Inconsistent api-paste.ini settings

Bug #1248001 reported by Ian Pilcher
This bug affects 3 people
Affects: openstack-manuals
Status: Fix Released
Importance: Critical
Assigned to: Matt Kassawara

Bug Description

Step 6 of "Configure a Compute Node" says:

Copy the file /etc/nova/api-paste.ini from the controller node, or edit the file to add the credentials in the [filter:authtoken] section.

  [filter:authtoken]
  paste.filter_factory=keystoneclient.middleware.auth_token:filter_factory
  auth_host=controller
  auth_port = 35357
  auth_protocol = http
  admin_user=nova
  admin_tenant_name=service
  admin_password=NOVA_PASS

However, step 7 of "Install the Nova Controller Services" in the previous section gives these settings:

  [filter:authtoken]
  paste.filter_factory=keystoneclient.middleware.auth_token:filter_factory
  auth_host=controller
  auth_uri=http://controller:5000
  admin_tenant_name=service
  admin_user=nova
  admin_password=NOVA_PASS

It's pretty straightforward to see how auth_protocol, auth_host, and auth_port are combined into auth_uri, but the difference in ports is confusing at the very least.

-----------------------------------
Built: 2013-11-04T20:43:26 00:00
git SHA: 0a4075f47609a779c56e365598f22fc8b9497b75
URL: http://docs.openstack.org/havana/install-guide/install/yum/content/nova-compute.html
source File: file:/home/jenkins/workspace/openstack-install-deploy-guide-fedora/doc/install-guide/section_nova-compute.xml
xml:id: nova-compute

Andreas Jaeger (jaegerandi) wrote :

Note, there are two places where auth_uri is used with port 5000, we should double check both:

section_neutron-install.xml:auth_uri=http://<replaceable>controller</replaceable>:5000
section_nova-controller.xml:auth_uri=http://<replaceable>controller</replaceable>:5000

Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Critical
tags: added: install-guide
Matt Kassawara (ionosphere80) wrote :

I'm trying different combinations of directives and ports in Nova api-paste.ini on my controller. Apparently auth_uri cannot replace auth_host/auth_protocol/auth_port. For example, disabling auth_host/auth_protocol/auth_port and enabling auth_uri with either http://controller:5000 or http://controller:35357 results in the following warnings/errors in nova-api.log when executing "nova image-list":

2013-11-11 17:36:12.502 7195 WARNING keystoneclient.middleware.auth_token [-] Retrying on HTTP connection exception: [Errno 1] _ssl.c:504: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2013-11-11 17:36:13.005 7195 WARNING keystoneclient.middleware.auth_token [-] Retrying on HTTP connection exception: [Errno 1] _ssl.c:504: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2013-11-11 17:36:14.008 7195 WARNING keystoneclient.middleware.auth_token [-] Retrying on HTTP connection exception: [Errno 1] _ssl.c:504: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2013-11-11 17:36:16.012 7195 ERROR keystoneclient.middleware.auth_token [-] HTTP connection exception: [Errno 1] _ssl.c:504: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2013-11-11 17:36:16.013 7195 WARNING keystoneclient.middleware.auth_token [-] Authorization failed for token [removed for brevity]
2013-11-11 17:36:16.014 7195 INFO keystoneclient.middleware.auth_token [-] Invalid user token - rejecting request
2013-11-11 17:36:16.023 7195 INFO nova.osapi_compute.wsgi.server [-] 172.24.247.52 "GET /v2/3b1bd021c8b842de946b3b9d9e7a3f20/images/detail HTTP/1.1" status: 401 len: 194 time: 3.5288041

Enabling auth_host/auth_protocol/auth_port, setting auth_port to 5000 or 35357, and disabling auth_uri results in the expected output when executing "nova image-list":

+--------------------------------------+---------------------+--------+--------+
| ID                                   | Name                | Status | Server |
+--------------------------------------+---------------------+--------+--------+
| 54cb10c9-c5d1-47fc-a1de-4f8d04efa6cf | cirros-0.3.1-x86_64 | ACTIVE |        |
+--------------------------------------+---------------------+--------+--------+

However, the following warning appears in nova-api.log:

2013-11-11 17:45:53.316 7365 WARNING keystoneclient.middleware.auth_token [-] Configuring auth_uri to point to the public identity endpoint is required; clients may not be able to authenticate against an admin endpoint

Keeping auth_host/auth_protocol/auth_port enabled and enabling auth_uri with either http://controller:5000 or http://controller:35357 also results in the expected output when executing "nova image-list", but lacks the above warning in nova-api.log.
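
An added example, not part of the original comment or of the OpenStack documentation: a small Python check that parses the two [filter:authtoken] sections quoted in the bug description and labels each with the outcome reported in the comment above. The helper names (authtoken, classify, drift) and the finding strings are hypothetical; the admin-port finding follows the wording of the logged warning, although the comment reports no warning in the log when both forms are set.

```python
import configparser
from urllib.parse import urlsplit

# Constructed inputs: the two [filter:authtoken] sections quoted in the bug description.
COMPUTE = """[filter:authtoken]
paste.filter_factory=keystoneclient.middleware.auth_token:filter_factory
auth_host=controller
auth_port = 35357
auth_protocol = http
admin_user=nova
admin_tenant_name=service
admin_password=NOVA_PASS
"""
CONTROLLER = """[filter:authtoken]
paste.filter_factory=keystoneclient.middleware.auth_token:filter_factory
auth_host=controller
auth_uri=http://controller:5000
admin_tenant_name=service
admin_user=nova
admin_password=NOVA_PASS
"""
TRIO = ("auth_host", "auth_port", "auth_protocol")

def authtoken(text):
    """Return the [filter:authtoken] options of an api-paste.ini as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["filter:authtoken"])

def classify(opts):
    """Findings named after the outcomes reported in the comment above."""
    findings = []
    missing = [k for k in TRIO if k not in opts]
    if missing:  # auth_uri alone did not replace these: SSL errors, then 401
        findings.append("incomplete-admin-endpoint:" + ",".join(missing))
    if "auth_uri" not in opts:  # request works, middleware logs a warning
        findings.append("missing-auth_uri")
    elif str(urlsplit(opts["auth_uri"]).port) == opts.get("auth_port"):
        # the logged warning asks for the public endpoint, not the admin one
        findings.append("auth_uri-uses-admin-port")
    return findings

def drift(a, b):
    """Option names whose presence or value differs between two nodes."""
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

if __name__ == "__main__":
    compute, controller = authtoken(COMPUTE), authtoken(CONTROLLER)
    print(classify(compute), classify(controller), drift(compute, controller))
```
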

Changed in openstack-manuals:
assignee: nobody → chandankumar (chandankumar-093047)
assignee: chandankumar (chandankumar-093047) → nobody
Igor D.C. (igordcard) wrote :

So, in the second configuration you presented, with the warning, does nova-api behave as expected afterwards? If so, the actual nova-api (and other services that share the same problem) should get a fix to prevent this warning from being thrown out. In other words, all main OpenStack projects should clarify this configuration aspect and opt for one way or the other (or maybe both, but not simultaneously, and without errors or warnings). Is there already any bug report on this?

Changed in openstack-manuals:
assignee: nobody → Matt Kassawara (ionosphere80)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/63308

Tom Fifield (fifieldt)
Changed in openstack-manuals:
milestone: none → havana
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/63357

Changed in openstack-manuals:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/63308
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=56ef4d3085f6be34c0e1bb0a2b62f18bcc9f562f
Submitter: Jenkins
Branch: master

commit 56ef4d3085f6be34c0e1bb0a2b62f18bcc9f562f
Author: Matt Kassawara <email address hidden>
Date: Thu Dec 19 21:29:16 2013 -0700

    Clarified directives in Nova api-paste.ini

    Clarified directives in Nova api-paste.ini for controller and compute
    nodes based on a working configuration. Also cleaned up some
    formatting issues.

    Change-Id: I60408caff40934de85502b845627ddb2ebe83a27
    Closes-Bug: #1248001

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (stable/havana)

Reviewed: https://review.openstack.org/63357
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=6852113145e485452dffb0338b9d2337b97deb15
Submitter: Jenkins
Branch: stable/havana

commit 6852113145e485452dffb0338b9d2337b97deb15
Author: Matt Kassawara <email address hidden>
Date: Thu Dec 19 21:29:16 2013 -0700

    Clarified directives in Nova api-paste.ini

    Clarified directives in Nova api-paste.ini for controller and compute
    nodes based on a working configuration. Also cleaned up some
    formatting issues.

    Change-Id: I60408caff40934de85502b845627ddb2ebe83a27
    Closes-Bug: #1248001
    (cherry picked from commit 56ef4d3085f6be34c0e1bb0a2b62f18bcc9f562f)

tags: added: in-stable-havana
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-manuals 15.0.0

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.
