nothing works when only externalURL available

That's by design. The :35357/v2.0/ is assumed to be a deployer-only management API on a secure network. In a real deployment, you should not assume that end users on the public internet should be able to access it, for example.

Exactly the same when I trying to use port 5000:

from keystoneclient.v2_0 import client
USERNAME, PASSWORD, TENANT, AUTH_URL = 'rally', 'rally', 'rally', 'http://172.18.200.196:5000/v2.0'
keystone = client.Client(username=USERNAME, password=PASSWORD, tenant_name=TENANT, auth_url=AUTH_URL)
keystone.authenticate()
print keystone.tenants.list()

Traceback (most recent call last):
  File "/tmp/k.py", line 5, in <module>
    print keystone.tenants.list()
  File "/home/sskripnick/code/python-keystoneclient/keystoneclient/v2_0/tenants.py", line 118, in list
    tenant_list = self._list("/tenants%s" % query, "tenants")
  File "/home/sskripnick/code/python-keystoneclient/keystoneclient/base.py", line 106, in _list
    resp, body = self.client.get(url)
  File "/home/sskripnick/code/python-keystoneclient/keystoneclient/httpclient.py", line 590, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/home/sskripnick/code/python-keystoneclient/keystoneclient/httpclient.py", line 582, in _cs_request
    return self.request(url, method, **kwargs)
  File "/home/sskripnick/code/python-keystoneclient/keystoneclient/httpclient.py", line 564, in request
    resp = super(HTTPClient, self).request(url, method, **kwargs)
  File "/home/sskripnick/code/python-keystoneclient/keystoneclient/baseclient.py", line 21, in request
    return self.session.request(url, method, **kwargs)
  File "/home/sskripnick/code/python-keystoneclient/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/home/sskripnick/code/python-keystoneclient/keystoneclient/session.py", line 257, in request
    resp = self._send_request(url, method, redirect, **kwargs)
  File "/home/sskripnick/code/python-keystoneclient/keystoneclient/session.py", line 286, in _send_request
    raise exceptions.ConnectionRefused(msg)
keystoneclient.openstack.common.apiclient.exceptions.ConnectionRefused: Unable to establish connection to http://192.168.0.2:35357/v2.0/tenants

But all works fine when I add `endpoint' argument:

from keystoneclient.v2_0 import client
USERNAME, PASSWORD, TENANT, AUTH_URL = 'rally', 'rally', 'rally', 'http://172.18.200.196:5000/v2.0'
keystone = client.Client(username=USERNAME, password=PASSWORD, tenant_name=TENANT,
                         auth_url=AUTH_URL, endpoint=AUTH_URL)
keystone.authenticate()
print keystone.tenants.list()

With `endpoint' it works even with port 35357

What are you trying to accomplish with separate networks, if you're going to expose :35357 on both networks anyway?

Unless you should be calling a different client method (I can't recall if tenants.list() is overloaded somehow to call GET :5000/v2.0/tenants), the request in #2 looks like it should work - but I could be mistaken.

If it designed for not working from external net then why it is works when external `endpoint' is specified?

If it designed for working from external network then why it is trying to use internalURL/adminURL?

I can't find any documentation about `endpoint' and adminURL/internalURL/externalURL. Seems like this 3 urls are useless, and only one url can be used.

> If it designed for not working from external net then why it is works when external `endpoint' is specified?

See below - I'm assuming you mean "public" instead of "external" throughout this report, but some calls work on both interfaces (auth, etc), some calls work only one the public interface (see below), and the bulk of the API only works on the admin interface (but these are also the least frequently hit calls).

> If it designed for working from external network then why it is trying to use internalURL/adminURL?

It's trying to use the admin URL because you're trying to make an admin-only call. Most of the v2 API is non-public. The public API *does* support a GET :5000/v2.0/tenants call, but it's entirely different from the GET :35357/v2.0/tenants call, and may be exposed differently by the client library.

> I can't find any documentation about `endpoint' and adminURL/internalURL/externalURL. Seems like this 3 urls are useless, and only one url can be used.

There's actually not an "externalURL" defined anywhere - although that's an entirely appropriate name, it's defined by the specification as a "public" URL. The v3 API likely has the provides the definitions: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md

this is partly as designed and partly a very specific deployer issue. marking as invalid since there doesn't seem to be anything to fix here

HI:
   I have the same situation. But I hijack the connection. And it works!

cloud_cic_ip = None

def patched_new_conn(self):
    extra_kw = {}
    if self.source_address:
        extra_kw['source_address'] = self.source_address
    if self.socket_options:
        extra_kw['socket_options'] = self.socket_options
    try:
        if self.host == "192.168.0.2" and self.port == 35357:
            self.host = cloud_cic_ip
            self.port = 5000

        conn = connection.create_connection(
            (my_resolver(self.host), self.port), self.timeout, **extra_kw)
    except SocketTimeout as e:
        raise ConnectTimeoutError(
            self, "Connection to %s timed out. (connect timeout=%s)" %
                  (self.host, self.timeout))
    except SocketError as e:
        raise NewConnectionError(
            self, "Failed to establish a new connection: %s" % e)
    return conn

cloud_cic_ip = getCloudCICip()
requests.packages.urllib3.disable_warnings()
    requests.packages.urllib3.connection.HTTPConnection._new_conn = patched_new_conn
    sys.modules['requests'] = requests

and Now below code works well

keystone = client.Client(username=USERNAME, password=PASSWORD, tenant_name=TENANT, auth_url=AUTH_URL)
keystone.tenants.list()