Token verification should use internal endpoint instead of admin endpoint

Bug #1899266 reported by Takashi Kajinami
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
tripleo | Fix Released | Medium | Takashi Kajinami |

Bug Description

Until the default value of the interface parameter in keystonemiddleware was changed in Victoria[1], keystonemiddleware uses admin endpoint for token verification.

[1] https://github.com/openstack/keystonemiddleware/commit/8f9a596fffbb262481b32191a98b9169bc1618b1

In general we use internal endpoint for communication between components, so we should ensure that internal endpoint is used instead.

One more concern with using keystone admin endpoint is that outage of provisioning network can affect overcloud functionality because keystone admin endpoint is deployed on provisioning network by default.
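
A config audit for the condition described above, as an added example that is not part of the bug report or of the tripleo-heat-templates change. It reports which endpoint interface each service's `[keystone_authtoken]` section resolves to; the function names, file names and sample file contents are constructed for illustration.

```python
import configparser

# Constructed sample service configs (not taken from the bug report).
SAMPLES = {
    "nova.conf": "[keystone_authtoken]\nwww_authenticate_uri = http://192.0.2.10:5000\n",
    "heat.conf": "[DEFAULT]\ninterface = internal\n[keystone_authtoken]\ninterface = admin\n",
    "glance.conf": "[keystone_authtoken]\ninterface = Internal\n",
    "other.conf": "[DEFAULT]\ndebug = false\n",
}

def audit_authtoken_interface(text, pre_victoria=True):
    """Return (resolution, verdict) for one service config file.

    pre_victoria=True models a keystonemiddleware whose implicit default
    is still the admin endpoint, which is the situation the bug describes.
    """
    # default_section is renamed so that [DEFAULT] values are NOT inherited
    # by [keystone_authtoken]; option groups here are independent.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    parser.read_string(text)
    if not parser.has_section("keystone_authtoken"):
        return ("n/a", None)
    value = parser.get("keystone_authtoken", "interface", fallback=None)
    if value is None:
        # Option absent: the middleware's built-in default applies.
        source, effective = "implicit", ("admin" if pre_victoria else "internal")
    else:
        source, effective = "explicit", value.strip().lower()
    verdict = "ok" if effective == "internal" else "review"
    return (f"{source}-{effective}", verdict)

def audit_all(configs, pre_victoria=True):
    """Audit a {filename: text} mapping; return only files needing review."""
    results = {name: audit_authtoken_interface(text, pre_victoria)
               for name, text in configs.items()}
    return {name: res for name, res in results.items() if res[1] == "review"}

if __name__ == "__main__":
    for name, (resolution, _) in sorted(audit_all(SAMPLES).items()):
        print(f"{name}: token verification resolves to {resolution}")
```

The `implicit-admin` result is the case to look for on pre-Victoria deployments: nothing in the file mentions the admin endpoint, yet token verification depends on it.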

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/757295

Changed in tripleo:
assignee: nobody → Takashi Kajinami (kajinamit)
status: New → In Progress
Changed in tripleo:
importance: Undecided → Medium
milestone: none → victoria-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/757295
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=37548ddb40598d9aaece12edf7e0ce4514431e27
Submitter: Zuul
Branch: master

commit 37548ddb40598d9aaece12edf7e0ce4514431e27
Author: Takashi Kajinami <email address hidden>
Date: Sun Oct 11 00:51:06 2020 +0900

    Enforce internal api for token verification

    This change enforces the usage of internal api for token verification,
    so that internal requests to keystone uses internal endpoint instead
    of admin endpoint which is deployed on provisioning network by default.

    Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63
    Closes-Bug: #1899266

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/ussuri)
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/800020
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/a10dee72cf4e89588834919c4f19fefbfb8590c0
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit a10dee72cf4e89588834919c4f19fefbfb8590c0
Author: Takashi Kajinami <email address hidden>
Date: Sun Oct 11 00:51:06 2020 +0900

    Enforce internal api for token verification

    This change enforces the usage of internal api for token verification,
    so that internal requests to keystone uses internal endpoint instead
    of admin endpoint which is deployed on provisioning network by default.

    Conflicts:
            deployment/heat/heat-base-puppet.yaml
            deployment/nova/nova-api-container-puppet.yaml

    Change-Id: I8b5ac36ff1da46844d18fa73f835175e52719a63
    Closes-Bug: #1899266
    (cherry picked from commit 37548ddb40598d9aaece12edf7e0ce4514431e27)

tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 12.4.5

This issue was fixed in the openstack/tripleo-heat-templates 12.4.5 release.
