[openstack-dev] [keystone][heat] Migration to keystone v3 API questions
Steven Hardy
shardy at redhat.com
Thu Jan 23 11:21:47 UTC 2014
Hi all,
I've recently been working on migrating the heat internal interfaces to use
the keystone v3 API exclusively[1].
This work has mostly been going well, but I've hit a couple of issues which
I wanted to discuss, so we agree the most appropriate workarounds:
1. keystoneclient v3 functionality not accessible when catalog contains a
v2 endppoint:
In my test environment my keystone endpoint looks like:
http://127.0.0.1:5000/v2.0
And I'd guess this is similar to the majority of real deployments atm?
So when creating a keystoneclient object I've been doing:
from keystoneclient.v3 import client as kc_v3
v3_endpoint = self.context.auth_url.replace('v2.0', 'v3')
client = kc_v3.Client(auth_url=v3_endpoint, ...
Which, assuming the keystone service has both v2 and v3 API's enabled
works, but any attempt to use v3 functionality fails with 404 because
keystoneclient falls back to using the v2.0 endpoint from the catalog.
So to work around this I do this:
client = kc_v3.Client(auth_url=v3_endpoint, endpoint=v3_endpoint, ...
client.authenticate()
Which results in the v3 features working OK.
So my questions are:
- Is this a reasonable workaround for production environments?
- What is the roadmap for moving keystone endpoints to be version agnostic?
- Is there work ongoing to make the client smarter in terms of figuring out
what URL to use (version negotiation or substituting the appropriate path
when we are in an environment with a legacy v2.0 endpoint..)
2. Client (CLI) support for v3 API
What is the status re porting keystoneclient to provide access to the v3
functionality on the CLI?
In particular, Heat is moving towards using domains to encapsulate the
in-instance users it creates[2], so administrators will require some way to
manage users in a non-default domain, e.g to get visibility of what Heat is
doing in that domain and debug in the event of any issues.
If anyone can provide any BP links or insight that would be much
appreciated!
Thanks,
Steve
[1] https://blueprints.launchpad.net/heat/+spec/keystone-v3-only
[2] https://wiki.openstack.org/wiki/Heat/Blueprints/InstanceUsers
More information about the OpenStack-dev
mailing list