[openstack-dev] [Keystone][Glance] keystonemiddleware & multiple keystone endpoints

Jamie Lennox jamielennox at redhat.com
Tue Aug 25 07:37:37 UTC 2015



----- Original Message -----
> From: "Hans Feldt" <hans.feldt at ericsson.com>
> To: openstack-dev at lists.openstack.org
> Sent: Thursday, August 20, 2015 10:40:28 PM
> Subject: [openstack-dev] [Keystone][Glance] keystonemiddleware & multiple	keystone endpoints
> 
> How do you configure/use keystonemiddleware for a specific identity endpoint
> among several?
> 
> In an OPNFV multi region prototype I have keystone endpoints per region. I
> would like
> keystonemiddleware (in context of glance-api) to use the local keystone for
> performing user token
> validation. Instead keystonemiddleware seems to use the first listed keystone
> endpoint in the
> service catalog (which could be wrong/non-optimal in most regions).
> 
> I found this closed, related bug:
> https://bugs.launchpad.net/python-keystoneclient/+bug/1147530

Hey, 

There's two points to this. 

* If you are using an auth plugin then you're right it will just pick the first endpoint. You can look at project specific endpoints[1] so that there is only one keystone endpoint returned for the services project. I've also just added a review for this feature[2].
* If you're not using an auth plugin (so the admin_X options) then keystone will always use the endpoint that is configured in the options (identity_uri).

Hope that helps,

Jamie


[1] https://github.com/openstack/keystone-specs/blob/master/specs/juno/endpoint-group-filter.rst
[2] https://review.openstack.org/#/c/216579

> Thanks,
> Hans
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 



More information about the OpenStack-dev mailing list