[openstack-dev] [Keystone][Glance] keystonemiddleware & multiple keystone endpoints

Hans Feldt hans.feldt at ericsson.com
Tue Aug 25 09:06:13 UTC 2015 


On 2015-08-25 09:37, Jamie Lennox wrote:
>
>
> ----- Original Message -----
>> From: "Hans Feldt" <hans.feldt at ericsson.com>
>> To: openstack-dev at lists.openstack.org
>> Sent: Thursday, August 20, 2015 10:40:28 PM
>> Subject: [openstack-dev] [Keystone][Glance] keystonemiddleware & multiple	keystone endpoints
>>
>> How do you configure/use keystonemiddleware for a specific identity endpoint
>> among several?
>>
>> In an OPNFV multi region prototype I have keystone endpoints per region. I
>> would like
>> keystonemiddleware (in context of glance-api) to use the local keystone for
>> performing user token
>> validation. Instead keystonemiddleware seems to use the first listed keystone
>> endpoint in the
>> service catalog (which could be wrong/non-optimal in most regions).
>>
>> I found this closed, related bug:
>> https://bugs.launchpad.net/python-keystoneclient/+bug/1147530
>
> Hey,
>
> There's two points to this.
>
> * If you are using an auth plugin then you're right it will just pick the first endpoint. You can look at project specific endpoints[1] so that there is only one keystone endpoint returned for the services project. I've also just added a review for this feature[2].

I am not.

> * If you're not using an auth plugin (so the admin_X options) then keystone will always use the endpoint that is configured in the options (identity_uri).

Yes for getting its own admin/service token. But for later user token validation it seems to pick 
the first identity service in the stored (?) service catalog.

By patching keystonemiddleware, _create_identity_server and the call to Adapter constructor with an 
endpoint_override parameter I can get it to use the local keystone for token validation. I am 
looking for an official way of achieving the same.

Thanks,
Hans

>
> Hope that helps,
>
> Jamie
>
>
> [1] https://github.com/openstack/keystone-specs/blob/master/specs/juno/endpoint-group-filter.rst
> [2] https://review.openstack.org/#/c/216579
>
>> Thanks,
>> Hans
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>

More information about the OpenStack-dev mailing list