[openstack-dev] [Keystone][Glance] keystonemiddleware & multiple keystone endpoints

joehuang joehuang at huawei.com
Sat Aug 29 01:53:03 UTC 2015


Hello, Jamie,

I hope I am wrong :) 

One comment for your patch.

using region name to filter the endpoint for the token validation may not work if "no-catalog" is configured in keystone server. "include_service_catalog = True	(BoolOpt) (Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header."


Best Regards
Chaoyi Huang ( Joe Huang )


-----Original Message-----
From: Jamie Lennox [mailto:jamielennox at redhat.com] 
Sent: Tuesday, August 25, 2015 3:38 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Keystone][Glance] keystonemiddleware & multiple keystone endpoints



----- Original Message -----
> From: "Hans Feldt" <hans.feldt at ericsson.com>
> To: openstack-dev at lists.openstack.org
> Sent: Thursday, August 20, 2015 10:40:28 PM
> Subject: [openstack-dev] [Keystone][Glance] keystonemiddleware & multiple	keystone endpoints
> 
> How do you configure/use keystonemiddleware for a specific identity 
> endpoint among several?
> 
> In an OPNFV multi region prototype I have keystone endpoints per 
> region. I would like keystonemiddleware (in context of glance-api) to 
> use the local keystone for performing user token validation. Instead 
> keystonemiddleware seems to use the first listed keystone endpoint in 
> the service catalog (which could be wrong/non-optimal in most 
> regions).
> 
> I found this closed, related bug:
> https://bugs.launchpad.net/python-keystoneclient/+bug/1147530

Hey, 

There's two points to this. 

* If you are using an auth plugin then you're right it will just pick the first endpoint. You can look at project specific endpoints[1] so that there is only one keystone endpoint returned for the services project. I've also just added a review for this feature[2].
* If you're not using an auth plugin (so the admin_X options) then keystone will always use the endpoint that is configured in the options (identity_uri).

Hope that helps,

Jamie


[1] https://github.com/openstack/keystone-specs/blob/master/specs/juno/endpoint-group-filter.rst
[2] https://review.openstack.org/#/c/216579

> Thanks,
> Hans
> 
> ______________________________________________________________________
> ____ OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: 
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



More information about the OpenStack-dev mailing list