<div dir="ltr">This is the expected, although security conservative approach to admin endpoints in fuel, it does pretty much block all actions in keystone other than auth from outside the cluster. It pre-dates me, and fuel 3.0.1; my understanding of the intent here is that we don't want a compromise to result in all kinds of accounts being created.<br></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jul 9, 2015 at 3:35 PM Stanislaw Bogatkin &lt;<a href="mailto:sbogatkin@mirantis.com">sbogatkin@mirantis.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Daniel,<div><br></div><div>The answer is no - actually there is no strong dependency between public and internal/admin endpoints. In your case the keystone client asks keystone at address <span style="font-size:12.8000001907349px">10.52.71.39 (which, I think, was provided by the system variable OS_AUTH_URL), authenticates against it, and then keystone gives the endpoint list to the client. The client selected the admin endpoint from this list (address 192.168.20.3) and tried to get the information you asked for. 
It's normal behavior.</span></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><span style="font-size:12.8000001907349px">So, in Fuel by default we have 3 different endpoints for keystone - public on public VIP, port 5000; internal on management VIP, port 5000; admin on management VIP, port 35357.</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 9, 2015 at 4:59 PM, Daniel Comnea <span dir="ltr">&lt;<a href="mailto:comnea.dani@gmail.com" target="_blank">comnea.dani@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi,<br><br></div>I'm running Fuel 6.1 and I've seen an interesting behavior which I think matches bug [1]<br><br></div>Basically the adminUrl &amp; publicUrl parts of the keystone endpoint are different<br><br></div>And the result of that is that you can't run the keystone cli - i.e. create/list tenants etc<br><br>keystone --debug tenant-list<br>/usr/local/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. 
For a Python library, continue using python-keystoneclient.<br>  'python-keystoneclient.', DeprecationWarning)<br>DEBUG:keystoneclient.auth.identity.v2:Making authentication request to <a href="http://10.20.71.39:5000/v2.0/tokens" target="_blank">http://10.20.71.39:5000/v2.0/tokens</a><br>INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 10.52.71.39<br>DEBUG:requests.packages.urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 3709<br>DEBUG:keystoneclient.session:REQ: curl -g -i -X GET <a href="http://192.168.20.3:35357/v2.0/tenants" target="_blank">http://192.168.20.3:35357/v2.0/tenants</a> -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}cc918b89c2dca563edda43e01964b1f1979c552b"<br><br><div>Shouldn't adminURL = publicURL = br-ex for keystone?<br></div><div><br><br></div><div>Dani<br></div><br><br>[1] <a href="https://bugs.launchpad.net/fuel/+bug/1441855" target="_blank">https://bugs.launchpad.net/fuel/+bug/1441855</a></div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
</blockquote></div><div dir="ltr">-- <br></div><div dir="ltr"><p dir="ltr">--</p><p dir="ltr"><span style="font-size:13.1999998092651px">Andrew Woodward</span></p><p dir="ltr"><span style="font-size:13.1999998092651px">Mirantis</span></p><p dir="ltr"><span style="font-size:13.1999998092651px">Fuel Community Ambassador</span></p><p dir="ltr"><span style="font-size:13.1999998092651px">Ceph Community</span></p>
</div>
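<p>The endpoint selection described in this thread, as an added example that is not part of the original messages or of Fuel or keystoneclient: it reads a Keystone v2.0 service catalog and reports which identity endpoints a client outside the cluster can route to. The catalog is constructed sample data using the addresses and ports quoted above; <code>CLIENT_ROUTABLE</code>, its /24 netmask and all function names are assumptions.</p>

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed Keystone v2.0 token-response fragment (sample data, not output
# from the thread's cluster); addresses and ports follow the Fuel defaults
# described in the thread.
SAMPLE_ACCESS = {"access": {"serviceCatalog": [{
    "type": "identity",
    "name": "keystone",
    "endpoints": [{
        "region": "RegionOne",
        "publicURL": "http://10.52.71.39:5000/v2.0",     # public VIP
        "internalURL": "http://192.168.20.3:5000/v2.0",  # management VIP
        "adminURL": "http://192.168.20.3:35357/v2.0",    # management VIP
    }],
}]}}

# Assumption: the workstation routes only to the public network (hypothetical /24).
CLIENT_ROUTABLE = ["10.52.71.0/24"]


def identity_endpoints(access, service_type="identity"):
    """Return {interface: url} for the first endpoint of the given service type."""
    for service in access["access"]["serviceCatalog"]:
        if service.get("type") == service_type and service.get("endpoints"):
            ep = service["endpoints"][0]
            return {k: ep[k] for k in ("publicURL", "internalURL", "adminURL") if k in ep}
    raise LookupError("no %s service in catalog" % service_type)


def routable(url, networks):
    """True if the URL's host is an IP literal inside one of the given CIDRs."""
    try:
        addr = ipaddress.ip_address(urlsplit(url).hostname)
    except ValueError:
        return False  # hostnames are not resolved in this offline example
    return any(addr in ipaddress.ip_network(n) for n in networks)


def audit(access, networks):
    """Map each interface to (url, port, reachable_from_client)."""
    return {iface: (url, urlsplit(url).port, routable(url, networks))
            for iface, url in identity_endpoints(access).items()}


if __name__ == "__main__":
    for iface, (url, port, ok) in audit(SAMPLE_ACCESS, CLIENT_ROUTABLE).items():
        state = "reachable" if ok else "NOT reachable"
        print("%-11s %-32s port %-5s %s" % (iface, url, port, state))
```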