<p dir="ltr">One simple workaround for this is to ssh directly to your Keystone node and run the admin commands from there. Once you bootstrap your project with the proper tenants and users, it's not an operation that most people do all that often. We expose an admin endpoint on an internal load balancer URL but not publicly. You could always consider that, so that VPN access is required to make admin calls.</p>
<div class="gmail_quote">On Oct 20, 2015 5:25 PM, "James Denton" &lt;<a href="mailto:james.denton@rackspace.com">james.denton@rackspace.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Jason,<br>
<br>
Certain commands can only be executed via admin url, which in your case may not be routable from external networks. You would need to consider changing the admin endpoint to an ip/FQDN that can be accessed externally (like public url) or limit the ability to execute those particular commands to internal clients only that can hit the existing admin url. This is an architectural decision you'll have to make that may impact security.<br>
<br>
James<br>
<br>
Sent from my iPhone<br>
<br>
> On Oct 20, 2015, at 6:04 PM, Sesso &lt;<a href="mailto:sesso@djsesso.com">sesso@djsesso.com</a>&gt; wrote:<br>
><br>
> I have this below.<br>
><br>
> publicurl | internalurl | adminurl<br>
> <a href="https://public.domain.com:5000/v2.0" rel="noreferrer" target="_blank">https://public.domain.com:5000/v2.0</a> | <a href="http://192.168.0.2:5000/v2.0" rel="noreferrer" target="_blank">http://192.168.0.2:5000/v2.0</a> | <a href="http://192.168.0.2:35357/v2.0" rel="noreferrer" target="_blank">http://192.168.0.2:35357/v2.0</a><br>
><br>
><br>
> The module is trying to access <a href="http://192.168.0.2:35357/v2.0" rel="noreferrer" target="_blank">http://192.168.0.2:35357/v2.0</a> it seems but it will say connection time out.<br>
><br>
> I can access the public URL<br>
><br>
> But on create tenant, it replies with connection time out at the admin url.<br>
><br>
><br>
> Jason<br>
><br>
>> On Oct 20, 2015, at 2:58 PM, Abel Lopez &lt;<a href="mailto:alopgeek@gmail.com">alopgeek@gmail.com</a>&gt; wrote:<br>
>><br>
>> You should have your public endpoints be externally reachable.<br>
>><br>
>>> On Oct 20, 2015, at 2:38 PM, Sesso &lt;<a href="mailto:sesso@djsesso.com">sesso@djsesso.com</a>&gt; wrote:<br>
>>><br>
>>> Hello,<br>
>>><br>
>>> I am trying to use a module to automate VM deployments. I can't connect to keystone externally so it will make new tenants. What is the best route to allow access?<br>
>>> I am using kilo.<br>
>>><br>
>>> Sent from my iPhone<br>
>>> _______________________________________________<br>
>>> OpenStack-operators mailing list<br>
>>> <a href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a><br>
>>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a><br>
</blockquote></div>
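<p dir="ltr">An added example, not part of the thread and not OpenStack's own code: an offline check of the endpoint row posted above that reports which interfaces an external automation host can reach directly and which ones use plain HTTP. The function names are hypothetical, and a hostname is assumed reachable because DNS and firewall rules are not consulted.</p>

```python
import ipaddress
from urllib.parse import urlsplit

# Endpoint row as posted in the thread (Keystone v2.0 catalog columns).
ENDPOINT_ROW = {
    "publicurl": "https://public.domain.com:5000/v2.0",
    "internalurl": "http://192.168.0.2:5000/v2.0",
    "adminurl": "http://192.168.0.2:35357/v2.0",
}


def classify(url):
    """Return (externally_routable, findings) for one endpoint URL."""
    parts = urlsplit(url)
    findings = []
    try:
        addr = ipaddress.ip_address(parts.hostname)
        routable = addr.is_global
        if not routable:
            findings.append("non-routable address %s" % addr)
    except ValueError:
        # A hostname, not an IP literal: reachability depends on DNS and
        # firewalling, which this offline check cannot see (assumption).
        routable = True
    if parts.scheme != "https":
        findings.append("plaintext %s: credentials and tokens are sent "
                        "unencrypted" % parts.scheme)
    return routable, findings


def audit(row):
    """Map each interface name to its classification."""
    return {name: classify(url) for name, url in row.items()}


def blocked_for_external_clients(row):
    """Interfaces an external automation host cannot reach directly."""
    return sorted(name for name, (routable, _) in audit(row).items()
                  if not routable)


if __name__ == "__main__":
    for name, (routable, findings) in audit(ENDPOINT_ROW).items():
        scope = "external" if routable else "internal-only"
        print(name, scope, "; ".join(findings) or "ok")
```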