<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 10/26/2017 08:10 AM, Andy Wojnarek
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:9DF5DE1A-F47A-469F-8BE5-164993316C44@theatsgroup.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Is it
possible to have both v2.0 and v3 endpoints for Keystone?
I’m trying to integrate a backup software into Swift, and it
requires Keystone 2.0. I added the new endpoints fine, but
I’m getting authentication/authorization errors:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-size:11.0pt">My
Endpoints<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt">gvicopnstk01:~
# openstack endpoint list | grep -i identity<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">|
08b3ba7072ed44df9e7c90e99f8e71d9 | regionOne | keystone
| identity | True | internal |
<a class="moz-txt-link-freetext" href="http://gvicopnstk01:35357/v2.0">http://gvicopnstk01:35357/v2.0</a> |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">|
55d52d6b6cb34d33979cd3c083416d44 | RegionOne | keystone
| identity | True | internal |
<a class="moz-txt-link-freetext" href="http://gvicopnstk01:5000/v3/">http://gvicopnstk01:5000/v3/</a> |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">|
6b5958647c1744a78657f2c8089ee97d | RegionOne | keystone
| identity | True | admin |
<a class="moz-txt-link-freetext" href="http://gvicopnstk01:35357/v3/">http://gvicopnstk01:35357/v3/</a> |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">|
70c939d2248f4845b1d0c9e8b7c7cf09 | regionOne | keystone
| identity | True | admin |
<a class="moz-txt-link-freetext" href="http://gvicopnstk01:35357/v2.0">http://gvicopnstk01:35357/v2.0</a> |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">|
7e4d1c794ed1432ca28ea60b947fdc7a | RegionOne | keystone
| identity | True | public |
<a class="moz-txt-link-freetext" href="http://gvicopnstk01:5000/v3/">http://gvicopnstk01:5000/v3/</a> |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">|
f46214dc916947d7a557a2e1b9dc65ca | regionOne | keystone
| identity | True | public |
<a class="moz-txt-link-freetext" href="http://gvicopnstk01:5000/v2.0">http://gvicopnstk01:5000/v2.0</a> |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-size:11.0pt">Using
v2.0 AUTH_URL<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt">gvicopnstk01:~
# export OS_AUTH_URL=<a class="moz-txt-link-freetext" href="http://gvicopnstk01:35357/v2.0">http://gvicopnstk01:35357/v2.0</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">gvicopnstk01:~
# swift stat<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Authorization
Failure. Authorization failed:
(<a class="moz-txt-link-freetext" href="http://gvicopnstk01:35357/v2.0/auth/tokens">http://gvicopnstk01:35357/v2.0/auth/tokens</a>): The resource
could not be found. (HTTP 404) (Request-ID:
req-ff14bc2d-dbbd-41ed-b81e-73c9397ea1d0)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">gvicopnstk01:~
# openstack endpoint list<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Cannot use
v2 authentication with domain scope<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
This is resulting in a 404 Not Found because the authentication
endpoint changed from v2.0 to v3. For v2.0 it is /v2.0/tokens/ and
for v3 it's /v3/auth/tokens. Also, v2.0 doesn't have the concept of
domains. Multiple domains only really exist in the v3 API. As a
result, the v2.0 API is unable to understand or issue domain-scoped
tokens. It can also only authenticate users who are in the default
domain as defined in keystone's configuration file [0].<br>
<br>
What happens if you set ST_AUTH_VERSION=3 [1]? <br>
<br>
[0]
<a class="moz-txt-link-freetext" href="https://docs.openstack.org/keystone/latest/configuration/config-options.html#identity.default_domain_id">https://docs.openstack.org/keystone/latest/configuration/config-options.html#identity.default_domain_id</a><br>
[1]
<a class="moz-txt-link-freetext" href="https://github.com/openstack/python-swiftclient/blob/0982791db2ccb851f277ffa653065e4021e52b3f/doc/source/cli/index.rst#authentication">https://github.com/openstack/python-swiftclient/blob/0982791db2ccb851f277ffa653065e4021e52b3f/doc/source/cli/index.rst#authentication</a><br>
<br>
<blockquote type="cite"
cite="mid:9DF5DE1A-F47A-469F-8BE5-164993316C44@theatsgroup.com">
<div class="WordSection1">
<p class="MsoNormal"><b><u><span style="font-size:11.0pt">keystone-wsgi-public.log
when application tries to hit 2.0 endpoint<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt">2017-10-26
08:43:59.255 21561 WARNING oslo_log.versionutils
[req-8eb530eb-b2da-466d-9e34-7508f70b7c73 - - - - -]
Deprecated: authenticate of the v2 Authentication APIs is
deprecated as of Mitaka in favor of a similar function in
the v3 Authentication APIs and may be removed in T.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">2017-10-26
08:43:59.714 21561 WARNING keystone.common.wsgi
[req-8eb530eb-b2da-466d-9e34-7508f70b7c73 - - - - -]
Authorization failed. The request you have made requires
authentication. from 192.168.241.121: Unauthorized: The
request you have made requires authentication.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">2017-10-26
08:44:04.728 21558 INFO keystone.common.wsgi
[req-2f98c106-9e97-4a7a-94e9-515f8b388001 - - - - -] POST
<a class="moz-txt-link-freetext" href="http://192.168.241.114:5000/v2.0/tokens">http://192.168.241.114:5000/v2.0/tokens</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">2017-10-26
08:44:04.729 21558 WARNING oslo_log.versionutils
[req-2f98c106-9e97-4a7a-94e9-515f8b388001 - - - - -]
Deprecated: authenticate of the v2 Authentication APIs is
deprecated as of Mitaka in favor of a similar function in
the v3 Authentication APIs and may be removed in T.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">2017-10-26
08:44:05.185 21558 WARNING keystone.common.wsgi
[req-2f98c106-9e97-4a7a-94e9-515f8b388001 - - - - -]
Authorization failed. The request you have made requires
authentication. from 192.168.241.121: Unauthorized: The
request you have made requires authentication.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">2017-10-26
08:52:34.534 21557 INFO keystone.common.wsgi
[req-fa71683e-d4a3-4656-8eea-421caa10f841 - - - - -] POST
<a class="moz-txt-link-freetext" href="http://192.168.241.114:5000/v2.0/tokens">http://192.168.241.114:5000/v2.0/tokens</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">When the
application tried with v3 it just bombed out, after I added
the v2.0 endpoints it connects but says invalid
username/password and it fails.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Do I need to
now instruct Swift to use the v2.0 endpoint inside
swift.conf?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:11.0pt">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:11.0pt">Andrew Wojnarek | Sr. Systems
Engineer | ATS Group, LLC<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span
style="font-size:11.0pt">mobile 717.856.6901 | <a
href="mailto:andy.wojnarek@TheATSGroup.com"
moz-do-not-send="true"><span style="color:#0000E9">andy.wojnarek@TheATSGroup.com</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><a
href="http://galileosuite.com/blog/"
moz-do-not-send="true"><b><span
style="font-size:7.0pt;font-family:"Verdana",sans-serif;color:#6B006D">Galileo
Performance Explorer Blog</span></b></a></span><b><span
style="font-size:7.0pt;font-family:"Verdana",sans-serif;color:#535187"> Offers
Deep Insights for Server/Storage Systems</span></b><o:p></o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
OpenStack-operators mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-operators@lists.openstack.org">OpenStack-operators@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a>
</pre>
</blockquote>
<br>
</body>
</html>