[Openstack] [OpenStack][Keystone][OpenStackClient] Switching to admin endpoint mid request, how / why?
Steve Martinelli
stevemar at ca.ibm.com
Thu Sep 17 06:05:34 UTC 2015
There are a few factors at play here:
1) Your auth_url is unversioned (meaning it doesn't have the dangly bit
of /v2.0 or /v3)
2) os-api-version isn't a thing, so it's not even being used (you probably
want os-identity-api-version), as a result, osc will use v2.0 keystone APIs
osc noticed you had used a user domain name and project domain name, so it
was smart enough to perform a v3 auth request (this is shown with the POST
to /v3/auth/tokens)
once you have the token, osc will call the v2.0 APIs for the command
(project list), which is only supported on the 'admin' port, by default
it's 35357. more info on that here:
http://developer.openstack.org/api-ref-identity-admin-v2.html
Basically, I think you really want to set os-identity-api-version instead
of os-api-version.
Thanks,
Steve Martinelli
OpenStack Keystone Core
From: Timothy Symanczyk <Timothy_Symanczyk at symantec.com>
To: openstack <openstack at lists.openstack.org>
Date: 2015/09/16 05:41 PM
Subject: [Openstack] [OpenStack][Keystone][OpenStackClient] Switching to
admin endpoint mid request, how / why?
Hi All,
While intending to direct requests from the openstack client to the public
endpoint of my keystone instance, it seems as though after initial
authentication the client gives subsequent requests to the admin endpoint.
Is there a setting somewhere that I’ve missed either client or server side
where the entire request could be done through the public endpoint? My
install/config is the all-in-one devstack using master. Absolutely no local
changes.
Marked-up copy paste :
timothy_symanczyk at community:~$ source ./becomeDemo.sh
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=demo
OS_PASSWORD=stack
OS_API_VERSION=3
OS_AUTH_URL=http://192.168.207.21:5000/
OS_USERNAME=demo
OS_PROJECT_DOMAIN_NAME=Default
Auth URL explicitly specified as the public :5000 endpoint.
timothy_symanczyk at community:~$ openstack --debug project show demo
DEBUG: openstackclient.shell options: Namespace(auth_type='',
auth_url='http://192.168.207.21:5000/', cacert='', cloud='',
debug=True, default_domain='default', deferred_help=False,
domain_id='', domain_name='', endpoint='', identity_provider='',
identity_provider_url='', insecure=None, log_file=None,
os_compute_api_version='2', os_identity_api_version='2',
os_image_api_version='1', os_network_api_version='2',
os_object_api_version='1', os_project_id=None, os_project_name=None,
os_volume_api_version='1', password='stack', project_domain_id='',
project_domain_name='Default', project_id='', project_name='demo',
region_name='', service_provider_endpoint='', timing=False, token='',
trust_id='', url='', user_domain_id='', user_domain_name='Default',
user_id='', username='demo', verbose_level=3, verify=None)
DEBUG: openstackclient.shell defaults: {'auth_type': 'osc_password',
'compute_api_version': '2', 'database_api_version': '1.0',
'api_timeout': None, 'baremetal_api_version': '1',
'image_api_use_tasks': False, 'endpoint_type': 'public',
'floating_ip_source': 'neutron', 'key': None, 'cacert': None,
'network_api_version': '2', 'object_api_version': '1',
'image_api_version': '1', 'verify': True, 'identity_api_version': '2',
'volume_api_version': '1', 'cert': None, 'secgroup_source': 'neutron',
'disable_vendor_agent': {}}
DEBUG: openstackclient.shell cloud cfg: {'auth_type': 'osc_password',
'compute_api_version': '2', 'database_api_version': '1.0', 'timing':
False, 'network_api_version': '2', 'object_api_version': '1',
'image_api_version': '1', 'verify': True, 'verbose_level': 3,
'region_name': '', 'api_timeout': None, 'baremetal_api_version': '1',
'auth': {'username': 'demo', 'project_name': 'demo', 'tenant_name':
'demo', 'user_domain_name': 'Default', 'auth_url':
'http://192.168.207.21:5000/', 'password': 'stack',
'project_domain_name': 'Default'}, 'default_domain': 'default',
'image_api_use_tasks': False, 'endpoint_type': 'public',
'floating_ip_source': 'neutron', 'key': None, 'cacert': None,
'deferred_help': False, 'identity_api_version': '2',
'volume_api_version': '1', 'cert': None, 'secgroup_source': 'neutron',
'debug': True, 'disable_vendor_agent': {}}
DEBUG: openstackclient.shell compute API version 2, cmd group
openstack.compute.v2
DEBUG: openstackclient.shell network API version 2, cmd group
openstack.network.v2
DEBUG: openstackclient.shell image API version 1, cmd group
openstack.image.v1
DEBUG: openstackclient.shell volume API version 1, cmd group
openstack.volume.v1
DEBUG: openstackclient.shell identity API version 2, cmd group
openstack.identity.v2
DEBUG: openstackclient.shell object_store API version 1, cmd group
openstack.object_store.v1
INFO: openstackclient.shell command: project show ->
openstackclient.identity.v2_0.project.ShowProject
DEBUG: openstackclient.api.auth Auth plugin osc_password selected
DEBUG: openstackclient.api.auth auth_type: osc_password
INFO: openstackclient.common.clientmanager Using auth plugin:
osc_password
DEBUG: openstackclient.common.clientmanager Using parameters
{'username': 'demo', 'project_name': 'demo', 'auth_url':
'http://192.168.207.21:5000/', 'tenant_name': 'demo',
'user_domain_name': 'Default', 'password': 'stack',
'project_domain_name': 'Default'}
DEBUG: openstackclient.common.clientmanager Get auth_ref
DEBUG: keystoneclient.session REQ: curl -g -i -X GET
http://192.168.207.21:5000/ -H "Accept: application/json" -H
"User-Agent: python-openstackclient"
INFO: requests.packages.urllib3.connectionpool Starting new HTTP
connection (1): 192.168.207.21
DEBUG: requests.packages.urllib3.connectionpool "GET / HTTP/1.1" 300
597
DEBUG: keystoneclient.session RESP: [300] content-length: 597 vary:
X-Auth-Token keep-alive: timeout=5, max=100 server: Apache/2.4.7
(Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT
content-type: application/json
RESP BODY: {"versions": {"values": [{"status": "stable", "updated":
"2015-03-30T00:00:00Z", "media-types": [{"base": "application/json",
"type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4",
"links": [{"href": "http://192.168.207.21:5000/v3/", "rel": "self"}]},
{"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types":
[{"base": "application/json", "type":
"application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0",
"links": [{"href": "http://192.168.207.21:5000/v2.0/", "rel": "self"},
{"href": "http://docs.openstack.org/", "type": "text/html", "rel":
"describedby"}]}]}}
DEBUG: keystoneclient.auth.identity.v3.base Making authentication
request to http://192.168.207.21:5000/v3/auth/tokens
DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens
HTTP/1.1" 201 4915
DEBUG: openstackclient.identity.v2_0.project.ShowProject take_action
(Namespace(columns=[], formatter='table', max_width=0, prefix='',
project='demo', variables=[]))
DEBUG: openstackclient.identity.client Instantiating identity client:
<class 'openstackclient.identity.client.IdentityClientv2'>
DEBUG: keystoneclient.auth.identity.v3.base Making authentication
request to http://192.168.207.21:5000/v3/auth/tokens
DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens
HTTP/1.1" 201 4915
Everything above here appears to use the public :5000 endpoint, and then
everything after here appears to use the admin :35357 endpoint.
DEBUG: keystoneclient.session REQ: curl -g -i -X GET
http://192.168.207.21:35357/ -H "Accept: application/json" -H
"User-Agent: python-openstackclient"
INFO: requests.packages.urllib3.connectionpool Starting new HTTP
connection (1): 192.168.207.21
DEBUG: requests.packages.urllib3.connectionpool "GET / HTTP/1.1" 300
599
DEBUG: keystoneclient.session RESP: [300] content-length: 599 vary:
X-Auth-Token keep-alive: timeout=5, max=100 server: Apache/2.4.7
(Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT
content-type: application/json
RESP BODY: {"versions": {"values": [{"status": "stable", "updated":
"2015-03-30T00:00:00Z", "media-types": [{"base": "application/json",
"type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4",
"links": [{"href": "http://192.168.207.21:35357/v3/", "rel":
"self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z",
"media-types": [{"base": "application/json", "type":
"application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0",
"links": [{"href": "http://192.168.207.21:35357/v2.0/", "rel":
"self"}, {"href": "http://docs.openstack.org/", "type": "text/html",
"rel": "describedby"}]}]}}
DEBUG: keystoneclient.session REQ: curl -g -i -X GET
http://192.168.207.21:35357/v2.0/tenants/demo -H "User-Agent:
python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token:
{SHA1}e68eb68e96e582cf8f9a7dbcb0438b1674cfc30a"
DEBUG: requests.packages.urllib3.connectionpool
"GET /v2.0/tenants/demo HTTP/1.1" 403 179
DEBUG: keystoneclient.session RESP: [403] content-length: 179 vary:
X-Auth-Token keep-alive: timeout=5, max=99 server: Apache/2.4.7
(Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT
content-type: application/json x-openstack-request-id:
req-900925a9-bbe6-4deb-a50c-6d496681503b
RESP BODY: {"error": {"message": "You are not authorized to perform
the requested action: admin_required (Disable debug mode to suppress
these details.)", "code": 403, "title": "Forbidden"}}
DEBUG: keystoneclient.session Request returned failure status: 403
DEBUG: keystoneclient.session REQ: curl -g -i -X GET
http://192.168.207.21:35357/v2.0/tenants -H "User-Agent:
python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token:
{SHA1}e68eb68e96e582cf8f9a7dbcb0438b1674cfc30a"
DEBUG: requests.packages.urllib3.connectionpool "GET /v2.0/tenants
HTTP/1.1" 403 179
DEBUG: keystoneclient.session RESP: [403] content-length: 179 vary:
X-Auth-Token keep-alive: timeout=5, max=98 server: Apache/2.4.7
(Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT
content-type: application/json x-openstack-request-id:
req-336ef5dc-1f46-4cde-946a-ba91415b5d57
RESP BODY: {"error": {"message": "You are not authorized to perform
the requested action: admin_required (Disable debug mode to suppress
these details.)", "code": 403, "title": "Forbidden"}}
DEBUG: keystoneclient.session Request returned failure status: 403
+---------+----------------------------------+
| Field | Value |
+---------+----------------------------------+
| enabled | True |
| id | 20f42190a63c443e9209d2bc576b14e4 |
| name | demo |
+---------+----------------------------------+
DEBUG: openstackclient.shell clean_up ShowProject:
timothy_symanczyk at community:~$
Any help or insight greatly appreciated.
Tim_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20150917/22335822/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20150917/22335822/attachment.gif>
More information about the Openstack
mailing list
