<html><body><p>There are a few factors at play here:<br><br>1) Your auth_url is unversioned (meaning it doesn't have the dangly bit of /v2.0 or /v3)<br>2) os-api-version isn't a thing, so it's not even being used (you probably want os-identity-api-version), as a result, osc will use v2.0 keystone APIs<br><br>osc noticed you had used a user domain name and project domain name, so it was smart enough to perform a v3 auth request (this is shown with the POST to /v3/auth/tokens)<br><br>once you have the token, osc will call the v2.0 APIs for the command (project list), which is only supported on the 'admin' port, by default it's 35357. more info on that here: <a href="http://developer.openstack.org/api-ref-identity-admin-v2.html">http://developer.openstack.org/api-ref-identity-admin-v2.html</a><br><br>Basically, I think you really want to set os-identity-api-version instead of os-api-version.<br><br>Thanks,<br><br>Steve Martinelli<br>OpenStack Keystone Core<br><br><img width="16" height="16" src="cid:1__=8FBBF450DFB340068f9e8a93df938690918c8FB@" border="0" alt="Inactive hide details for Timothy Symanczyk ---2015/09/16 05:41:35 PM---Hi All, While intending to direct requests from the ope"><font color="#424282">Timothy Symanczyk ---2015/09/16 05:41:35 PM---Hi All, While intending to direct requests from the openstack client to the public endpoint of my ke</font><br><br><font size="2" color="#5F5F5F">From: </font><font size="2">Timothy Symanczyk <Timothy_Symanczyk@symantec.com></font><br><font size="2" color="#5F5F5F">To: </font><font size="2">openstack <openstack@lists.openstack.org></font><br><font size="2" color="#5F5F5F">Date: </font><font size="2">2015/09/16 05:41 PM</font><br><font size="2" color="#5F5F5F">Subject: </font><font size="2">[Openstack] [OpenStack][Keystone][OpenStackClient] Switching to admin endpoint mid request, how / why?</font><br><hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br><br><br><font face="Calibri">Hi All,</font><br><br><font face="Calibri">While intending to direct requests from the openstack client to the public endpoint of my keystone instance, it seems as though after initial authentication the client gives subsequent requests to the admin endpoint. Is there a setting somewhere that I’ve missed either client or server side where the entire request could be done through the public endpoint? My install/config is the all-in-one devstack using master. Absolutely no local changes.</font><br><br><font face="Calibri">Marked-up copy paste :</font><ul><ul><br><font size="2">timothy_symanczyk@community:~$ source ./becomeDemo.sh </font><br><b><font size="2" color="#C33720">OS_</font></b><font size="2">USER_DOMAIN_NAME=Default</font><br><b><font size="2" color="#C33720">OS_</font></b><font size="2">PROJECT_NAME=demo</font><br><b><font size="2" color="#C33720">OS_</font></b><font size="2">PASSWORD=stack</font><br><b><font size="2" color="#C33720">OS_</font></b><font size="2">API_VERSION=3</font><br><b><font size="2" color="#C33720">OS_</font></b><font size="2">AUTH_URL=http://192.168.207.21:5000/</font><br><b><font size="2" color="#C33720">OS_</font></b><font size="2">USERNAME=demo</font><br><b><font size="2" color="#C33720">OS_</font></b><font size="2">PROJECT_DOMAIN_NAME=Default</font><br></ul></ul><b><font face="Calibri">Auth URL explicitly specified as the public :5000 endpoint.</font></b><ul><ul><br><font size="2">timothy_symanczyk@community:~$ openstack --debug project show demo</font><br><font size="2">DEBUG: openstackclient.shell options: Namespace(auth_type='', auth_url='http://192.168.207.21:5000/', cacert='', cloud='', debug=True, default_domain='default', deferred_help=False, domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, log_file=None, os_compute_api_version='2', os_identity_api_version='2', os_image_api_version='1', os_network_api_version='2', os_object_api_version='1', os_project_id=None, os_project_name=None, os_volume_api_version='1', password='stack', project_domain_id='', project_domain_name='Default', project_id='', project_name='demo', region_name='', service_provider_endpoint='', timing=False, token='', trust_id='', url='', user_domain_id='', user_domain_name='Default', user_id='', username='demo', verbose_level=3, verify=None)</font><br><font size="2">DEBUG: openstackclient.shell defaults: {'auth_type': 'osc_password', 'compute_api_version': '2', 'database_api_version': '1.0', 'api_timeout': None, 'baremetal_api_version': '1', 'image_api_use_tasks': False, 'endpoint_type': 'public', 'floating_ip_source': 'neutron', 'key': None, 'cacert': None, 'network_api_version': '2', 'object_api_version': '1', 'image_api_version': '1', 'verify': True, 'identity_api_version': '2', 'volume_api_version': '1', 'cert': None, 'secgroup_source': 'neutron', 'disable_vendor_agent': {}}</font><br><font size="2">DEBUG: openstackclient.shell cloud cfg: {'auth_type': 'osc_password', 'compute_api_version': '2', 'database_api_version': '1.0', 'timing': False, 'network_api_version': '2', 'object_api_version': '1', 'image_api_version': '1', 'verify': True, 'verbose_level': 3, 'region_name': '', 'api_timeout': None, 'baremetal_api_version': '1', 'auth': {'username': 'demo', 'project_name': 'demo', 'tenant_name': 'demo', 'user_domain_name': 'Default', 'auth_url': 'http://192.168.207.21:5000/', 'password': 'stack', 'project_domain_name': 'Default'}, 'default_domain': 'default', 'image_api_use_tasks': False, 'endpoint_type': 'public', 'floating_ip_source': 'neutron', 'key': None, 'cacert': None, 'deferred_help': False, 'identity_api_version': '2', 'volume_api_version': '1', 'cert': None, 'secgroup_source': 'neutron', 'debug': True, 'disable_vendor_agent': {}}</font><br><font size="2">DEBUG: openstackclient.shell compute API version 2, cmd group openstack.compute.v2</font><br><font size="2">DEBUG: openstackclient.shell network API version 2, cmd group openstack.network.v2</font><br><font size="2">DEBUG: openstackclient.shell image API version 1, cmd group openstack.image.v1</font><br><font size="2">DEBUG: openstackclient.shell volume API version 1, cmd group openstack.volume.v1</font><br><font size="2">DEBUG: openstackclient.shell identity API version 2, cmd group openstack.identity.v2</font><br><font size="2">DEBUG: openstackclient.shell object_store API version 1, cmd group openstack.object_store.v1</font><br><font size="2">INFO: openstackclient.shell command: project show -> openstackclient.identity.v2_0.project.ShowProject</font><br><font size="2">DEBUG: openstackclient.api.auth Auth plugin osc_password selected</font><br><font size="2">DEBUG: openstackclient.api.auth auth_type: osc_password</font><br><font size="2">INFO: openstackclient.common.clientmanager Using auth plugin: osc_password</font><br><font size="2">DEBUG: openstackclient.common.clientmanager Using parameters {'username': 'demo', 'project_name': 'demo', 'auth_url': 'http://192.168.207.21:5000/', 'tenant_name': 'demo', 'user_domain_name': 'Default', 'password': 'stack', 'project_domain_name': 'Default'}</font><br><font size="2">DEBUG: openstackclient.common.clientmanager Get auth_ref</font><br><font size="2">DEBUG: keystoneclient.session REQ: curl -g -i -X GET </font><font size="2"><a href="http://192.168.207.21:5000/">http://192.168.207.21:5000/</a></font><font size="2"> -H "Accept: application/json" -H "User-Agent: python-openstackclient"</font><br><font size="2">INFO: requests.packages.urllib3.connectionpool Starting new HTTP connection (1): 192.168.207.21</font><br><font size="2">DEBUG: requests.packages.urllib3.connectionpool "GET / HTTP/1.1" 300 597</font><br><font size="2">DEBUG: keystoneclient.session RESP: [300] content-length: 597 vary: X-Auth-Token keep-alive: timeout=5, max=100 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json </font><br><font size="2">RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "</font><font size="2"><a href="http://192.168.207.21:5000/v3/">http://192.168.207.21:5000/v3/</a></font><font size="2">", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "</font><font size="2"><a href="http://192.168.207.21:5000/v2.0/">http://192.168.207.21:5000/v2.0/</a></font><font size="2">", "rel": "self"}, {"href": "</font><font size="2"><a href="http://docs.openstack.org/">http://docs.openstack.org/</a></font><font size="2">", "type": "text/html", "rel": "describedby"}]}]}}</font><br><br><font size="2">DEBUG: keystoneclient.auth.identity.v3.base Making authentication request to </font><font size="2"><a href="http://192.168.207.21:5000/v3/auth/tokens">http://192.168.207.21:5000/v3/auth/tokens</a></font><br><font size="2">DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens HTTP/1.1" 201 4915</font><br><font size="2">DEBUG: openstackclient.identity.v2_0.project.ShowProject take_action(Namespace(columns=[], formatter='table', max_width=0, prefix='', project='demo', variables=[]))</font><br><font size="2">DEBUG: openstackclient.identity.client Instantiating identity client: <class 'openstackclient.identity.client.IdentityClientv2'></font><br><font size="2">DEBUG: keystoneclient.auth.identity.v3.base Making authentication request to </font><font size="2"><a href="http://192.168.207.21:5000/v3/auth/tokens">http://192.168.207.21:5000/v3/auth/tokens</a></font><br><font size="2">DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens HTTP/1.1" 201 4915</font><br></ul></ul><b><font face="Calibri">Everything above here appears to use the public :5000 endpoint, and then everything after here appears to use the admin :35357 endpoint.</font></b><ul><ul><br><font size="2">DEBUG: keystoneclient.session REQ: curl -g -i -X GET </font><font size="2"><a href="http://192.168.207.21:35357/">http://192.168.207.21:35357/</a></font><font size="2"> -H "Accept: application/json" -H "User-Agent: python-openstackclient"</font><br><font size="2">INFO: requests.packages.urllib3.connectionpool Starting new HTTP connection (1): 192.168.207.21</font><br><font size="2">DEBUG: requests.packages.urllib3.connectionpool "GET / HTTP/1.1" 300 599</font><br><font size="2">DEBUG: keystoneclient.session RESP: [300] content-length: 599 vary: X-Auth-Token keep-alive: timeout=5, max=100 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json </font><br><font size="2">RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "</font><font size="2"><a href="http://192.168.207.21:35357/v3/">http://192.168.207.21:35357/v3/</a></font><font size="2">", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "</font><font size="2"><a href="http://192.168.207.21:35357/v2.0/">http://192.168.207.21:35357/v2.0/</a></font><font size="2">", "rel": "self"}, {"href": "</font><font size="2"><a href="http://docs.openstack.org/">http://docs.openstack.org/</a></font><font size="2">", "type": "text/html", "rel": "describedby"}]}]}}</font><br><font size="2">DEBUG: keystoneclient.session REQ: curl -g -i -X GET </font><font size="2"><a href="http://192.168.207.21:35357/v2.0/tenants/demo">http://192.168.207.21:35357/v2.0/tenants/demo</a></font><font size="2"> -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}e68eb68e96e582cf8f9a7dbcb0438b1674cfc30a"</font><br><font size="2">DEBUG: requests.packages.urllib3.connectionpool "GET /v2.0/tenants/demo HTTP/1.1" 403 179</font><br><font size="2">DEBUG: keystoneclient.session RESP: [403] content-length: 179 vary: X-Auth-Token keep-alive: timeout=5, max=99 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json x-openstack-request-id: req-900925a9-bbe6-4deb-a50c-6d496681503b </font><br><font size="2">RESP BODY: {"error": {"message": "You are not authorized to perform the requested action: admin_required (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}</font><br><font size="2">DEBUG: keystoneclient.session Request returned failure status: 403</font><br><font size="2">DEBUG: keystoneclient.session REQ: curl -g -i -X GET </font><font size="2"><a href="http://192.168.207.21:35357/v2.0/tenants">http://192.168.207.21:35357/v2.0/tenants</a></font><font size="2"> -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}e68eb68e96e582cf8f9a7dbcb0438b1674cfc30a"</font><br><font size="2">DEBUG: requests.packages.urllib3.connectionpool "GET /v2.0/tenants HTTP/1.1" 403 179</font><br><font size="2">DEBUG: keystoneclient.session RESP: [403] content-length: 179 vary: X-Auth-Token keep-alive: timeout=5, max=98 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json x-openstack-request-id: req-336ef5dc-1f46-4cde-946a-ba91415b5d57 </font><br><font size="2">RESP BODY: {"error": {"message": "You are not authorized to perform the requested action: admin_required (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}}</font><br><font size="2">DEBUG: keystoneclient.session Request returned failure status: 403</font><br><font size="2">+---------+----------------------------------+</font><br><font size="2">| Field | Value |</font><br><font size="2">+---------+----------------------------------+</font><br><font size="2">| enabled | True |</font><br><font size="2">| id | 20f42190a63c443e9209d2bc576b14e4 |</font><br><font size="2">| name | demo |</font><br><font size="2">+---------+----------------------------------+</font><br><font size="2">DEBUG: openstackclient.shell clean_up ShowProject: </font><br><font size="2">timothy_symanczyk@community:~$</font><br></ul></ul><br><font face="Calibri">Any help or insight greatly appreciated.</font><br><br><font face="Calibri">Tim</font><tt>_______________________________________________<br>Mailing list: </tt><tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></tt><tt><br>Post to : openstack@lists.openstack.org<br>Unsubscribe : </tt><tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></tt><tt><br></tt><br><br><BR>
</body></html>