[openstack-dev] [Fuel][Puppet] Keystone V2/V3 service endpoints

Rich Megginson rmeggins at redhat.com
Mon Aug 10 15:14:21 UTC 2015


On 08/10/2015 07:46 AM, Matthew Mosesohn wrote:
> Sorry to everyone for bringing up this old thread, but it seems we may 
> need more openstackclient/keystone experts to settle this.
>
> I'm referring to the comments in https://review.openstack.org/#/c/207873/
> Specifically comments from Richard Megginson and Gilles Dubreuil 
> indicating openstackclient behavior for v3 keystone API.
>
>
> A few items seem to be under dispute:
> 1 - Keystone should be able to accept v3 requests at 
> http://keystone-server:5000/

I don't think so.  Keystone requires the version suffix "/v2.0" or "/v3".

> 2 - openstackclient should be able to interpret v3 requests and append 
> "v3/" to OS_AUTH_URL=http://keystone-server.5000/ or rewrite the URL 
> if it is set as OS_AUTH_URL=http://keystone-server.5000/

It does, if it can determine from the given authentication arguments if 
it can do v3 or v2.0.

> 3 - All deployments require /etc/keystone/keystone.conf with a token 
> (and not simply use openrc for creating additional endpoints, users, 
> etc beyond keystone itself and an admin user)

No.  What I said about this issue was "Most people using 
puppet-keystone, and realizing Keystone resources on nodes that are not 
the Keystone node, put a /etc/keystone/keystone.conf on that node with 
the admin_token in it."

That doesn't mean the deployment requires /etc/keystone/keystone.conf.  
It should be possible to realize Keystone resources on non-Keystone 
nodes by using ENV or openrc or other means.

>
> I believe it should be possible to set v2.0 keystone OS_AUTH_URL in 
> openrc and puppet-keystone + puppet-openstacklib should be able to 
> make v3 requests sensibly by manipulating the URL.

Yes.  Because for the puppet-keystone resource providers, they are coded 
to a specific version of the api, and therefore need to be able to 
set/override the OS_IDENTITY_API_VERSION and the version suffix in the URL.

> Additionally, creating endpoints/users/roles shouldbe possible via 
> openrc alone.

Yes.

> It's not possible to write single node tests that can demonstrate this 
> functionality, which is why it probably went undetected for so long.

And since this is supported, we need tests for this.
>
> If anyone can speak up on these items, it could help influence the 
> outcome of this patch.
>
> Thank you for your time.
>
> Best Regards,
> Matthew Mosesohn
>
> On Fri, Jul 31, 2015 at 6:32 PM, Rich Megginson <rmeggins at redhat.com 
> <mailto:rmeggins at redhat.com>> wrote:
>
>     On 07/31/2015 07:18 AM, Matthew Mosesohn wrote:
>
>         Jesse, thanks for raising this. Like you, I should just track
>         upstream
>         and wait for full V3 support.
>
>         I've taken the quickest approach and written fixes to
>         puppet-openstacklib and puppet-keystone:
>         https://review.openstack.org/#/c/207873/
>         https://review.openstack.org/#/c/207890/
>
>         and again to Fuel-Library:
>         https://review.openstack.org/#/c/207548/1
>
>         I greatly appreciate the quick support from the community to
>         find an
>         appropriate solution. Looks like I'm just using a weird edge case
>         where we're creating users on a separate node from where
>         keystone is
>         installed and it never got thoroughly tested, but I'm happy to fix
>         bugs where I can.
>
>
>     Most puppet deployments either realize all keystone resources on
>     the keystone node, or drop an /etc/keystone/keystone.conf with
>     admin token onto non-keystone nodes where additional keystone
>     resources need to be realized.
>
>
>
>         -Matthew
>
>         On Fri, Jul 31, 2015 at 3:54 PM, Jesse Pretorius
>         <jesse.pretorius at gmail.com <mailto:jesse.pretorius at gmail.com>>
>         wrote:
>
>             With regards to converting all services to use Keystone v3
>             endpoints, note
>             the following:
>
>             1) swift-dispersion currently does not support consuming
>             Keystone v3
>             endpoints [1]. There is a patch merged to master [2] to
>             fix that, but a
>             backport to kilo is yet to be done.
>             2) Each type (internal, admin, public) of endpoint created
>             with the Keystone
>             v3 API has its own unique id, unlike with the v2 API where
>             they're all
>             created with a single ID. This results in the keystone
>             client being unable
>             to read the catalog created via the v3 API when querying
>             via the v2 API. The
>             solution is to use the openstack client and to use the v3
>             API but this
>             obviously needs to be noted for upgrade impact and operators.
>             3) When glance is setup to use swift as a back-end,
>             glance_store is unable
>             to authenticate to swift when the endpoint it uses is a v3
>             endpoint. There
>             is a review to master in progress [3] to fix this which is
>             unlikely to make
>             it into kilo.
>
>             We (the openstack-ansible/os-ansible-deployment project)
>             are tracking these
>             issues and doing tests to figure out all the bits. These
>             are the bugs we've
>             hit so far. Also note that there is a WIP patch to gate
>             purely on Keystone
>             v3 API's which is planned to become voting (hopefully) by
>             the end of this
>             cycle.
>
>             [1] https://bugs.launchpad.net/swift/+bug/1468374
>             [2] https://review.openstack.org/195131
>             [3] https://review.openstack.org/193422
>
>             __________________________________________________________________________
>             OpenStack Development Mailing List (not for usage questions)
>             Unsubscribe:
>             OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>             <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
>             http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>         __________________________________________________________________________
>         OpenStack Development Mailing List (not for usage questions)
>         Unsubscribe:
>         OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>         <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
>         http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>     __________________________________________________________________________
>     OpenStack Development Mailing List (not for usage questions)
>     Unsubscribe:
>     OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>     <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150810/39959af4/attachment.html>


More information about the OpenStack-dev mailing list