[openstack-dev] [Fuel] wrong network for keystone endpoint in 6.1 ?

Andrew Woodward xarses at gmail.com
Thu Jul 9 23:03:53 UTC 2015


This is the expected, although security conservative approach to admin
endpoints in fuel, it does pretty much block all actions in keystone other
than auth from outside the cluster. It pre-dates me, and fuel 3.0.1; my
understanding of the intent here is that we don't want a compromise to
result in all kinds of accounts being created.

On Thu, Jul 9, 2015 at 3:35 PM Stanislaw Bogatkin <sbogatkin at mirantis.com>
wrote:

> Hi Daniel,
>
> The answer is no - actually there is no strong dependency between public and
> internal/admin endpoints. In your case the keystone client asks keystone on
> address 10.52.71.39 (which, I think, was provided by the system
> variable OS_AUTH_URL), auths on it, and then keystone gives the endpoints list
> to the client. The client selected the admin endpoint from this list
> (192.168.20.3 address) and tried to get the information you asked for. It's
> normal behavior.
>
> So, in Fuel by default we have 3 different endpoints for keystone - public
> on public VIP, port 5000; internal on management VIP, port 5000, admin on
> management VIP, port 35357.
>
> On Thu, Jul 9, 2015 at 4:59 PM, Daniel Comnea <comnea.dani at gmail.com>
> wrote:
>
>> Hi,
>>
>> I'm running Fuel 6.1 and I've seen an interesting behavior which I think
>> matches bug [1]
>>
>> Basically the adminUrl & publicUrl parts of the keystone endpoint are
>> different
>>
>> And the result of that is that you can't run the keystone CLI - i.e.
>> create/list tenants etc.
>>
>> keystone --debug tenant-list
>> /usr/local/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
>>   'python-keystoneclient.', DeprecationWarning)
>> DEBUG:keystoneclient.auth.identity.v2:Making authentication request to http://10.20.71.39:5000/v2.0/tokens
>> INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 10.52.71.39
>> DEBUG:requests.packages.urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 3709
>> DEBUG:keystoneclient.session:REQ: curl -g -i -X GET http://192.168.20.3:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}cc918b89c2dca563edda43e01964b1f1979c552b"
>>
>> shouldn't adminURL = publicURL = br-ex for keystone?
>>
>>
>> Dani
>>
>>
>> [1] https://bugs.launchpad.net/fuel/+bug/1441855
>>
-- 

Andrew Woodward

Mirantis

Fuel Community Ambassador

Ceph Community
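
The endpoint layout discussed in this thread can be checked from a token response. The following is an added example, not code from the thread or from Fuel: it parses a constructed Keystone v2.0 service catalog using the addresses and ports quoted above and reports whether the admin endpoint is kept off the public network. The two CIDRs and the function names are assumptions made for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: trimmed v2.0 token response built from the
# addresses and ports mentioned in the thread.
TOKEN_RESPONSE = json.loads("""
{"access": {"serviceCatalog": [
  {"type": "identity", "name": "keystone", "endpoints": [
    {"publicURL":   "http://10.52.71.39:5000/v2.0",
     "internalURL": "http://192.168.20.3:5000/v2.0",
     "adminURL":    "http://192.168.20.3:35357/v2.0"}]}
]}}
""")

# Assumed network layout (the thread gives addresses, not prefixes).
PUBLIC_NET = ipaddress.ip_network("10.52.71.0/24")
MGMT_NET = ipaddress.ip_network("192.168.20.0/24")


def identity_endpoints(token_response):
    """Return {interface: (host, port)} for the identity service."""
    for svc in token_response["access"]["serviceCatalog"]:
        if svc["type"] == "identity":
            ep = svc["endpoints"][0]
            out = {}
            for key in ("publicURL", "internalURL", "adminURL"):
                parts = urlsplit(ep[key])
                out[key] = (parts.hostname, parts.port)
            return out
    raise LookupError("no identity service in catalog")


def audit(token_response, client_ip):
    """Report where the admin endpoint lives and where the client sits."""
    admin_host, admin_port = identity_endpoints(token_response)["adminURL"]
    admin_ip = ipaddress.ip_address(admin_host)
    return {
        "admin_endpoint": f"{admin_host}:{admin_port}",
        "admin_on_public_net": admin_ip in PUBLIC_NET,
        "admin_on_mgmt_net": admin_ip in MGMT_NET,
        # The v2.0 tenant-list call in the log goes to adminURL, so a
        # client outside the management network is expected to fail.
        "client_on_mgmt_net": ipaddress.ip_address(client_ip) in MGMT_NET,
    }
```
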