[openstack-dev] [keystone] [nova] keystonauth catalog work arounds hiding transition issues

Morgan Fainberg morgan.fainberg at gmail.com
Mon Feb 27 15:22:49 UTC 2017

On Mon, Feb 27, 2017 at 5:56 AM, Sean Dague <sean at dague.net> wrote:

> We recently implemented a Nova feature around validating that project_id
> for quotas we real in keystone. After that merged, trippleo builds
> started to fail because their undercloud did not specify the 'identity'
> service as the unversioned endpoint.
> https://github.com/openstack/nova/blob/8b498ce199ac4acd94eb33a7f47c05
> ee0c743c34/nova/api/openstack/identity.py#L34-L36
> - (code merged in Nova).
> After some debug, it was clear that '/v2.0/v3/projects/...' was what was
> being called. And after lots of conferring in the Keystone room, we
> definitely made sure that the code in question was correct. The thing I
> wanted to do was make the failure more clear.
> The suggestion was made to use the following code approach:
> https://review.openstack.org/#/c/438049/6/nova/api/openstack/identity.py
>         resp = sess.get('/projects/%s' % project_id,
>                         endpoint_filter={
>                             'service_type': 'identity',
>                             'version': (3, 0)
>                         },
>                         raise_exc=False)
> However, I tested that manually with an identity =>
> http://............/v2.0 endpoint, and it passes. Which confused me.
> Until I found this -
> https://github.com/openstack/keystoneauth/blob/
> 3364703d3b0e529f7c1b7d1d8ea81726c4f5f121/keystoneauth1/discover.py#L313
> keystonauth is specifically coding around the keystone transition from a
> versioned /v2.0 endpoint to an unversioned one.....
> While that is good for the python ecosystem using it, it's actually
> *quite* bad for the rest of our ecosystem (direct REST, java, ruby, go,
> js, php), because it means that all other facilities need the same work
> around. I actually wonder if this is one of the in the field reasons for
> why the transition from v2 -> v3 is going slow. That's actually going to
> potentially break a lot of software.
> It feels like this whole discovery version hack bit should be removed -
> https://review.openstack.org/#/c/438483/. It also feels like a migration
> path for non python software in changing the catalog entries needs to be
> figured out as well.
> I think on the Nova side we need to go back to looking for bogus
> endpoint because we don't want issues like this hidden from us.
I agree we should kill the discovery hack, however that is a break in the
keystoneauth contract. Simply put, we cannot. Keystoneauth is one of the
few things (similar to how shade works) where behavior, exposed elements,
etc are considered a strict contract that will not change. If we could have
avoided stevedore and PBR we would have.

The best we can provide is a way to build the instances from keystoneauth
that does not include that hack.

The short is, we can't remove it. Similar to how we cannot change the raise
of exceptions for non-200 responses (the behavior is already encoded).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20170227/157bab44/attachment.html>

More information about the OpenStack-dev mailing list