[openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

Brant Knudson blk at acm.org
Fri Jun 16 15:38:14 UTC 2017


On Thu, Jun 15, 2017 at 1:12 PM, Harry Rybacki <hrybacki at redhat.com> wrote:

> On Thu, Jun 15, 2017 at 1:57 PM, Brant Knudson <blk at acm.org> wrote:
> >
> >
> > On Thu, Jun 15, 2017 at 5:14 AM, Mikhail Fedosin <mfedosin at gmail.com>
> wrote:
> >>
> >> Recently I decided to remove deprecated parameters from
> keystone_authtoken
> >> mistral config and replace them with recommended function of devstack
> [1].
> >> In doing so, I discovered a strange behavior of configuration
> mechanism, and
> >> specifically parameters auth_uri and auth_url.
> >>
> >> 1. The parameter auth_url is not included in the list of the middleware
> >> parameters, there is auth_uri only [2]. Nevertheless, it must be
> present,
> >> because it's required by identity plugin [3]. Attempts to remove or
> replace
> >> it with the recommended auth_uri result with these stacktraces [4]
> >>
> >> 2. Even if auth_url is set, it can't be used later, because it is not
> >> registered in oslo_config [5]
> >>
> >> So I would like to get an advise from keystone team and understand what
> I
> >> should do in such cases. Official documentation doesn't add clarity on
> the
> >> matter because it recommends to use auth_uri in some cases and auth_url
> in
> >> others.
> >
> >
> > While to a human auth_uri and auth_url might look very similar they're
> > treated completely differently by auth_token / keystoneauth. One doesn't
> > replace the other in any way. So it shouldn't be surprising that
> > documentation would say to use auth_uri for one thing and auth_url for
> > something else.
> >
> In this case it's probably worth filing a docs bug against Keystone.
> If one person is confused by this, others likely are or will be.
>
> - Harry
>
>
I created a bug against keystonemiddleware:
https://bugs.launchpad.net/keystonemiddleware/+bug/1698401 . HTH.

- Brant


> >  - Brant
> >
> >
> >>
> >> My suggestion is to add auth_url in the list of keystone authtoken
> >> middleware config options, so that the parameter can be used by the
> others.
> >>
> >> Best,
> >> Mike
> >>
> >> [1] https://review.openstack.org/#/c/473796/
> >> [2]
> >> https://github.com/openstack/keystonemiddleware/blob/
> master/keystonemiddleware/auth_token/_opts.py#L31
> >> [3]
> >> https://github.com/openstack/keystoneauth/blob/master/
> keystoneauth1/loading/identity.py#L37
> >> [4] http://paste.openstack.org/show/612662/
> >> [5] http://paste.openstack.org/show/612664/
> >>
> >> ____________________________________________________________
> ______________
> >> OpenStack Development Mailing List (not for usage questions)
> >> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:
> unsubscribe
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>
> >
> >
> > ____________________________________________________________
> ______________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:
> unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



-- 
- Brant
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20170616/1233a2c3/attachment.html>


More information about the OpenStack-dev mailing list