[openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

Jamie Lennox jamielennox at gmail.com
Wed Jun 21 01:15:38 UTC 2017

On 16 June 2017 at 00:44, Mikhail Fedosin <mfedosin at gmail.com> wrote:

> Thanks György!
> On Thu, Jun 15, 2017 at 1:55 PM, Gyorgy Szombathelyi <gyorgy.szombathelyi@
> doclerholding.com> wrote:
>> Hi Mikhail,
>> (I'm not from the Keystone team, but did some patches for using
>> keystonauth1).
>> >
>> > 2. Even if auth_url is set, it can't be used later, because it is not
>> registered in
>> > oslo_config [5]
>> auth_url is actually a dynamic parameter and depends on the keystone auth
>> plugin used
>> (auth_type=xxx). The plugin which needs this parameter, registers it.
> Based on this http://paste.openstack.org/show/612664/ I would say that
> the plugin doesn't register it :(
> It either can be a bug, or it was done intentionally, I don't know.
>> >
>> > So I would like to get an advise from keystone team and understand what
>> I
>> > should do in such cases. Official documentation doesn't add clarity on
>> the
>> > matter because it recommends to use auth_uri in some cases and auth_url
>> in
>> > others.
>> > My suggestion is to add auth_url in the list of keystone authtoken
>> > middleware config options, so that the parameter can be used by the
>> others.
>> Yepp, this makes some confusion, but adding auth_url will make a clash
>> with
>> most (all?) authentication plugins. auth_url can be considered as an
>> 'internal'
>> option for the keystoneauth1 modules, and not used by anything else (like
>> the keystonemiddleware itself). However if there would be a more elagant
>> solution, I would also hear about it.
>> >
>> > Best,
>> > Mike
>> >
>> Br,
>> György
>> ____________________________________________________________
>> ______________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscrib
>> e
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> My final thought that we have to use both (auth_url and auth_uri) options
> in mistral config, which looks ugly, but necessary.
> Best,
> Mike
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

I feel like the question has been answered in the thread, but as i'm
largely responsible for this I thought i'd pipe up here.

It's annoying and unfortunate that auth_uri and auth_url look so similar.
They've actually existed for some time side by side and ended up like that
out of evolution rather that any thought. Interestingly the first result
for auth_uri in google is [1]. I'd be happy to rename it for something else
if we can agree on what.

Regarding your paste (and the reason i popped up), i would consider this a
bug in mistral. The auth options aren't registered into oslo.config until
just before the plugin is loaded because depending on what you put in for
auth_type the options may be different. In practice pretty much every
plugin has an auth_url, but mistral shouldn't be assuming anything about
the structure of [keystone_authtoken]. That's the sole responsibility of
keystonemiddleware and it does change over time.


[1] https://adam.younglogic.com/2016/06/auth_uri-vs-auth_url/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20170621/f79bd4c3/attachment.html>

More information about the OpenStack-dev mailing list