[openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

Mikhail Fedosin mfedosin at gmail.com
Wed Jun 21 09:12:46 UTC 2017


Thanks for your help folks!

I proposed a patch for mistral and it seems it works now
https://review.openstack.org/#/c/473796
I'm not a great expert on this issue, so it will be great if someone from
keystone team could review the patch.

Best,
Mike

On Wed, Jun 21, 2017 at 4:15 AM, Jamie Lennox <jamielennox at gmail.com> wrote:

>
>
> On 16 June 2017 at 00:44, Mikhail Fedosin <mfedosin at gmail.com> wrote:
>
>> Thanks György!
>>
>> On Thu, Jun 15, 2017 at 1:55 PM, Gyorgy Szombathelyi <
>> gyorgy.szombathelyi at doclerholding.com> wrote:
>>
>>> Hi Mikhail,
>>>
>>> (I'm not from the Keystone team, but did some patches for using
>>> keystonauth1).
>>>
>>> >
>>> > 2. Even if auth_url is set, it can't be used later, because it is not
>>> registered in
>>> > oslo_config [5]
>>>
>>> auth_url is actually a dynamic parameter and depends on the keystone
>>> auth plugin used
>>> (auth_type=xxx). The plugin which needs this parameter, registers it.
>>>
>>
>> Based on this http://paste.openstack.org/show/612664/ I would say that
>> the plugin doesn't register it :(
>> It either can be a bug, or it was done intentionally, I don't know.
>>
>>
>>>
>>> >
>>> > So I would like to get an advise from keystone team and understand
>>> what I
>>> > should do in such cases. Official documentation doesn't add clarity on
>>> the
>>> > matter because it recommends to use auth_uri in some cases and
>>> auth_url in
>>> > others.
>>> > My suggestion is to add auth_url in the list of keystone authtoken
>>> > middleware config options, so that the parameter can be used by the
>>> others.
>>>
>>> Yepp, this makes some confusion, but adding auth_url will make a clash
>>> with
>>> most (all?) authentication plugins. auth_url can be considered as an
>>> 'internal'
>>> option for the keystoneauth1 modules, and not used by anything else (like
>>> the keystonemiddleware itself). However if there would be a more elagant
>>> solution, I would also hear about it.
>>>
>>> >
>>> > Best,
>>> > Mike
>>> >
>>> Br,
>>> György
>>> ____________________________________________________________
>>> ______________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: OpenStack-dev-request at lists.op
>>> enstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>> My final thought that we have to use both (auth_url and auth_uri) options
>> in mistral config, which looks ugly, but necessary.
>>
>> Best,
>> Mike
>>
>>
>> ____________________________________________________________
>> ______________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscrib
>> e
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
> Hi,
>
> I feel like the question has been answered in the thread, but as i'm
> largely responsible for this I thought i'd pipe up here.
>
> It's annoying and unfortunate that auth_uri and auth_url look so similar.
> They've actually existed for some time side by side and ended up like that
> out of evolution rather that any thought. Interestingly the first result
> for auth_uri in google is [1]. I'd be happy to rename it for something else
> if we can agree on what.
>
> Regarding your paste (and the reason i popped up), i would consider this a
> bug in mistral. The auth options aren't registered into oslo.config until
> just before the plugin is loaded because depending on what you put in for
> auth_type the options may be different. In practice pretty much every
> plugin has an auth_url, but mistral shouldn't be assuming anything about
> the structure of [keystone_authtoken]. That's the sole responsibility of
> keystonemiddleware and it does change over time.
>
> Jamie
>
>
> [1] https://adam.younglogic.com/2016/06/auth_uri-vs-auth_url/
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20170621/681dc6fc/attachment.html>


More information about the OpenStack-dev mailing list