[Openstack-docs] Appropriate keys under [keystone_authtoken] section

Matt Kassawara mkassawara at gmail.com
Mon Mar 3 01:19:21 UTC 2014


Jamie Lennox from Red Hat answered my post off-list, so I'm forwarding it to
the list for everyone.

----- Original Message -----

Summer and Matt,

So I understand there is an attempt to get these documented correctly by each
of the services, but I'm not sure what the status of getting it automated
is. There is a review here: https://review.openstack.org/#/c/73875/ to
at least document them from the keystoneclient service.

The full list is quite easy to see from the code:
https://github.com/jamielennox/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L199
and there is some documentation there for each.

The problem of auth_uri is one I have hit myself and I would like to rename
but you can't just change these for people that use it already.

The correct way to point people to the keystone server is a combination of
auth_protocol, auth_host, auth_port and auth_prefix (note that auth_prefix is
not '/v2.0' - that will get added later, auth_prefix is generally empty).
These are combined as:

(auth_protocol)://(auth_host):(auth_port)/(auth_prefix)

There is a historical technical reason why these are split which is
no longer relevant - and IMO should never have been exposed to people
configuring the middleware anyway.

auth_uri is _only_ used in the middleware when returning a 401 Unauthorized
message. It will contain the header: "WWW-Authenticate: Keystone
uri=(auth_uri)". If it is not set by the configuration it will default to:
(auth_protocol)://(auth_host):(auth_port) - so all but the (auth_prefix).
The point here is to indicate where you should get your token from and why
the error message is shown if something is not set. Why it doesn't have the
prefix has always bugged me and I think I'll bring that question up again.

Just to clarify: The reason you might want that is because traditionally
you would have set auth_token to use the 35357 port service for token
validation, auth_port=35357, however users of the service typically can't
talk to the admin port and when you want to get a token you typically want
to use the public port, 5000, so you would want to set auth_uri to
http://hostname:5000/ to tell people where they could fetch a token from.

Hopefully this will become less relevant as time goes on as the v3 API is
the same on both ports.

I don't think there ever was an auth_url, you should avoid that.

In general I would like to scrap the auth_protocol, host, port, prefix
combination for just a URL. If you have any idea of what that should be
called that somehow distinguishes itself from auth_uri and all the other
very similar sounding variables there I'd love to know.

Jamie
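
The rules described in the message above, applied to a [keystone_authtoken] section as an added example (not code from keystoneclient or from the original message): it derives the validation URL and the 401 header value, and flags the pitfalls the message names. The function name, host names and sample config are constructed for illustration.

```python
import configparser

# Constructed sample config; host name is a placeholder.
SAMPLE = """
[keystone_authtoken]
auth_protocol = http
auth_host = controller.example.com
auth_port = 35357
auth_prefix =
auth_url = http://controller.example.com:5000/v2.0
"""


def effective_settings(ini_text):
    """Return (identity_url, www_authenticate_value, warnings)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    sec = cp["keystone_authtoken"]
    warnings = []

    # (auth_protocol)://(auth_host):(auth_port)/(auth_prefix)
    base = "%s://%s:%s" % (sec["auth_protocol"], sec["auth_host"], sec["auth_port"])
    prefix = sec.get("auth_prefix", "").strip("/")
    if "v2.0" in prefix:
        warnings.append("auth_prefix should not carry '/v2.0'; it is added later")
    identity_url = base + "/" + prefix

    # auth_uri is only used for the 401 header; unset, it falls back to
    # protocol://host:port (everything but the prefix).
    auth_uri = sec.get("auth_uri")
    if not auth_uri:
        auth_uri = base
        warnings.append("auth_uri unset: 401 responses will advertise %s, "
                        "which may be the admin port users cannot reach" % base)
    if "auth_url" in sec:
        warnings.append("auth_url is not an auth_token option; use auth_uri")

    return identity_url, "Keystone uri=%s" % auth_uri, warnings


if __name__ == "__main__":
    url, header, notes = effective_settings(SAMPLE)
    print("token validation against:", url)
    print("WWW-Authenticate:", header)
    for note in notes:
        print("warning:", note)
```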