[Openstack-operators] External API access

Matt Fischer matt at mattfischer.com
Wed Oct 21 01:29:53 UTC 2015


It's simple. Just delete the existing one, keystone endpoint-delete <ID>
and then re-create it. However, you should follow James's advice and make
sure you understand the security implications first.

On Tue, Oct 20, 2015 at 7:21 PM, Sesso <sesso at djsesso.com> wrote:

> How difficult is it to change the admin endpoint to a public URL?
>
> > On Oct 20, 2015, at 5:28 PM, Matt Fischer <matt at mattfischer.com> wrote:
> >
> > One simple workaround for this is to ssh directly to your Keystone node
> > and run the admin commands from there. Once you bootstrap your project with
> > the proper tenants and users, it's not an operation that most people do all
> > that often. We expose an admin endpoint on an internal load balancer URL
> > but not publicly. You could always consider that, so that VPN access is
> > required to make admin calls.
> >
> > On Oct 20, 2015 5:25 PM, "James Denton" <james.denton at rackspace.com> wrote:
> > Hi Jason,
> >
> > Certain commands can only be executed via admin url, which in your case
> > may not be routable from external networks. You would need to consider
> > changing the admin endpoint to an ip/FQDN that can be accessed externally
> > (like public url) or limit the ability to execute those particular commands
> > to internal clients only that can hit the existing admin url. This is an
> > architectural decision you'll have to make that may impact security.
> >
> > James
> >
> > > On Oct 20, 2015, at 6:04 PM, Sesso <sesso at djsesso.com> wrote:
> > >
> > > I have this below.
> > >
> > > publicurl                           | internalurl                  | adminurl
> > > https://public.domain.com:5000/v2.0 | http://192.168.0.2:5000/v2.0 | http://192.168.0.2:35357/v2.0
> > >
> > >
> > > The module is trying to access http://192.168.0.2:35357/v2.0 it
> > > seems but it will say connection time out.
> > >
> > > I can access the public URL
> > >
> > > But on create tenant, it replies with connection time out at the
> > > admin url.
> > >
> > >
> > > Jason
> > >
> > >> On Oct 20, 2015, at 2:58 PM, Abel Lopez <alopgeek at gmail.com> wrote:
> > >>
> > >> You should have your public endpoints be externally reachable.
> > >>
> > >>> On Oct 20, 2015, at 2:38 PM, Sesso <sesso at djsesso.com> wrote:
> > >>>
> > >>> Hello,
> > >>>
> > >>> I am trying to use a module to automate VM deployments. I can't
> > >>> connect to keystone externally so it will make new tenants. What is the
> > >>> best route to allow access?
> > >>> I am using kilo.
> > >>>
> > >>> _______________________________________________
> > >>> OpenStack-operators mailing list
> > >>> OpenStack-operators at lists.openstack.org
> > >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
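
The catalog row quoted in this thread, run through a small audit, as an added example that is not part of the original messages. It classifies each endpoint URL's host and flags an admin URL that sits on a private address (the cause of the timeout described) or that is no longer internal-only. The function names and finding labels are hypothetical, and hostnames are not resolved.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the catalog row quoted in the thread (Keystone v2.0, Kilo).
CATALOG_ROW = {
    "publicurl": "https://public.domain.com:5000/v2.0",
    "internalurl": "http://192.168.0.2:5000/v2.0",
    "adminurl": "http://192.168.0.2:35357/v2.0",
}

def host_scope(url):
    """Return 'private' for private/loopback/link-local IP literals, 'public'
    for other IP literals, and 'name' for hostnames (not resolved here)."""
    host = urlsplit(url).hostname
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "public"

def audit_endpoint(row):
    """Return a list of (field, finding) tuples for one endpoint row."""
    findings = []
    for field in ("publicurl", "internalurl", "adminurl"):
        url = row[field]
        scope = host_scope(url)
        if urlsplit(url).scheme != "https":
            # Tokens and credentials cross this URL without TLS.
            findings.append((field, "plaintext-http"))
        if field == "publicurl" and scope == "private":
            findings.append((field, "public-url-not-routable"))
        if field == "adminurl":
            if scope == "private":
                # Admin-only calls (tenant create) time out for external clients.
                findings.append((field, "admin-internal-only"))
            else:
                # Admin API addressed by a public IP or a hostname:
                # confirm the exposure is an intended design decision.
                findings.append((field, "admin-exposure-review"))
    return findings

if __name__ == "__main__":
    for field, finding in audit_endpoint(CATALOG_ROW):
        print(f"{field}: {finding}")
```
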

