[Openstack-operators] [Pike][Keystone] Multiple Keystone Endpoints?

Lance Bragstad lbragstad at gmail.com
Thu Oct 26 14:06:42 UTC 2017



On 10/26/2017 08:10 AM, Andy Wojnarek wrote:
>
> Hi,
>
>  
>
> Is it possible to have both v2.0 and v3 endpoints for Keystone? I’m
> trying to integrate a backup software into Swift, and it requires
> Keystone 2.0. I added the new endpoints fine, but I’m getting
> authentication/authorization errors:
>
>  
>
> *_My Endpoints_*
>
> gvicopnstk01:~ # openstack endpoint list | grep -i identity
>
> | 08b3ba7072ed44df9e7c90e99f8e71d9 | regionOne | keystone | identity | True | internal | http://gvicopnstk01:35357/v2.0 |
> | 55d52d6b6cb34d33979cd3c083416d44 | RegionOne | keystone | identity | True | internal | http://gvicopnstk01:5000/v3/ |
> | 6b5958647c1744a78657f2c8089ee97d | RegionOne | keystone | identity | True | admin | http://gvicopnstk01:35357/v3/ |
> | 70c939d2248f4845b1d0c9e8b7c7cf09 | regionOne | keystone | identity | True | admin | http://gvicopnstk01:35357/v2.0 |
> | 7e4d1c794ed1432ca28ea60b947fdc7a | RegionOne | keystone | identity | True | public | http://gvicopnstk01:5000/v3/ |
> | f46214dc916947d7a557a2e1b9dc65ca | regionOne | keystone | identity | True | public | http://gvicopnstk01:5000/v2.0 |
>
>  
>
>  
>
> *_Using v2.0 AUTH_URL_*
>
> gvicopnstk01:~ # export OS_AUTH_URL=http://gvicopnstk01:35357/v2.0
>
> gvicopnstk01:~ # swift stat
>
> Authorization Failure. Authorization failed:
> (http://gvicopnstk01:35357/v2.0/auth/tokens): The resource could not
> be found. (HTTP 404) (Request-ID:
> req-ff14bc2d-dbbd-41ed-b81e-73c9397ea1d0)
>
> gvicopnstk01:~ # openstack endpoint list
>
> Cannot use v2 authentication with domain scope
>
>  
>

This is resulting in a 404 Not Found because the authentication endpoint
changed from v2.0 to v3. For v2.0 it is /v2.0/tokens/ and for v3 it's
/v3/auth/tokens. Also, v2.0 doesn't have the concept of domains.
Multiple domains only really exist in the v3 API. As a result, the v2.0
API is unable to understand or issue domain-scoped tokens. It can also
only authenticate users who are in the default domain as defined in
keystone's configuration file [0].

What happens if you set ST_AUTH_VERSION=3 [1]?

[0]
https://docs.openstack.org/keystone/latest/configuration/config-options.html#identity.default_domain_id
[1]
https://github.com/openstack/python-swiftclient/blob/0982791db2ccb851f277ffa653065e4021e52b3f/doc/source/cli/index.rst#authentication

> *_keystone-wsgi-public.log when application tries to hit 2.0 endpoint_*
>
> 2017-10-26 08:43:59.255 21561 WARNING oslo_log.versionutils
> [req-8eb530eb-b2da-466d-9e34-7508f70b7c73 - - - - -] Deprecated:
> authenticate of the v2 Authentication APIs is deprecated as of Mitaka
> in favor of a similar function in the v3 Authentication APIs and may
> be removed in T.
>
> 2017-10-26 08:43:59.714 21561 WARNING keystone.common.wsgi
> [req-8eb530eb-b2da-466d-9e34-7508f70b7c73 - - - - -] Authorization
> failed. The request you have made requires authentication. from
> 192.168.241.121: Unauthorized: The request you have made requires
> authentication.
>
> 2017-10-26 08:44:04.728 21558 INFO keystone.common.wsgi
> [req-2f98c106-9e97-4a7a-94e9-515f8b388001 - - - - -] POST
> http://192.168.241.114:5000/v2.0/tokens
>
> 2017-10-26 08:44:04.729 21558 WARNING oslo_log.versionutils
> [req-2f98c106-9e97-4a7a-94e9-515f8b388001 - - - - -] Deprecated:
> authenticate of the v2 Authentication APIs is deprecated as of Mitaka
> in favor of a similar function in the v3 Authentication APIs and may
> be removed in T.
>
> 2017-10-26 08:44:05.185 21558 WARNING keystone.common.wsgi
> [req-2f98c106-9e97-4a7a-94e9-515f8b388001 - - - - -] Authorization
> failed. The request you have made requires authentication. from
> 192.168.241.121: Unauthorized: The request you have made requires
> authentication.
>
> 2017-10-26 08:52:34.534 21557 INFO keystone.common.wsgi
> [req-fa71683e-d4a3-4656-8eea-421caa10f841 - - - - -] POST
> http://192.168.241.114:5000/v2.0/tokens
>
>  
>
> When the application tried with v3 it just bombed out, after I added
> the v2.0 endpoints it connects but says invalid username/password and
> it fails.
>
>  
>
> Do I need to now instruct Swift to use the v2.0 endpoint inside
> swift.conf?
>
>  
>
> Thanks,
>
> Andrew Wojnarek |  Sr. Systems Engineer    | ATS Group, LLC
>
> mobile 717.856.6901 | andy.wojnarek at TheATSGroup.com
> <mailto:andy.wojnarek at TheATSGroup.com>
>
> *Galileo Performance Explorer Blog*
> <http://galileosuite.com/blog/>* Offers Deep Insights for
> Server/Storage Systems*
>
>
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
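
An added example, not part of the original thread and not keystone or swiftclient code: it builds the token request a client would POST for each API version, using the two token paths named in the reply, and flags a client/URL version mismatch like the 404 above. The function names and the "Default" domain name are assumptions; nothing is sent over the network.

```python
from urllib.parse import urlparse

# Token paths stated in the reply above, keyed by API version.
TOKEN_PATH = {"v2.0": "/tokens", "v3": "/auth/tokens"}

def url_version(auth_url):
    """Return 'v2.0' or 'v3' from the last path segment of an auth URL."""
    segment = urlparse(auth_url).path.rstrip("/").rsplit("/", 1)[-1]
    if segment not in TOKEN_PATH:
        raise ValueError("auth URL carries no known version: " + auth_url)
    return segment

def token_request(auth_url, client_version, user, password, project,
                  user_domain=None, project_domain=None):
    """Build (url, body) that a client speaking client_version would POST.

    Nothing is sent. Domain names are optional; v2.0 cannot carry them.
    """
    url = auth_url.rstrip("/") + TOKEN_PATH[client_version]
    if client_version == "v2.0":
        if user_domain or project_domain:
            raise ValueError("v2.0 has no concept of domains")
        creds = {"username": user, "password": password}
        return url, {"auth": {"tenantName": project,
                              "passwordCredentials": creds}}
    # Assumption: "Default" is the name of keystone's default domain.
    account = {"name": user, "password": password,
               "domain": {"name": user_domain or "Default"}}
    scope = {"project": {"name": project,
                         "domain": {"name": project_domain or "Default"}}}
    identity = {"methods": ["password"], "password": {"user": account}}
    return url, {"auth": {"identity": identity, "scope": scope}}

def diagnose(auth_url, client_version, domain_settings=()):
    """List version mismatches between a client's settings and its auth URL."""
    problems = []
    served = url_version(auth_url)
    if served != client_version:
        wrong = auth_url.rstrip("/") + TOKEN_PATH[client_version]
        problems.append("%s client would POST %s, which %s does not serve"
                        % (client_version, wrong, served))
    if served == "v2.0" and domain_settings:
        problems.append("domain settings %s cannot be used with v2.0"
                        % ", ".join(domain_settings))
    return problems
```

Calling `diagnose("http://gvicopnstk01:35357/v2.0", "v3")` reproduces the `/v2.0/auth/tokens` path that returned 404 in the thread.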
