On 2015-08-25 09:37, Jamie Lennox wrote:


----- Original Message -----
From: "Hans Feldt" <hans.fe...@ericsson.com>
To: openstack-dev@lists.openstack.org
Sent: Thursday, August 20, 2015 10:40:28 PM
Subject: [openstack-dev] [Keystone][Glance] keystonemiddleware & multiple keystone endpoints

How do you configure/use keystonemiddleware for a specific identity endpoint among several?

In an OPNFV multi region prototype I have keystone endpoints per region. I would like keystonemiddleware (in context of glance-api) to use the local keystone for performing user token validation. Instead, keystonemiddleware seems to use the first listed keystone endpoint in the service catalog (which could be wrong/non-optimal in most regions).

I found this closed, related bug:
https://bugs.launchpad.net/python-keystoneclient/+bug/1147530

Hey,

There are two points to this.

* If you are using an auth plugin then you're right it will just pick the first 
endpoint. You can look at project specific endpoints[1] so that there is only 
one keystone endpoint returned for the services project. I've also just added a 
review for this feature[2].

I am not.

* If you're not using an auth plugin (so the admin_X options) then keystone 
will always use the endpoint that is configured in the options (identity_uri).

Yes for getting its own admin/service token. But for later user token validation it seems to pick the first identity service in the stored (?) service catalog.

By patching keystonemiddleware, _create_identity_server and the call to the Adapter constructor with an endpoint_override parameter I can get it to use the local keystone for token validation. I am looking for an official way of achieving the same.

Thanks,
Hans


Hope that helps,

Jamie


[1] https://github.com/openstack/keystone-specs/blob/master/specs/juno/endpoint-group-filter.rst
[2] https://review.openstack.org/#/c/216579

Thanks,
Hans

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
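
Added example, not part of the thread and not keystonemiddleware code: a simplified model of the endpoint selection discussed above, contrasting "first listed identity endpoint" with a selection that honours an explicit override or a region and refuses to guess when the catalog is ambiguous. The function names, the catalog contents and the URLs are constructed for illustration; only the endpoint_override name comes from the thread.

```python
# Simplified model only; all names and sample values here are hypothetical.
# Constructed Keystone v3-style catalog: one admin identity endpoint per region.
SAMPLE_CATALOG = [
    {"type": "image", "endpoints": [
        {"region": "RegionOne", "interface": "admin",
         "url": "http://glance.r1.example:9292"}]},
    {"type": "identity", "endpoints": [
        {"region": "RegionOne", "interface": "admin",
         "url": "http://keystone.r1.example:35357"},
        {"region": "RegionOne", "interface": "public",
         "url": "http://keystone.r1.example:5000"},
        {"region": "RegionTwo", "interface": "admin",
         "url": "http://keystone.r2.example:35357"}]},
]


def identity_endpoints(catalog, interface="admin"):
    """Return every identity endpoint in the catalog for one interface."""
    return [ep for svc in catalog if svc["type"] == "identity"
            for ep in svc["endpoints"] if ep["interface"] == interface]


def first_listed(catalog, interface="admin"):
    """Behaviour reported in the thread: catalog order decides the endpoint."""
    eps = identity_endpoints(catalog, interface)
    if not eps:
        raise LookupError("no identity endpoint in catalog")
    return eps[0]["url"]


def select_validation_endpoint(catalog, region=None, interface="admin",
                               endpoint_override=None):
    """Pick the keystone used for token validation without guessing.

    An explicit override wins; otherwise the region filter must leave
    exactly one candidate, so a multi-region catalog without a configured
    region is an error rather than a silent first-match.
    """
    if endpoint_override:
        return endpoint_override
    eps = identity_endpoints(catalog, interface)
    if region is not None:
        eps = [ep for ep in eps if ep["region"] == region]
    if len(eps) != 1:
        raise LookupError("expected exactly one identity endpoint, found %d"
                          % len(eps))
    return eps[0]["url"]
```

With this catalog, a service in RegionTwo that relies on catalog order validates user tokens against RegionOne's keystone, while the region-aware selection returns the local endpoint or fails loudly.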

