There are a few factors at play here: 1) Your auth_url is unversioned (meaning it doesn't have the dangly bit of /v2.0 or /v3) 2) os-api-version isn't a thing, so it's not even being used (you probably want os-identity-api-version), as a result, osc will use v2.0 keystone APIs
osc noticed you had used a user domain name and project domain name, so it was smart enough to perform a v3 auth request (this is shown with the POST to /v3/auth/tokens) once you have the token, osc will call the v2.0 APIs for the command (project list), which is only supported on the 'admin' port, by default it's 35357. more info on that here: http://developer.openstack.org/api-ref-identity-admin-v2.html Basically, I think you really want to set os-identity-api-version instead of os-api-version. Thanks, Steve Martinelli OpenStack Keystone Core From: Timothy Symanczyk <[email protected]> To: openstack <[email protected]> Date: 2015/09/16 05:41 PM Subject: [Openstack] [OpenStack][Keystone][OpenStackClient] Switching to admin endpoint mid request, how / why? Hi All, While intending to direct requests from the openstack client to the public endpoint of my keystone instance, it seems as though after initial authentication the client gives subsequent requests to the admin endpoint. Is there a setting somewhere that I’ve missed either client or server side where the entire request could be done through the public endpoint? My install/config is the all-in-one devstack using master. Absolutely no local changes. Marked-up copy paste : timothy_symanczyk@community:~$ source ./becomeDemo.sh OS_USER_DOMAIN_NAME=Default OS_PROJECT_NAME=demo OS_PASSWORD=stack OS_API_VERSION=3 OS_AUTH_URL=http://192.168.207.21:5000/ OS_USERNAME=demo OS_PROJECT_DOMAIN_NAME=Default Auth URL explicitly specified as the public :5000 endpoint. timothy_symanczyk@community:~$ openstack --debug project show demo DEBUG: openstackclient.shell options: Namespace(auth_type='', auth_url='http://192.168.207.21:5000/', cacert='', cloud='', debug=True, default_domain='default', deferred_help=False, domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, log_file=None, os_compute_api_version='2', os_identity_api_version='2', os_image_api_version='1', os_network_api_version='2', os_object_api_version='1', os_project_id=None, os_project_name=None, os_volume_api_version='1', password='stack', project_domain_id='', project_domain_name='Default', project_id='', project_name='demo', region_name='', service_provider_endpoint='', timing=False, token='', trust_id='', url='', user_domain_id='', user_domain_name='Default', user_id='', username='demo', verbose_level=3, verify=None) DEBUG: openstackclient.shell defaults: {'auth_type': 'osc_password', 'compute_api_version': '2', 'database_api_version': '1.0', 'api_timeout': None, 'baremetal_api_version': '1', 'image_api_use_tasks': False, 'endpoint_type': 'public', 'floating_ip_source': 'neutron', 'key': None, 'cacert': None, 'network_api_version': '2', 'object_api_version': '1', 'image_api_version': '1', 'verify': True, 'identity_api_version': '2', 'volume_api_version': '1', 'cert': None, 'secgroup_source': 'neutron', 'disable_vendor_agent': {}} DEBUG: openstackclient.shell cloud cfg: {'auth_type': 'osc_password', 'compute_api_version': '2', 'database_api_version': '1.0', 'timing': False, 'network_api_version': '2', 'object_api_version': '1', 'image_api_version': '1', 'verify': True, 'verbose_level': 3, 'region_name': '', 'api_timeout': None, 'baremetal_api_version': '1', 'auth': {'username': 'demo', 'project_name': 'demo', 'tenant_name': 'demo', 'user_domain_name': 'Default', 'auth_url': 'http://192.168.207.21:5000/', 'password': 'stack', 'project_domain_name': 'Default'}, 'default_domain': 'default', 'image_api_use_tasks': False, 'endpoint_type': 'public', 'floating_ip_source': 'neutron', 'key': None, 'cacert': None, 'deferred_help': False, 'identity_api_version': '2', 'volume_api_version': '1', 'cert': None, 'secgroup_source': 'neutron', 'debug': True, 'disable_vendor_agent': {}} DEBUG: openstackclient.shell compute API version 2, cmd group openstack.compute.v2 DEBUG: openstackclient.shell network API version 2, cmd group openstack.network.v2 DEBUG: openstackclient.shell image API version 1, cmd group openstack.image.v1 DEBUG: openstackclient.shell volume API version 1, cmd group openstack.volume.v1 DEBUG: openstackclient.shell identity API version 2, cmd group openstack.identity.v2 DEBUG: openstackclient.shell object_store API version 1, cmd group openstack.object_store.v1 INFO: openstackclient.shell command: project show -> openstackclient.identity.v2_0.project.ShowProject DEBUG: openstackclient.api.auth Auth plugin osc_password selected DEBUG: openstackclient.api.auth auth_type: osc_password INFO: openstackclient.common.clientmanager Using auth plugin: osc_password DEBUG: openstackclient.common.clientmanager Using parameters {'username': 'demo', 'project_name': 'demo', 'auth_url': 'http://192.168.207.21:5000/', 'tenant_name': 'demo', 'user_domain_name': 'Default', 'password': 'stack', 'project_domain_name': 'Default'} DEBUG: openstackclient.common.clientmanager Get auth_ref DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://192.168.207.21:5000/ -H "Accept: application/json" -H "User-Agent: python-openstackclient" INFO: requests.packages.urllib3.connectionpool Starting new HTTP connection (1): 192.168.207.21 DEBUG: requests.packages.urllib3.connectionpool "GET / HTTP/1.1" 300 597 DEBUG: keystoneclient.session RESP: [300] content-length: 597 vary: X-Auth-Token keep-alive: timeout=5, max=100 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://192.168.207.21:5000/v3/";, "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://192.168.207.21:5000/v2.0/";, "rel": "self"}, {"href": "http://docs.openstack.org/";, "type": "text/html", "rel": "describedby"}]}]}} DEBUG: keystoneclient.auth.identity.v3.base Making authentication request to http://192.168.207.21:5000/v3/auth/tokens DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens HTTP/1.1" 201 4915 DEBUG: openstackclient.identity.v2_0.project.ShowProject take_action (Namespace(columns=[], formatter='table', max_width=0, prefix='', project='demo', variables=[])) DEBUG: openstackclient.identity.client Instantiating identity client: <class 'openstackclient.identity.client.IdentityClientv2'> DEBUG: keystoneclient.auth.identity.v3.base Making authentication request to http://192.168.207.21:5000/v3/auth/tokens DEBUG: requests.packages.urllib3.connectionpool "POST /v3/auth/tokens HTTP/1.1" 201 4915 Everything above here appears to use the public :5000 endpoint, and then everything after here appears to use the admin :35357 endpoint. DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://192.168.207.21:35357/ -H "Accept: application/json" -H "User-Agent: python-openstackclient" INFO: requests.packages.urllib3.connectionpool Starting new HTTP connection (1): 192.168.207.21 DEBUG: requests.packages.urllib3.connectionpool "GET / HTTP/1.1" 300 599 DEBUG: keystoneclient.session RESP: [300] content-length: 599 vary: X-Auth-Token keep-alive: timeout=5, max=100 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://192.168.207.21:35357/v3/";, "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://192.168.207.21:35357/v2.0/";, "rel": "self"}, {"href": "http://docs.openstack.org/";, "type": "text/html", "rel": "describedby"}]}]}} DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://192.168.207.21:35357/v2.0/tenants/demo -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}e68eb68e96e582cf8f9a7dbcb0438b1674cfc30a" DEBUG: requests.packages.urllib3.connectionpool "GET /v2.0/tenants/demo HTTP/1.1" 403 179 DEBUG: keystoneclient.session RESP: [403] content-length: 179 vary: X-Auth-Token keep-alive: timeout=5, max=99 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json x-openstack-request-id: req-900925a9-bbe6-4deb-a50c-6d496681503b RESP BODY: {"error": {"message": "You are not authorized to perform the requested action: admin_required (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}} DEBUG: keystoneclient.session Request returned failure status: 403 DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://192.168.207.21:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}e68eb68e96e582cf8f9a7dbcb0438b1674cfc30a" DEBUG: requests.packages.urllib3.connectionpool "GET /v2.0/tenants HTTP/1.1" 403 179 DEBUG: keystoneclient.session RESP: [403] content-length: 179 vary: X-Auth-Token keep-alive: timeout=5, max=98 server: Apache/2.4.7 (Ubuntu) connection: Keep-Alive date: Tue, 08 Sep 2015 08:10:05 GMT content-type: application/json x-openstack-request-id: req-336ef5dc-1f46-4cde-946a-ba91415b5d57 RESP BODY: {"error": {"message": "You are not authorized to perform the requested action: admin_required (Disable debug mode to suppress these details.)", "code": 403, "title": "Forbidden"}} DEBUG: keystoneclient.session Request returned failure status: 403 +---------+----------------------------------+ | Field | Value | +---------+----------------------------------+ | enabled | True | | id | 20f42190a63c443e9209d2bc576b14e4 | | name | demo | +---------+----------------------------------+ DEBUG: openstackclient.shell clean_up ShowProject: timothy_symanczyk@community:~$ Any help or insight greatly appreciated. Tim_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : [email protected] Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : [email protected] Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
