Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware
Thanks for your help folks! I proposed a patch for mistral and it seems it works now https://review.openstack.org/#/c/473796 I'm not a great expert on this issue, so it will be great if someone from keystone team could review the patch. Best, Mike On Wed, Jun 21, 2017 at 4:15 AM, Jamie Lennoxwrote: > > > On 16 June 2017 at 00:44, Mikhail Fedosin wrote: > >> Thanks György! >> >> On Thu, Jun 15, 2017 at 1:55 PM, Gyorgy Szombathelyi < >> gyorgy.szombathe...@doclerholding.com> wrote: >> >>> Hi Mikhail, >>> >>> (I'm not from the Keystone team, but did some patches for using >>> keystonauth1). >>> >>> > >>> > 2. Even if auth_url is set, it can't be used later, because it is not >>> registered in >>> > oslo_config [5] >>> >>> auth_url is actually a dynamic parameter and depends on the keystone >>> auth plugin used >>> (auth_type=xxx). The plugin which needs this parameter, registers it. >>> >> >> Based on this http://paste.openstack.org/show/612664/ I would say that >> the plugin doesn't register it :( >> It either can be a bug, or it was done intentionally, I don't know. >> >> >>> >>> > >>> > So I would like to get an advise from keystone team and understand >>> what I >>> > should do in such cases. Official documentation doesn't add clarity on >>> the >>> > matter because it recommends to use auth_uri in some cases and >>> auth_url in >>> > others. >>> > My suggestion is to add auth_url in the list of keystone authtoken >>> > middleware config options, so that the parameter can be used by the >>> others. >>> >>> Yepp, this makes some confusion, but adding auth_url will make a clash >>> with >>> most (all?) authentication plugins. auth_url can be considered as an >>> 'internal' >>> option for the keystoneauth1 modules, and not used by anything else (like >>> the keystonemiddleware itself). However if there would be a more elagant >>> solution, I would also hear about it. >>> >>> > >>> > Best, >>> > Mike >>> > >>> Br, >>> György >>> >>> __ >>> OpenStack Development Mailing List (not for usage questions) >>> Unsubscribe: openstack-dev-requ...@lists.op >>> enstack.org?subject:unsubscribe >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> >> My final thought that we have to use both (auth_url and auth_uri) options >> in mistral config, which looks ugly, but necessary. >> >> Best, >> Mike >> >> >> >> __ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscrib >> e >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> > Hi, > > I feel like the question has been answered in the thread, but as i'm > largely responsible for this I thought i'd pipe up here. > > It's annoying and unfortunate that auth_uri and auth_url look so similar. > They've actually existed for some time side by side and ended up like that > out of evolution rather that any thought. Interestingly the first result > for auth_uri in google is [1]. I'd be happy to rename it for something else > if we can agree on what. > > Regarding your paste (and the reason i popped up), i would consider this a > bug in mistral. The auth options aren't registered into oslo.config until > just before the plugin is loaded because depending on what you put in for > auth_type the options may be different. In practice pretty much every > plugin has an auth_url, but mistral shouldn't be assuming anything about > the structure of [keystone_authtoken]. That's the sole responsibility of > keystonemiddleware and it does change over time. > > Jamie > > > [1] https://adam.younglogic.com/2016/06/auth_uri-vs-auth_url/ > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware
On 16 June 2017 at 00:44, Mikhail Fedosinwrote: > Thanks György! > > On Thu, Jun 15, 2017 at 1:55 PM, Gyorgy Szombathelyi doclerholding.com> wrote: > >> Hi Mikhail, >> >> (I'm not from the Keystone team, but did some patches for using >> keystonauth1). >> >> > >> > 2. Even if auth_url is set, it can't be used later, because it is not >> registered in >> > oslo_config [5] >> >> auth_url is actually a dynamic parameter and depends on the keystone auth >> plugin used >> (auth_type=xxx). The plugin which needs this parameter, registers it. >> > > Based on this http://paste.openstack.org/show/612664/ I would say that > the plugin doesn't register it :( > It either can be a bug, or it was done intentionally, I don't know. > > >> >> > >> > So I would like to get an advise from keystone team and understand what >> I >> > should do in such cases. Official documentation doesn't add clarity on >> the >> > matter because it recommends to use auth_uri in some cases and auth_url >> in >> > others. >> > My suggestion is to add auth_url in the list of keystone authtoken >> > middleware config options, so that the parameter can be used by the >> others. >> >> Yepp, this makes some confusion, but adding auth_url will make a clash >> with >> most (all?) authentication plugins. auth_url can be considered as an >> 'internal' >> option for the keystoneauth1 modules, and not used by anything else (like >> the keystonemiddleware itself). However if there would be a more elagant >> solution, I would also hear about it. >> >> > >> > Best, >> > Mike >> > >> Br, >> György >> >> __ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscrib >> e >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > My final thought that we have to use both (auth_url and auth_uri) options > in mistral config, which looks ugly, but necessary. > > Best, > Mike > > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > Hi, I feel like the question has been answered in the thread, but as i'm largely responsible for this I thought i'd pipe up here. It's annoying and unfortunate that auth_uri and auth_url look so similar. They've actually existed for some time side by side and ended up like that out of evolution rather that any thought. Interestingly the first result for auth_uri in google is [1]. I'd be happy to rename it for something else if we can agree on what. Regarding your paste (and the reason i popped up), i would consider this a bug in mistral. The auth options aren't registered into oslo.config until just before the plugin is loaded because depending on what you put in for auth_type the options may be different. In practice pretty much every plugin has an auth_url, but mistral shouldn't be assuming anything about the structure of [keystone_authtoken]. That's the sole responsibility of keystonemiddleware and it does change over time. Jamie [1] https://adam.younglogic.com/2016/06/auth_uri-vs-auth_url/ __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware
On Thu, Jun 15, 2017 at 1:12 PM, Harry Rybackiwrote: > On Thu, Jun 15, 2017 at 1:57 PM, Brant Knudson wrote: > > > > > > On Thu, Jun 15, 2017 at 5:14 AM, Mikhail Fedosin > wrote: > >> > >> Recently I decided to remove deprecated parameters from > keystone_authtoken > >> mistral config and replace them with recommended function of devstack > [1]. > >> In doing so, I discovered a strange behavior of configuration > mechanism, and > >> specifically parameters auth_uri and auth_url. > >> > >> 1. The parameter auth_url is not included in the list of the middleware > >> parameters, there is auth_uri only [2]. Nevertheless, it must be > present, > >> because it's required by identity plugin [3]. Attempts to remove or > replace > >> it with the recommended auth_uri result with these stacktraces [4] > >> > >> 2. Even if auth_url is set, it can't be used later, because it is not > >> registered in oslo_config [5] > >> > >> So I would like to get an advise from keystone team and understand what > I > >> should do in such cases. Official documentation doesn't add clarity on > the > >> matter because it recommends to use auth_uri in some cases and auth_url > in > >> others. > > > > > > While to a human auth_uri and auth_url might look very similar they're > > treated completely differently by auth_token / keystoneauth. One doesn't > > replace the other in any way. So it shouldn't be surprising that > > documentation would say to use auth_uri for one thing and auth_url for > > something else. > > > In this case it's probably worth filing a docs bug against Keystone. > If one person is confused by this, others likely are or will be. > > - Harry > > I created a bug against keystonemiddleware: https://bugs.launchpad.net/keystonemiddleware/+bug/1698401 . HTH. - Brant > > - Brant > > > > > >> > >> My suggestion is to add auth_url in the list of keystone authtoken > >> middleware config options, so that the parameter can be used by the > others. > >> > >> Best, > >> Mike > >> > >> [1] https://review.openstack.org/#/c/473796/ > >> [2] > >> https://github.com/openstack/keystonemiddleware/blob/ > master/keystonemiddleware/auth_token/_opts.py#L31 > >> [3] > >> https://github.com/openstack/keystoneauth/blob/master/ > keystoneauth1/loading/identity.py#L37 > >> [4] http://paste.openstack.org/show/612662/ > >> [5] http://paste.openstack.org/show/612664/ > >> > >> > __ > >> OpenStack Development Mailing List (not for usage questions) > >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject: > unsubscribe > >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > >> > > > > > > > __ > > OpenStack Development Mailing List (not for usage questions) > > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject: > unsubscribe > > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > -- - Brant __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware
On Thu, Jun 15, 2017 at 1:57 PM, Brant Knudsonwrote: > > > On Thu, Jun 15, 2017 at 5:14 AM, Mikhail Fedosin wrote: >> >> Recently I decided to remove deprecated parameters from keystone_authtoken >> mistral config and replace them with recommended function of devstack [1]. >> In doing so, I discovered a strange behavior of configuration mechanism, and >> specifically parameters auth_uri and auth_url. >> >> 1. The parameter auth_url is not included in the list of the middleware >> parameters, there is auth_uri only [2]. Nevertheless, it must be present, >> because it's required by identity plugin [3]. Attempts to remove or replace >> it with the recommended auth_uri result with these stacktraces [4] >> >> 2. Even if auth_url is set, it can't be used later, because it is not >> registered in oslo_config [5] >> >> So I would like to get an advise from keystone team and understand what I >> should do in such cases. Official documentation doesn't add clarity on the >> matter because it recommends to use auth_uri in some cases and auth_url in >> others. > > > While to a human auth_uri and auth_url might look very similar they're > treated completely differently by auth_token / keystoneauth. One doesn't > replace the other in any way. So it shouldn't be surprising that > documentation would say to use auth_uri for one thing and auth_url for > something else. > In this case it's probably worth filing a docs bug against Keystone. If one person is confused by this, others likely are or will be. - Harry > - Brant > > >> >> My suggestion is to add auth_url in the list of keystone authtoken >> middleware config options, so that the parameter can be used by the others. >> >> Best, >> Mike >> >> [1] https://review.openstack.org/#/c/473796/ >> [2] >> https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_opts.py#L31 >> [3] >> https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/identity.py#L37 >> [4] http://paste.openstack.org/show/612662/ >> [5] http://paste.openstack.org/show/612664/ >> >> __ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> > > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware
On Thu, Jun 15, 2017 at 5:14 AM, Mikhail Fedosinwrote: > Recently I decided to remove deprecated parameters from keystone_authtoken > mistral config and replace them with recommended function of devstack [1]. > In doing so, I discovered a strange behavior of configuration mechanism, > and specifically parameters auth_uri and auth_url. > > 1. The parameter auth_url is not included in the list of the middleware > parameters, there is auth_uri only [2]. Nevertheless, it must be present, > because it's required by identity plugin [3]. Attempts to remove or replace > it with the recommended auth_uri result with these stacktraces [4] > > 2. Even if auth_url is set, it can't be used later, because it is not > registered in oslo_config [5] > > So I would like to get an advise from keystone team and understand what I > should do in such cases. Official documentation doesn't add clarity on the > matter because it recommends to use auth_uri in some cases and auth_url in > others. > While to a human auth_uri and auth_url might look very similar they're treated completely differently by auth_token / keystoneauth. One doesn't replace the other in any way. So it shouldn't be surprising that documentation would say to use auth_uri for one thing and auth_url for something else. - Brant > My suggestion is to add auth_url in the list of keystone authtoken > middleware config options, so that the parameter can be used by the others. > > Best, > Mike > > [1] https://review.openstack.org/#/c/473796/ > [2] https://github.com/openstack/keystonemiddleware/blob/ > master/keystonemiddleware/auth_token/_opts.py#L31 > [3] https://github.com/openstack/keystoneauth/blob/master/ > keystoneauth1/loading/identity.py#L37 > [4] http://paste.openstack.org/show/612662/ > [5] http://paste.openstack.org/show/612664/ > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware
> > > > > auth_url is actually a dynamic parameter and depends on the > keystone > > auth plugin used > > (auth_type=xxx). The plugin which needs this parameter, registers it. > > > > > > > > Based on this http://paste.openstack.org/show/612664/ I would say that > > the plugin doesn't register it :( It either can be a bug, or it was > > done intentionally, I don't know. > > > It should register it after you load it, via > keystonauth1.loading.load_auth_plugin_from_conf_options() > There are also register_auth_conf_options() and > get_auth_plugin_conf_options, which I think are mainly used for listing the > most used plugins' options in the debug log. But I don't think it would be > wise > just to choose a plugin and register its options for auth_url, because it is > ugly, > I think, and can lead to other problems. Another note: if you write this code, I think you should not use auth_url directly creating the keystone client (did not look at the code in question, just thinking loud looking at the stacktrace). Use keystoneauth1's loading.load_auth_plugin_from_conf_options() and loading.load_session_from_conf_options(). You don't have to register anything if you're using the [keystone_authtoken] section. Lots of components introduce another config sections for credentials, like [nova], [neutron], in this case one has to use register_auth_conf_options() and register_session_conf_options(). __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware
> > auth_url is actually a dynamic parameter and depends on the > keystone auth plugin used > (auth_type=xxx). The plugin which needs this parameter, registers it. > > > > Based on this http://paste.openstack.org/show/612664/ I would say that the > plugin doesn't register it :( It either can be a bug, or it was done > intentionally, > I don't know. > It should register it after you load it, via keystonauth1.loading.load_auth_plugin_from_conf_options() There are also register_auth_conf_options() and get_auth_plugin_conf_options, which I think are mainly used for listing the most used plugins' options in the debug log. But I don't think it would be wise just to choose a plugin and register its options for auth_url, because it is ugly, I think, and can lead to other problems. > > My final thought that we have to use both (auth_url and auth_uri) options in > mistral config, which looks ugly, but necessary. It's not just Mistral, but every component which uses keystonemiddleware. > > Best, > Mike Br, György __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware
Thanks György! On Thu, Jun 15, 2017 at 1:55 PM, Gyorgy Szombathelyi < gyorgy.szombathe...@doclerholding.com> wrote: > Hi Mikhail, > > (I'm not from the Keystone team, but did some patches for using > keystonauth1). > > > > > 2. Even if auth_url is set, it can't be used later, because it is not > registered in > > oslo_config [5] > > auth_url is actually a dynamic parameter and depends on the keystone auth > plugin used > (auth_type=xxx). The plugin which needs this parameter, registers it. > Based on this http://paste.openstack.org/show/612664/ I would say that the plugin doesn't register it :( It either can be a bug, or it was done intentionally, I don't know. > > > > > So I would like to get an advise from keystone team and understand what I > > should do in such cases. Official documentation doesn't add clarity on > the > > matter because it recommends to use auth_uri in some cases and auth_url > in > > others. > > My suggestion is to add auth_url in the list of keystone authtoken > > middleware config options, so that the parameter can be used by the > others. > > Yepp, this makes some confusion, but adding auth_url will make a clash with > most (all?) authentication plugins. auth_url can be considered as an > 'internal' > option for the keystoneauth1 modules, and not used by anything else (like > the keystonemiddleware itself). However if there would be a more elagant > solution, I would also hear about it. > > > > > Best, > > Mike > > > Br, > György > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev My final thought that we have to use both (auth_url and auth_uri) options in mistral config, which looks ugly, but necessary. Best, Mike __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware
Hi Mikhail, (I'm not from the Keystone team, but did some patches for using keystonauth1). > > 2. Even if auth_url is set, it can't be used later, because it is not > registered in > oslo_config [5] auth_url is actually a dynamic parameter and depends on the keystone auth plugin used (auth_type=xxx). The plugin which needs this parameter, registers it. > > So I would like to get an advise from keystone team and understand what I > should do in such cases. Official documentation doesn't add clarity on the > matter because it recommends to use auth_uri in some cases and auth_url in > others. > My suggestion is to add auth_url in the list of keystone authtoken > middleware config options, so that the parameter can be used by the others. Yepp, this makes some confusion, but adding auth_url will make a clash with most (all?) authentication plugins. auth_url can be considered as an 'internal' option for the keystoneauth1 modules, and not used by anything else (like the keystonemiddleware itself). However if there would be a more elagant solution, I would also hear about it. > > Best, > Mike > Br, György __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware
Recently I decided to remove deprecated parameters from keystone_authtoken mistral config and replace them with recommended function of devstack [1]. In doing so, I discovered a strange behavior of configuration mechanism, and specifically parameters auth_uri and auth_url. 1. The parameter auth_url is not included in the list of the middleware parameters, there is auth_uri only [2]. Nevertheless, it must be present, because it's required by identity plugin [3]. Attempts to remove or replace it with the recommended auth_uri result with these stacktraces [4] 2. Even if auth_url is set, it can't be used later, because it is not registered in oslo_config [5] So I would like to get an advise from keystone team and understand what I should do in such cases. Official documentation doesn't add clarity on the matter because it recommends to use auth_uri in some cases and auth_url in others. My suggestion is to add auth_url in the list of keystone authtoken middleware config options, so that the parameter can be used by the others. Best, Mike [1] https://review.openstack.org/#/c/473796/ [2] https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_opts.py#L31 [3] https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/identity.py#L37 [4] http://paste.openstack.org/show/612662/ [5] http://paste.openstack.org/show/612664/ __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev