Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

[Mikhail Fedosin]

Thanks for your help folks!

I proposed a patch for mistral and it seems it works now
https://review.openstack.org/#/c/473796
I'm not a great expert on this issue, so it will be great if someone from
keystone team could review the patch.

Best,
Mike

On Wed, Jun 21, 2017 at 4:15 AM, Jamie Lennox  wrote:

>
>
> On 16 June 2017 at 00:44, Mikhail Fedosin  wrote:
>
>> Thanks György!
>>
>> On Thu, Jun 15, 2017 at 1:55 PM, Gyorgy Szombathelyi <
>> gyorgy.szombathe...@doclerholding.com> wrote:
>>
>>> Hi Mikhail,
>>>
>>> (I'm not from the Keystone team, but did some patches for using
>>> keystonauth1).
>>>
>>> >
>>> > 2. Even if auth_url is set, it can't be used later, because it is not
>>> registered in
>>> > oslo_config [5]
>>>
>>> auth_url is actually a dynamic parameter and depends on the keystone
>>> auth plugin used
>>> (auth_type=xxx). The plugin which needs this parameter, registers it.
>>>
>>
>> Based on this http://paste.openstack.org/show/612664/ I would say that
>> the plugin doesn't register it :(
>> It either can be a bug, or it was done intentionally, I don't know.
>>
>>
>>>
>>> >
>>> > So I would like to get an advise from keystone team and understand
>>> what I
>>> > should do in such cases. Official documentation doesn't add clarity on
>>> the
>>> > matter because it recommends to use auth_uri in some cases and
>>> auth_url in
>>> > others.
>>> > My suggestion is to add auth_url in the list of keystone authtoken
>>> > middleware config options, so that the parameter can be used by the
>>> others.
>>>
>>> Yepp, this makes some confusion, but adding auth_url will make a clash
>>> with
>>> most (all?) authentication plugins. auth_url can be considered as an
>>> 'internal'
>>> option for the keystoneauth1 modules, and not used by anything else (like
>>> the keystonemiddleware itself). However if there would be a more elagant
>>> solution, I would also hear about it.
>>>
>>> >
>>> > Best,
>>> > Mike
>>> >
>>> Br,
>>> György
>>> 
>>> __
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: openstack-dev-requ...@lists.op
>>> enstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>> My final thought that we have to use both (auth_url and auth_uri) options
>> in mistral config, which looks ugly, but necessary.
>>
>> Best,
>> Mike
>>
>>
>> 
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscrib
>> e
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
> Hi,
>
> I feel like the question has been answered in the thread, but as i'm
> largely responsible for this I thought i'd pipe up here.
>
> It's annoying and unfortunate that auth_uri and auth_url look so similar.
> They've actually existed for some time side by side and ended up like that
> out of evolution rather that any thought. Interestingly the first result
> for auth_uri in google is [1]. I'd be happy to rename it for something else
> if we can agree on what.
>
> Regarding your paste (and the reason i popped up), i would consider this a
> bug in mistral. The auth options aren't registered into oslo.config until
> just before the plugin is loaded because depending on what you put in for
> auth_type the options may be different. In practice pretty much every
> plugin has an auth_url, but mistral shouldn't be assuming anything about
> the structure of [keystone_authtoken]. That's the sole responsibility of
> keystonemiddleware and it does change over time.
>
> Jamie
>
>
> [1] https://adam.younglogic.com/2016/06/auth_uri-vs-auth_url/
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

[Jamie Lennox]

On 16 June 2017 at 00:44, Mikhail Fedosin  wrote:

> Thanks György!
>
> On Thu, Jun 15, 2017 at 1:55 PM, Gyorgy Szombathelyi  doclerholding.com> wrote:
>
>> Hi Mikhail,
>>
>> (I'm not from the Keystone team, but did some patches for using
>> keystonauth1).
>>
>> >
>> > 2. Even if auth_url is set, it can't be used later, because it is not
>> registered in
>> > oslo_config [5]
>>
>> auth_url is actually a dynamic parameter and depends on the keystone auth
>> plugin used
>> (auth_type=xxx). The plugin which needs this parameter, registers it.
>>
>
> Based on this http://paste.openstack.org/show/612664/ I would say that
> the plugin doesn't register it :(
> It either can be a bug, or it was done intentionally, I don't know.
>
>
>>
>> >
>> > So I would like to get an advise from keystone team and understand what
>> I
>> > should do in such cases. Official documentation doesn't add clarity on
>> the
>> > matter because it recommends to use auth_uri in some cases and auth_url
>> in
>> > others.
>> > My suggestion is to add auth_url in the list of keystone authtoken
>> > middleware config options, so that the parameter can be used by the
>> others.
>>
>> Yepp, this makes some confusion, but adding auth_url will make a clash
>> with
>> most (all?) authentication plugins. auth_url can be considered as an
>> 'internal'
>> option for the keystoneauth1 modules, and not used by anything else (like
>> the keystonemiddleware itself). However if there would be a more elagant
>> solution, I would also hear about it.
>>
>> >
>> > Best,
>> > Mike
>> >
>> Br,
>> György
>> 
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscrib
>> e
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
> My final thought that we have to use both (auth_url and auth_uri) options
> in mistral config, which looks ugly, but necessary.
>
> Best,
> Mike
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
Hi,

I feel like the question has been answered in the thread, but as i'm
largely responsible for this I thought i'd pipe up here.

It's annoying and unfortunate that auth_uri and auth_url look so similar.
They've actually existed for some time side by side and ended up like that
out of evolution rather that any thought. Interestingly the first result
for auth_uri in google is [1]. I'd be happy to rename it for something else
if we can agree on what.

Regarding your paste (and the reason i popped up), i would consider this a
bug in mistral. The auth options aren't registered into oslo.config until
just before the plugin is loaded because depending on what you put in for
auth_type the options may be different. In practice pretty much every
plugin has an auth_url, but mistral shouldn't be assuming anything about
the structure of [keystone_authtoken]. That's the sole responsibility of
keystonemiddleware and it does change over time.

Jamie


[1] https://adam.younglogic.com/2016/06/auth_uri-vs-auth_url/
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

[Brant Knudson]

On Thu, Jun 15, 2017 at 1:12 PM, Harry Rybacki  wrote:

> On Thu, Jun 15, 2017 at 1:57 PM, Brant Knudson  wrote:
> >
> >
> > On Thu, Jun 15, 2017 at 5:14 AM, Mikhail Fedosin 
> wrote:
> >>
> >> Recently I decided to remove deprecated parameters from
> keystone_authtoken
> >> mistral config and replace them with recommended function of devstack
> [1].
> >> In doing so, I discovered a strange behavior of configuration
> mechanism, and
> >> specifically parameters auth_uri and auth_url.
> >>
> >> 1. The parameter auth_url is not included in the list of the middleware
> >> parameters, there is auth_uri only [2]. Nevertheless, it must be
> present,
> >> because it's required by identity plugin [3]. Attempts to remove or
> replace
> >> it with the recommended auth_uri result with these stacktraces [4]
> >>
> >> 2. Even if auth_url is set, it can't be used later, because it is not
> >> registered in oslo_config [5]
> >>
> >> So I would like to get an advise from keystone team and understand what
> I
> >> should do in such cases. Official documentation doesn't add clarity on
> the
> >> matter because it recommends to use auth_uri in some cases and auth_url
> in
> >> others.
> >
> >
> > While to a human auth_uri and auth_url might look very similar they're
> > treated completely differently by auth_token / keystoneauth. One doesn't
> > replace the other in any way. So it shouldn't be surprising that
> > documentation would say to use auth_uri for one thing and auth_url for
> > something else.
> >
> In this case it's probably worth filing a docs bug against Keystone.
> If one person is confused by this, others likely are or will be.
>
> - Harry
>
>
I created a bug against keystonemiddleware:
https://bugs.launchpad.net/keystonemiddleware/+bug/1698401 . HTH.

- Brant


> >  - Brant
> >
> >
> >>
> >> My suggestion is to add auth_url in the list of keystone authtoken
> >> middleware config options, so that the parameter can be used by the
> others.
> >>
> >> Best,
> >> Mike
> >>
> >> [1] https://review.openstack.org/#/c/473796/
> >> [2]
> >> https://github.com/openstack/keystonemiddleware/blob/
> master/keystonemiddleware/auth_token/_opts.py#L31
> >> [3]
> >> https://github.com/openstack/keystoneauth/blob/master/
> keystoneauth1/loading/identity.py#L37
> >> [4] http://paste.openstack.org/show/612662/
> >> [5] http://paste.openstack.org/show/612664/
> >>
> >> 
> __
> >> OpenStack Development Mailing List (not for usage questions)
> >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:
> unsubscribe
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>
> >
> >
> > 
> __
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:
> unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



-- 
- Brant
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

[Harry Rybacki]

On Thu, Jun 15, 2017 at 1:57 PM, Brant Knudson  wrote:
>
>
> On Thu, Jun 15, 2017 at 5:14 AM, Mikhail Fedosin  wrote:
>>
>> Recently I decided to remove deprecated parameters from keystone_authtoken
>> mistral config and replace them with recommended function of devstack [1].
>> In doing so, I discovered a strange behavior of configuration mechanism, and
>> specifically parameters auth_uri and auth_url.
>>
>> 1. The parameter auth_url is not included in the list of the middleware
>> parameters, there is auth_uri only [2]. Nevertheless, it must be present,
>> because it's required by identity plugin [3]. Attempts to remove or replace
>> it with the recommended auth_uri result with these stacktraces [4]
>>
>> 2. Even if auth_url is set, it can't be used later, because it is not
>> registered in oslo_config [5]
>>
>> So I would like to get an advise from keystone team and understand what I
>> should do in such cases. Official documentation doesn't add clarity on the
>> matter because it recommends to use auth_uri in some cases and auth_url in
>> others.
>
>
> While to a human auth_uri and auth_url might look very similar they're
> treated completely differently by auth_token / keystoneauth. One doesn't
> replace the other in any way. So it shouldn't be surprising that
> documentation would say to use auth_uri for one thing and auth_url for
> something else.
>
In this case it's probably worth filing a docs bug against Keystone.
If one person is confused by this, others likely are or will be.

- Harry

>  - Brant
>
>
>>
>> My suggestion is to add auth_url in the list of keystone authtoken
>> middleware config options, so that the parameter can be used by the others.
>>
>> Best,
>> Mike
>>
>> [1] https://review.openstack.org/#/c/473796/
>> [2]
>> https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_opts.py#L31
>> [3]
>> https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/identity.py#L37
>> [4] http://paste.openstack.org/show/612662/
>> [5] http://paste.openstack.org/show/612664/
>>
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

[Brant Knudson]

On Thu, Jun 15, 2017 at 5:14 AM, Mikhail Fedosin  wrote:

> Recently I decided to remove deprecated parameters from keystone_authtoken
> mistral config and replace them with recommended function of devstack [1].
> In doing so, I discovered a strange behavior of configuration mechanism,
> and specifically parameters auth_uri and auth_url.
>
> 1. The parameter auth_url is not included in the list of the middleware
> parameters, there is auth_uri only [2]. Nevertheless, it must be present,
> because it's required by identity plugin [3]. Attempts to remove or replace
> it with the recommended auth_uri result with these stacktraces [4]
>
> 2. Even if auth_url is set, it can't be used later, because it is not
> registered in oslo_config [5]
>
> So I would like to get an advise from keystone team and understand what I
> should do in such cases. Official documentation doesn't add clarity on the
> matter because it recommends to use auth_uri in some cases and auth_url in
> others.
>

While to a human auth_uri and auth_url might look very similar they're
treated completely differently by auth_token / keystoneauth. One doesn't
replace the other in any way. So it shouldn't be surprising that
documentation would say to use auth_uri for one thing and auth_url for
something else.

 - Brant



> My suggestion is to add auth_url in the list of keystone authtoken
> middleware config options, so that the parameter can be used by the others.
>
> Best,
> Mike
>
> [1] https://review.openstack.org/#/c/473796/
> [2] https://github.com/openstack/keystonemiddleware/blob/
> master/keystonemiddleware/auth_token/_opts.py#L31
> [3] https://github.com/openstack/keystoneauth/blob/master/
> keystoneauth1/loading/identity.py#L37
> [4] http://paste.openstack.org/show/612662/
> [5] http://paste.openstack.org/show/612664/
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

[Gyorgy Szombathelyi]

> 
> >
> > auth_url is actually a dynamic parameter and depends on the
> keystone
> > auth plugin used
> > (auth_type=xxx). The plugin which needs this parameter, registers it.
> >
> >
> >
> > Based on this http://paste.openstack.org/show/612664/ I would say that
> > the plugin doesn't register it :( It either can be a bug, or it was
> > done intentionally, I don't know.
> >
> It should register it after you load it, via
> keystonauth1.loading.load_auth_plugin_from_conf_options()
> There are also register_auth_conf_options() and
> get_auth_plugin_conf_options,  which I think are mainly used for listing the
> most used plugins' options in the debug log. But I don't think it would be 
> wise
> just to choose a plugin and register its options for auth_url, because it is 
> ugly,
> I think, and can lead to other problems.

Another note: if you write this code, I think you should not use auth_url 
directly
creating the keystone client (did not look at the code in question, just 
thinking loud looking at the stacktrace).
Use keystoneauth1's loading.load_auth_plugin_from_conf_options()
and loading.load_session_from_conf_options(). You don't have to register 
anything if you're 
using the [keystone_authtoken] section. Lots of components introduce another 
config sections
for credentials, like [nova], [neutron], in this case one has to use 
register_auth_conf_options()
and register_session_conf_options().


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

[Gyorgy Szombathelyi]

> 
>   auth_url is actually a dynamic parameter and depends on the
> keystone auth plugin used
>   (auth_type=xxx). The plugin which needs this parameter, registers it.
> 
> 
> 
> Based on this http://paste.openstack.org/show/612664/ I would say that the
> plugin doesn't register it :( It either can be a bug, or it was done 
> intentionally,
> I don't know.
> 
It should register it after you load it, via 
keystonauth1.loading.load_auth_plugin_from_conf_options()
There are also register_auth_conf_options() and get_auth_plugin_conf_options,  
which I think are mainly used 
for listing the most used plugins' options in the debug log. But I don't think 
it would be wise
just to choose a plugin and register its options for auth_url, because it is 
ugly, I think, and can lead to
other problems.
 
> 
> My final thought that we have to use both (auth_url and auth_uri) options in
> mistral config, which looks ugly, but necessary.

It's not just Mistral, but every component which uses keystonemiddleware.

> 
> Best,
> Mike
Br,
György
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

[Mikhail Fedosin]

Thanks György!

On Thu, Jun 15, 2017 at 1:55 PM, Gyorgy Szombathelyi <
gyorgy.szombathe...@doclerholding.com> wrote:

> Hi Mikhail,
>
> (I'm not from the Keystone team, but did some patches for using
> keystonauth1).
>
> >
> > 2. Even if auth_url is set, it can't be used later, because it is not
> registered in
> > oslo_config [5]
>
> auth_url is actually a dynamic parameter and depends on the keystone auth
> plugin used
> (auth_type=xxx). The plugin which needs this parameter, registers it.
>

Based on this http://paste.openstack.org/show/612664/ I would say that the
plugin doesn't register it :(
It either can be a bug, or it was done intentionally, I don't know.


>
> >
> > So I would like to get an advise from keystone team and understand what I
> > should do in such cases. Official documentation doesn't add clarity on
> the
> > matter because it recommends to use auth_uri in some cases and auth_url
> in
> > others.
> > My suggestion is to add auth_url in the list of keystone authtoken
> > middleware config options, so that the parameter can be used by the
> others.
>
> Yepp, this makes some confusion, but adding auth_url will make a clash with
> most (all?) authentication plugins. auth_url can be considered as an
> 'internal'
> option for the keystoneauth1 modules, and not used by anything else (like
> the keystonemiddleware itself). However if there would be a more elagant
> solution, I would also hear about it.
>
> >
> > Best,
> > Mike
> >
> Br,
> György
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


My final thought that we have to use both (auth_url and auth_uri) options
in mistral config, which looks ugly, but necessary.

Best,
Mike
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

[Gyorgy Szombathelyi]

Hi Mikhail,

(I'm not from the Keystone team, but did some patches for using keystonauth1).

> 
> 2. Even if auth_url is set, it can't be used later, because it is not 
> registered in
> oslo_config [5]

auth_url is actually a dynamic parameter and depends on the keystone auth 
plugin used
(auth_type=xxx). The plugin which needs this parameter, registers it.

> 
> So I would like to get an advise from keystone team and understand what I
> should do in such cases. Official documentation doesn't add clarity on the
> matter because it recommends to use auth_uri in some cases and auth_url in
> others.
> My suggestion is to add auth_url in the list of keystone authtoken
> middleware config options, so that the parameter can be used by the others.

Yepp, this makes some confusion, but adding auth_url will make a clash with
most (all?) authentication plugins. auth_url can be considered as an 'internal'
option for the keystoneauth1 modules, and not used by anything else (like
the keystonemiddleware itself). However if there would be a more elagant
solution, I would also hear about it.

> 
> Best,
> Mike
> 
Br,
György
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

[Mikhail Fedosin]

Recently I decided to remove deprecated parameters from keystone_authtoken
mistral config and replace them with recommended function of devstack [1].
In doing so, I discovered a strange behavior of configuration mechanism,
and specifically parameters auth_uri and auth_url.

1. The parameter auth_url is not included in the list of the middleware
parameters, there is auth_uri only [2]. Nevertheless, it must be present,
because it's required by identity plugin [3]. Attempts to remove or replace
it with the recommended auth_uri result with these stacktraces [4]

2. Even if auth_url is set, it can't be used later, because it is not
registered in oslo_config [5]

So I would like to get an advise from keystone team and understand what I
should do in such cases. Official documentation doesn't add clarity on the
matter because it recommends to use auth_uri in some cases and auth_url in
others.
My suggestion is to add auth_url in the list of keystone authtoken
middleware config options, so that the parameter can be used by the others.

Best,
Mike

[1] https://review.openstack.org/#/c/473796/
[2]
https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_opts.py#L31
[3]
https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/identity.py#L37
[4] http://paste.openstack.org/show/612662/
[5] http://paste.openstack.org/show/612664/
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev