Re: [openstack-dev] [Keystone][Glance] keystonemiddleware multiple keystone endpoints

[Hans Feldt]

On 2015-08-25 09:37, Jamie Lennox wrote:



- Original Message -

From: Hans Feldt hans.fe...@ericsson.com
To: openstack-dev@lists.openstack.org
Sent: Thursday, August 20, 2015 10:40:28 PM
Subject: [openstack-dev] [Keystone][Glance] keystonemiddleware  multiple   
keystone endpoints

How do you configure/use keystonemiddleware for a specific identity endpoint
among several?

In an OPNFV multi region prototype I have keystone endpoints per region. I
would like
keystonemiddleware (in context of glance-api) to use the local keystone for
performing user token
validation. Instead keystonemiddleware seems to use the first listed keystone
endpoint in the
service catalog (which could be wrong/non-optimal in most regions).

I found this closed, related bug:
https://bugs.launchpad.net/python-keystoneclient/+bug/1147530


Hey,

There's two points to this.

* If you are using an auth plugin then you're right it will just pick the first 
endpoint. You can look at project specific endpoints[1] so that there is only 
one keystone endpoint returned for the services project. I've also just added a 
review for this feature[2].


I am not.


* If you're not using an auth plugin (so the admin_X options) then keystone 
will always use the endpoint that is configured in the options (identity_uri).


Yes for getting its own admin/service token. But for later user token validation it seems to pick 
the first identity service in the stored (?) service catalog.


By patching keystonemiddleware, _create_identity_server and the call to Adapter constructor with an 
endpoint_override parameter I can get it to use the local keystone for token validation. I am 
looking for an official way of achieving the same.


Thanks,
Hans



Hope that helps,

Jamie


[1] 
https://github.com/openstack/keystone-specs/blob/master/specs/juno/endpoint-group-filter.rst
[2] https://review.openstack.org/#/c/216579


Thanks,
Hans

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [Keystone][Glance] keystonemiddleware multiple keystone endpoints

[Hans Feldt]

How do you configure/use keystonemiddleware for a specific identity endpoint 
among several?

In an OPNFV multi region prototype I have keystone endpoints per region. I would like 
keystonemiddleware (in context of glance-api) to use the local keystone for performing user token 
validation. Instead keystonemiddleware seems to use the first listed keystone endpoint in the 
service catalog (which could be wrong/non-optimal in most regions).


I found this closed, related bug: 
https://bugs.launchpad.net/python-keystoneclient/+bug/1147530

Thanks,
Hans

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev