Public bug reported:
The identity service is expected to be on ports 5000 and 35357 for historical
reasons. It's been a dream for some time to have the identity service, along
with the rest of the OpenStack services, available on a path on the normal HTTP
port so that we're not polluting the port space so much, and also port 35357
has problems on Linux since it's in the default ephemeral port range.
With keystone switching to being served by Apache Httpd or some other
full-featured web server (as opposed to eventlet) this is actually
pretty easy to accomplish. Httpd (and other web servers) allows you to
route multiple paths / ports to the wsgi process, so you can have :5000
and :443/identity going to the same place (same with :35357 and
:443/identity_admin), all in the same server.
Keystone ships a sample config file in httpd/wsgi-keystone.conf so we'll
update that to support both the virtual hosts on different ports and
path handling.
If we agree on this we can get some tests going to ensure the rest of
the OpenStack ecosystem is ready by changing devstack to use the new
config.
Eventually we can "deprecate" running identity service on 5000 and 35357
and instead use :443/identity and /identity_admin.
** Affects: keystone
Importance: Wishlist
Assignee: Brant Knudson (blk-u)
Status: In Progress
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1496041
Title:
Document accept requests on base paths rather than separate ports
Status in Keystone:
In Progress
Bug description:
The identity service is expected to be on ports 5000 and 35357 for historical
reasons. It's been a dream for some time to have the identity service, along
with the rest of the OpenStack services, available on a path on the normal HTTP
port so that we're not polluting the port space so much, and also port 35357
has problems on Linux since it's in the default ephemeral port range.
With keystone switching to being served by Apache Httpd or some other
full-featured web server (as opposed to eventlet) this is actually
pretty easy to accomplish. Httpd (and other web servers) allows you to
route multiple paths / ports to the wsgi process, so you can have
:5000 and :443/identity going to the same place (same with :35357 and
:443/identity_admin), all in the same server.
Keystone ships a sample config file in httpd/wsgi-keystone.conf so
we'll update that to support both the virtual hosts on different ports
and path handling.
If we agree on this we can get some tests going to ensure the rest of
the OpenStack ecosystem is ready by changing devstack to use the new
config.
Eventually we can "deprecate" running identity service on 5000 and
35357 and instead use :443/identity and /identity_admin.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1496041/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
