Hello, Jamie, I hope I am wrong :)
One comment for your patch. using region name to filter the endpoint for the token validation may not work if "no-catalog" is configured in keystone server. "include_service_catalog = True (BoolOpt) (Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header." Best Regards Chaoyi Huang ( Joe Huang ) -----Original Message----- From: Jamie Lennox [mailto:jamielen...@redhat.com] Sent: Tuesday, August 25, 2015 3:38 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [Keystone][Glance] keystonemiddleware & multiple keystone endpoints ----- Original Message ----- > From: "Hans Feldt" <hans.fe...@ericsson.com> > To: openstack-dev@lists.openstack.org > Sent: Thursday, August 20, 2015 10:40:28 PM > Subject: [openstack-dev] [Keystone][Glance] keystonemiddleware & multiple > keystone endpoints > > How do you configure/use keystonemiddleware for a specific identity > endpoint among several? > > In an OPNFV multi region prototype I have keystone endpoints per > region. I would like keystonemiddleware (in context of glance-api) to > use the local keystone for performing user token validation. Instead > keystonemiddleware seems to use the first listed keystone endpoint in > the service catalog (which could be wrong/non-optimal in most > regions). > > I found this closed, related bug: > https://bugs.launchpad.net/python-keystoneclient/+bug/1147530 Hey, There's two points to this. * If you are using an auth plugin then you're right it will just pick the first endpoint. You can look at project specific endpoints[1] so that there is only one keystone endpoint returned for the services project. I've also just added a review for this feature[2]. * If you're not using an auth plugin (so the admin_X options) then keystone will always use the endpoint that is configured in the options (identity_uri). Hope that helps, Jamie [1] https://github.com/openstack/keystone-specs/blob/master/specs/juno/endpoint-group-filter.rst [2] https://review.openstack.org/#/c/216579 > Thanks, > Hans > > ______________________________________________________________________ > ____ OpenStack Development Mailing List (not for usage questions) > Unsubscribe: > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
