Hello, Jamie and Hans,

The patch "Allow specifying a region name to auth_token" https://review.openstack.org/#/c/216579 has just been merged.

But unfortunately, when I modify the source code as this patch did in the multisite cloud with Fernet token, the issue is still there, and requests are routed to an incorrect endpoint. I also checked the region_name configuration in the source code; it's correct.

The issue mentioned in the bug report is not addressed yet: https://bugs.launchpad.net/keystonemiddleware/+bug/1488347

Is there anyone who tested it successfully in your environment?

The log of Glance API: the request was redirected to http://172.17.0.95:35357, but this address is not a Keystone endpoint. (http://172.17.0.98:35357 and http://172.17.0.41:35357 are correct Keystone endpoints)

//////////////////////////////////////////
2015-09-06 07:50:43.447 194 DEBUG keystoneclient.session [-] REQ: curl -g -i -X GET http://172.17.0.98:35357 -H "Accept: application/json" -H "User-Agent: python-keystoneclient" _http_log_request /usr/lib/python2.7/dist-packages/keystoneclient/session.py:195
2015-09-06 07:50:43.468 194 DEBUG keystoneclient.session [-] RESP: [300] content-length: 593 vary: X-Auth-Token connection: keep-alive date: Sun, 06 Sep 2015 07:50:43 GMT content-type: application/json x-distribution: Ubuntu
RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://172.17.0.98:35357/v3/", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://172.17.0.98:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}]}}
 _http_log_response /usr/lib/python2.7/dist-packages/keystoneclient/session.py:223
2015-09-06 07:50:43.469 194 DEBUG keystoneclient.auth.identity.v3 [-] Making authentication request to http://172.17.0.98:35357/v3/auth/tokens get_auth_ref /usr/lib/python2.7/dist-packages/keystoneclient/auth/identity/v3.py:125
2015-09-06 07:50:43.574 194 DEBUG keystoneclient.session [-] REQ: curl -g -i -X GET http://172.17.0.95:35357 -H "Accept: application/json" -H "User-Agent: python-keystoneclient" _http_log_request /usr/lib/python2.7/dist-packages/keystoneclient/session.py:195
2015-09-06 07:50:46.576 194 WARNING keystoneclient.auth.identity.base [-] Failed to contact the endpoint at http://172.17.0.95:35357 for discovery. Fallback to using that endpoint as the base url.
2015-09-06 07:50:46.576 194 DEBUG keystoneclient.session [-] REQ: curl -g -i -X GET http://172.17.0.95:35357/auth/tokens -H "X-Subject-Token: {SHA1}640964e1f8716ecbb10ca3d8b5b08c8e7abfac1d" -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}386777062718e0992cc818780e3ec7fa0671d8e9" _http_log_request /usr/lib/python2.7/dist-packages/keystoneclient/session.py:195
2015-09-06 07:50:49.576 194 INFO keystoneclient.session [-] Failure: Unable to establish connection to http://172.17.0.95:35357/auth/tokens. Retrying in 0.5s.
2015-09-06 07:50:52.576 194 INFO keystoneclient.session [-] Failure: Unable to establish connection to http://172.17.0.95:35357/auth/tokens. Retrying in 1.0s.
2015-09-06 07:50:55.576 194 INFO keystoneclient.session [-] Failure: Unable to establish connection to http://172.17.0.95:35357/auth/tokens. Retrying in 2.0s.
2015-09-06 07:50:58.576 194 WARNING keystonemiddleware.auth_token [-] Authorization failed for token

Best Regards
Chaoyi Huang ( Joe Huang )

-----Original Message-----
From: Hans Feldt [mailto:hans.fe...@ericsson.com]
Sent: Tuesday, August 25, 2015 5:06 PM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [Keystone][Glance] keystonemiddleware & multiple keystone endpoints

On 2015-08-25 09:37, Jamie Lennox wrote:
>
>
> ----- Original Message -----
>> From: "Hans Feldt" <hans.fe...@ericsson.com>
>> To: openstack-dev@lists.openstack.org
>> Sent: Thursday, August 20, 2015 10:40:28 PM
>> Subject: [openstack-dev] [Keystone][Glance] keystonemiddleware & multiple
>> keystone endpoints
>>
>> How do you configure/use keystonemiddleware for a specific identity
>> endpoint among several?
>>
>> In an OPNFV multi region prototype I have keystone endpoints per
>> region. I would like keystonemiddleware (in context of glance-api) to
>> use the local keystone for performing user token validation. Instead
>> keystonemiddleware seems to use the first listed keystone endpoint in
>> the service catalog (which could be wrong/non-optimal in most
>> regions).
>>
>> I found this closed, related bug:
>> https://bugs.launchpad.net/python-keystoneclient/+bug/1147530
>
> Hey,
>
> There's two points to this.
>
> * If you are using an auth plugin then you're right it will just pick the
> first endpoint. You can look at project specific endpoints[1] so that there
> is only one keystone endpoint returned for the services project. I've also
> just added a review for this feature[2].

I am not.

> * If you're not using an auth plugin (so the admin_X options) then keystone
> will always use the endpoint that is configured in the options (identity_uri).

Yes for getting its own admin/service token. But for later user token validation it seems to pick the first identity service in the stored (?) service catalog.

By patching keystonemiddleware, _create_identity_server and the call to Adapter constructor with an endpoint_override parameter I can get it to use the local keystone for token validation.

I am looking for an official way of achieving the same.

Thanks,
Hans

>
> Hope that helps,
>
> Jamie
>
>
> [1] https://github.com/openstack/keystone-specs/blob/master/specs/juno/endpoint-group-filter.rst
> [2] https://review.openstack.org/#/c/216579
>
>> Thanks,
>> Hans
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
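
A check an operator could run over the same kind of Glance API log, as an added example that is not part of the original thread or of keystonemiddleware: it flags keystoneclient requests sent to hosts outside the set of identity endpoints the post names as correct, and records whether token headers went with them. The sample lines are shortened from the log in the post, and the function and variable names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Identity endpoints the post names as correct (host:port).
EXPECTED_KEYSTONE = {"172.17.0.98:35357", "172.17.0.41:35357"}

# Log lines shortened from the Glance API log in the post (trailing code
# paths and some headers trimmed; hashed token values replaced by placeholders).
SAMPLE_LOG = """\
2015-09-06 07:50:43.447 194 DEBUG keystoneclient.session [-] REQ: curl -g -i -X GET http://172.17.0.98:35357 -H "Accept: application/json"
2015-09-06 07:50:43.574 194 DEBUG keystoneclient.session [-] REQ: curl -g -i -X GET http://172.17.0.95:35357 -H "Accept: application/json"
2015-09-06 07:50:46.576 194 DEBUG keystoneclient.session [-] REQ: curl -g -i -X GET http://172.17.0.95:35357/auth/tokens -H "X-Subject-Token: {SHA1}<redacted>" -H "X-Auth-Token: {SHA1}<redacted>"
2015-09-06 07:50:58.576 194 WARNING keystonemiddleware.auth_token [-] Authorization failed for token
"""

REQ_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) .*?"
    r"keystoneclient\.session .*?REQ: curl .*?-X (?P<method>[A-Z]+) (?P<url>\S+)(?P<rest>.*)$"
)
TOKEN_HDR_RE = re.compile(r'-H "(X-(?:Auth|Subject)-Token):')


def find_misrouted(log_text, expected=EXPECTED_KEYSTONE):
    """Return one finding per keystoneclient request sent to an unexpected host."""
    findings = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        netloc = urlsplit(m.group("url")).netloc
        if netloc in expected:
            continue
        findings.append({
            "time": m.group("ts"),
            "url": m.group("url"),
            # Token headers on a misrouted request mean credentials were addressed to the wrong host.
            "token_headers": sorted(set(TOKEN_HDR_RE.findall(m.group("rest")))),
        })
    return findings


if __name__ == "__main__":
    for f in find_misrouted(SAMPLE_LOG):
        print(f["time"], f["url"], f["token_headers"] or "no token headers")
```

Findings with a non-empty `token_headers` list deserve attention first, since they show the service token and the user's subject token being addressed to a host that is not one of the deployment's Keystone endpoints.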