On 05/11/2018 03:37 PM, Vlad Gusev wrote:
Hello.
We faced a bug in keystoneauth, which haven't existed before Queens.
Sorry about that.
In our OpenStack deployments we use urls like http://controller:5000/v3
for internal and admin endpoints and urls like
https://api.example.org/identity/v3 for public endpoints.
Thank you for using suburl deployment for your public interface and not
the silly ports!!!
We set option
public_endpoint in [default] section of the
keystone.conf/nova.conf/cinder.conf/glance.conf/neutron.conf. For
example, for keystone it is
'public_endpoint=https://api.example.org/identity/'.
Since keystoneauth 3.2.0 or commit
https://github.com/openstack/keystoneauth/commit/8b8ff830e89923ca6862362a5d16e496a0c0093c
all internal client requests to the internal endpoints (for example,
openstack server list from controller node) fail with 404 error, because
it tries to do auto discovery at the http://controller:5000/v3. It gets
{"href": "https://api.example.org/identity/v3/;, "rel": "self"} because
of the public_endpoint option, and then in function
_combine_relative_url() (keystoneauth1/discover.py:405) keystoneauth
combines http://controller:5000/ with the path from public href. So
after auto discovery attempt it goes to the wrong path
http://controller:5000/identity/v3/
Ok. I'm going to argue that there are bugs on both the server side AND
in keystoneauth. I believe I know how to fix the keystoneauth one- but
let me describe why I think the server is broken as well, and then we
can figure out how to fix that. I'm going to describe it in slightly
excruciating detail, just to make sure we're all on the same page about
mechanics that may be going on behind the scenes.
The user has said:
I want the internal interface of v3 of the identity service
First, the identity service has to be found in the catalog. Looking in
the catalog, we find this:
{
"endpoints": [
{
"id": "4deb4d0504a044a395d4480741ba628c",
"interface": "public",
"region": "RegionOne",
"url": "https://api.example.com/identity;
},
{
"id": "012322eeedcd459edabb4933021112bc",
"interface": "internal",
"region": "RegionOne",
"url": "http://controller:5000/v3;
}
],
"name": "keystone",
"type": "identity"
},
We've found the entry for 'identity' service, and looking at the
endpoints we see that the internal endpoint is:
http://controller:5000/v3
The next step is version discovery, because the user wants version 3 of
the api. (I'm skipping possible optimizations that can be applied on
purpose)
To do version discovery, one does a GET on the endpoint found in the
catalog, so GET http://controller:5000/v3. That returns:
{
"versions": {
"values": [
{
"status": "stable",
"updated": "2016-04-04T00:00:00Z",
"media-types": [
{
"base": "application/json",
"type": "application/vnd.openstack.identity-v3+json"
}
],
"id": "v3.6",
"links": [
{
"href": "https://api.example.com/identity/v3/;,
"rel": "self"
}
]
}
]
}
}
Here is the server-side bug. A GET on the discovery document on the
internal endpoint returned an endpoint for the public interface. That is
incorrect information. GET http://controller:5000/v3 should return either:
{
"versions": {
"values": [
{
"status": "stable",
"updated": "2016-04-04T00:00:00Z",
"media-types": [
{
"base": "application/json",
"type": "application/vnd.openstack.identity-v3+json"
}
],
"id": "v3.6",
"links": [
{
"href": "http://controller:5000/v3/;,
"rel": "self"
}
]
}
]
}
}
or
{
"versions": {
"values": [
{
"status": "stable",
"updated": "2016-04-04T00:00:00Z",
"media-types": [
{
"base": "application/json",
"type": "application/vnd.openstack.identity-v3+json"
}
],
"id": "v3.6",
"links": [
{
"href": "/v3/",
"rel": "self"
}
]
}
]
}
}
That's because the discovery documents are maps to what the user wants.
The user needs to be able to follow them automatically.
NOW - there is also a keystoneauth bug in play here that combined with
this server-side bug have produced the issue you have.
That is in the way we do the catalog / discovery URL join.
First of all - we do the catalog / discovery URL join because of a
frequently occuring deployment bug in the other direction. That is, it
is an EXTREMELY common misconfiguration for the discovery url to return
the internal url (this is what happens if