Public bug reported:

Issue: Can't specify identity endpoint among several keystone servers in
keystonemiddleware

A prototype was executed to verify that KeyStone fernet token can work
in multi-site OPNFV cloud (in OpenStack terms, multi-OpenStack regions):
https://etherpad.opnfv.org/p/multisite_identity_management.

The requirement is "a user should, using a single authentication point
be able to manage virtual resources spread over multiple OpenStack
regions".

We have two regions: Kista and Solna, each one with KeyStone server
installed. These two keystone servers will have MySql cluster as the
backend, with the master MySql cluster in Kista and the slave MySql cluster
in Solna, which will be configured for async-replication from the Kista
MySql cluster, therefore the data in KeyStone database.

root@51fa2177d59d:~# openstack endpoint list
+----------------------------------+--------+--------------+--------------+---------+-----------+--------------------------+
| ID                               | Region | Service Name | Service Type | Enabled | Interface | URL                      |
+----------------------------------+--------+--------------+--------------+---------+-----------+--------------------------+
| 09977a67a5fd4231bf54bfdbfc311b4e | Solna  | keystone     | identity     | True    | internal  | http://172.17.0.98:5000  |
| 18389f1ff42640cf905351a7f9b8a6f7 | Kista  | glance       | image        | True    | internal  | http://172.17.0.41:9292  |
| 3bd662e362e24f45a9db2b77ad0682bb | Solna  | glance       | image        | True    | internal  | http://172.17.0.119:9292 |
| 425b14d499264aa1bad8170a99afce88 | Kista  | keystone     | identity     | True    | admin     | http://172.17.0.36:35357 |
| 60a02a99078642d0974843323bbb8836 | Solna  | glance       | image        | True    | public    | http://172.17.0.119:9292 |
| 712d42d06ade4fedb8820e6f6ed33574 | Kista  | glance       | image        | True    | public    | http://172.17.0.41:9292  |
| 8000a62a8406437dad4759960bad837f | Kista  | keystone     | identity     | True    | public    | http://172.17.0.36:5000  |
| a7ec590712364e9f876f0b82d1879a99 | Kista  | keystone     | identity     | True    | internal  | http://172.17.0.36:5000  |
| b253565ee000417ab9b3d7ab3f4b4d48 | Solna  | keystone     | identity     | True    | admin     | http://172.17.0.98:35357 |
| bf9d05de9be64f5bb886959eb6bb367d | Solna  | glance       | image        | True    | admin     | http://172.17.0.119:9292 |
| d1cb2f7d7d594199909b14a0004f37fe | Kista  | glance       | image        | True    | admin     | http://172.17.0.41:9292  |
| eab9fbcb129741728bc72f36b72e27e2 | Solna  | keystone     | identity     | True    | public    | http://172.17.0.98:5000  |
+----------------------------------+--------+--------------+--------------+---------+-----------+--------------------------+

Even though the glance in Solna is configured with the Solna KeyStone
server for fernet token validation locally, the token validation request
was still routed to the Kista KeyStone; it doesn't work as expected.

The following doc describes the issue in detail:
https://docs.google.com/document/d/1pvYWQprRH3jnzX2j-zQwAErdPWg9zwkguSyLx1EBKas/edit

And this doc provides a patch to show how to make the configuration item
take effect for token validation locally:
https://docs.google.com/document/d/1258g0VTC4wktevo2ymS7SaNhDeY8-S2QWY45them7ZM/edit#

** Affects: keystone
     Importance: Undecided
         Status: New
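Added example (not from the bug report and not keystonemiddleware's own code): a small selection routine over a catalog constructed from the endpoint list above. It shows why filtering identity endpoints by service type and interface alone cannot pin token validation to the local region in a two-region deployment, and turns the silent first-match pick into a detectable ambiguity error. Endpoint, CATALOG, AmbiguousEndpoint and select_identity_endpoint are names assumed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    region: str
    service_type: str
    interface: str
    url: str


# Constructed catalog taken from the `openstack endpoint list` output in the
# bug report: both regions publish identity endpoints on every interface.
CATALOG = [
    Endpoint("Solna", "identity", "internal", "http://172.17.0.98:5000"),
    Endpoint("Kista", "identity", "admin", "http://172.17.0.36:35357"),
    Endpoint("Kista", "identity", "public", "http://172.17.0.36:5000"),
    Endpoint("Kista", "identity", "internal", "http://172.17.0.36:5000"),
    Endpoint("Solna", "identity", "admin", "http://172.17.0.98:35357"),
    Endpoint("Solna", "identity", "public", "http://172.17.0.98:5000"),
    Endpoint("Kista", "image", "internal", "http://172.17.0.41:9292"),
]


class AmbiguousEndpoint(Exception):
    """Several endpoints matched; a silent first-match pick could send token
    validation to the remote region, which is the symptom reported above."""


def select_identity_endpoint(catalog, interface, region=None):
    """Return the one identity URL for `interface`, restricted to `region`.

    Illustrative selection logic, not keystonemiddleware's. Without `region`
    every interface matches in both Kista and Solna, so the caller has to
    name the local region for validation to stay local."""
    matches = sorted({
        ep.url for ep in catalog
        if ep.service_type == "identity" and ep.interface == interface
        and (region is None or ep.region == region)
    })
    if not matches:
        raise LookupError(f"no identity/{interface} endpoint in {region!r}")
    if len(matches) > 1:
        raise AmbiguousEndpoint(matches)
    return matches[0]
```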

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1488347

Title:
  Can't specify identity endpoint for token validation among several
  keystone servers in keystonemiddleware

Status in Keystone:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1488347/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
