Public bug reported: Issue: Can't specify identity endpoint among several keystone servers in keystonemiddleware
A prototype was executed to verify that KeyStone fernet token can work in multi-site OPNFV cloud (in OpenStack terms, multi-OpenStack regions): https://etherpad.opnfv.org/p/multisite_identity_management. The requirement is "a user should, using a single authentication point be able to manage virtual resources spread over multiple OpenStack regions".

We have two regions: Kista and Solna, each one with KeyStone server installed. These two keystone servers will have MySql cluster as the backend, with the master MySql cluster in Kista and the slave MySql cluster in Solna, which will be configured for async-replication from the Kista MySql cluster, therefore the data in KeyStone database.

root@51fa2177d59d:~# openstack endpoint list
+----------------------------------+--------+--------------+--------------+---------+-----------+--------------------------+
| ID                               | Region | Service Name | Service Type | Enabled | Interface | URL                      |
+----------------------------------+--------+--------------+--------------+---------+-----------+--------------------------+
| 09977a67a5fd4231bf54bfdbfc311b4e | Solna  | keystone     | identity     | True    | internal  | http://172.17.0.98:5000  |
| 18389f1ff42640cf905351a7f9b8a6f7 | Kista  | glance       | image        | True    | internal  | http://172.17.0.41:9292  |
| 3bd662e362e24f45a9db2b77ad0682bb | Solna  | glance       | image        | True    | internal  | http://172.17.0.119:9292 |
| 425b14d499264aa1bad8170a99afce88 | Kista  | keystone     | identity     | True    | admin     | http://172.17.0.36:35357 |
| 60a02a99078642d0974843323bbb8836 | Solna  | glance       | image        | True    | public    | http://172.17.0.119:9292 |
| 712d42d06ade4fedb8820e6f6ed33574 | Kista  | glance       | image        | True    | public    | http://172.17.0.41:9292  |
| 8000a62a8406437dad4759960bad837f | Kista  | keystone     | identity     | True    | public    | http://172.17.0.36:5000  |
| a7ec590712364e9f876f0b82d1879a99 | Kista  | keystone     | identity     | True    | internal  | http://172.17.0.36:5000  |
| b253565ee000417ab9b3d7ab3f4b4d48 | Solna  | keystone     | identity     | True    | admin     | http://172.17.0.98:35357 |
| bf9d05de9be64f5bb886959eb6bb367d | Solna  | glance       | image        | True    | admin     | http://172.17.0.119:9292 |
| d1cb2f7d7d594199909b14a0004f37fe | Kista  | glance       | image        | True    | admin     | http://172.17.0.41:9292  |
| eab9fbcb129741728bc72f36b72e27e2 | Solna  | keystone     | identity     | True    | public    | http://172.17.0.98:5000  |
+----------------------------------+--------+--------------+--------------+---------+-----------+--------------------------+

Even though the glance in Solna is configured with the Solna KeyStone server for fernet token validation locally, the token validation request was still routed to the Kista KeyStone; it doesn't work as expected.

The following doc describes the issue in detail: https://docs.google.com/document/d/1pvYWQprRH3jnzX2j-zQwAErdPWg9zwkguSyLx1EBKas/edit

And this doc provides a patch to show how to make the configuration item take effect for token validation locally: https://docs.google.com/document/d/1258g0VTC4wktevo2ymS7SaNhDeY8-S2QWY45them7ZM/edit#

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1488347

Title:
  Can't specify identity endpoint for token validation among several keystone servers in keystonemiddleware

Status in Keystone:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1488347/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
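The check a practitioner would want to run while reproducing this report is to compare where a regional service is told to validate tokens with where the validation calls actually arrive. The following is an added example, not code from the bug report, from keystonemiddleware or from keystone: a stdlib-only Python script that reads the identity hosts per region from the endpoint list above, reads the identity endpoint out of a service's [keystone_authtoken] section, and tallies token-validation requests (GET /v3/auth/tokens, or GET /v2.0/tokens/<id>) per Keystone host from access-log lines. The [keystone_authtoken] fragment, the log lines and the function names are constructed for the example; the assumption that the deprecated identity_uri (with auth_uri as fallback) names the validation endpoint is an assumption about the configuration, not a statement about how the middleware resolves the endpoint at runtime, which is exactly what the report says goes wrong.

```python
"""Compare the configured identity endpoint with the one that really validated.

Added example; not part of the bug report or of keystonemiddleware/keystone.
Catalog rows are taken from the endpoint list in the report; the config
fragment and the access-log lines below are constructed for the example.
"""
import configparser
import re
from collections import Counter
from urllib.parse import urlparse

# (region, service_type, interface, url): the identity rows of the endpoint list.
CATALOG = [
    ("Solna", "identity", "internal", "http://172.17.0.98:5000"),
    ("Kista", "identity", "admin", "http://172.17.0.36:35357"),
    ("Kista", "identity", "public", "http://172.17.0.36:5000"),
    ("Kista", "identity", "internal", "http://172.17.0.36:5000"),
    ("Solna", "identity", "admin", "http://172.17.0.98:35357"),
    ("Solna", "identity", "public", "http://172.17.0.98:5000"),
]

# Constructed [keystone_authtoken] fragment for the Solna Glance (deprecated
# option names of the 2015-era middleware, assumed here for the example).
GLANCE_API_CONF = """
[keystone_authtoken]
auth_uri = http://172.17.0.98:5000
identity_uri = http://172.17.0.98:35357
admin_user = glance
admin_password = secret
admin_tenant_name = service
"""

# Constructed (keystone host, Apache-style access-log line) pairs. The client
# 172.17.0.119 is the Solna Glance; its validation calls all hit Kista.
KEYSTONE_LOGS = [
    ("172.17.0.36", '172.17.0.119 - - [25/Aug/2015:10:01:02 +0000] "GET /v3/auth/tokens HTTP/1.1" 200 1450'),
    ("172.17.0.36", '172.17.0.119 - - [25/Aug/2015:10:01:05 +0000] "GET /v3/auth/tokens HTTP/1.1" 200 1450'),
    ("172.17.0.36", '172.17.0.119 - - [25/Aug/2015:10:01:09 +0000] "GET /v3/auth/tokens HTTP/1.1" 404 93'),
    ("172.17.0.98", '172.17.0.119 - - [25/Aug/2015:10:01:00 +0000] "POST /v2.0/tokens HTTP/1.1" 200 3120'),
    ("172.17.0.98", '172.17.0.119 - - [25/Aug/2015:10:01:01 +0000] "GET /v3 HTTP/1.1" 200 253'),
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')


def host_regions(catalog):
    """Map each identity-endpoint host to its region (one host serves one region)."""
    regions = {}
    for region, service_type, _interface, url in catalog:
        if service_type == "identity":
            regions[urlparse(url).hostname] = region
    return regions


def configured_identity_host(conf_text):
    """Host the [keystone_authtoken] section points validation at.

    identity_uri is the admin endpoint used for validation; auth_uri is the
    fallback when identity_uri is absent (assumption for this example).
    """
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    section = parser["keystone_authtoken"]
    url = section.get("identity_uri") or section.get("auth_uri")
    return urlparse(url).hostname


def is_validation_request(line):
    """True for a token-validation call: GET /v3/auth/tokens or GET /v2.0/tokens/<id>."""
    match = REQUEST_RE.search(line)
    if not match:
        return False
    method = match.group("method")
    path = match.group("path").split("?", 1)[0]
    if method not in ("GET", "HEAD"):
        return False
    return path == "/v3/auth/tokens" or path.startswith("/v2.0/tokens/")


def validations_per_host(logs):
    """Count validation requests per Keystone host."""
    counts = Counter()
    for host, line in logs:
        if is_validation_request(line):
            counts[host] += 1
    return counts


def diagnose(conf_text, catalog, logs, expected_region):
    """Report configured region versus the region(s) that actually validated."""
    regions = host_regions(catalog)
    configured = configured_identity_host(conf_text)
    counts = validations_per_host(logs)
    observed = {regions.get(host, "unknown") for host, n in counts.items() if n}
    return {
        "configured_host": configured,
        "configured_region": regions.get(configured, "unknown"),
        "observed_regions": sorted(observed),
        "local_validation": observed == {expected_region},
    }


if __name__ == "__main__":
    print(diagnose(GLANCE_API_CONF, CATALOG, KEYSTONE_LOGS, "Solna"))
```

With the constructed input the script reports configured_region Solna but observed_regions Kista and local_validation False, which is the mismatch the report describes. Two caveats when running it against a real deployment: an access log only shows the request line, so a validation that is cached by the middleware never appears, and a Solna Keystone can only validate a Kista-issued fernet token locally if it holds the same fernet key repository, which MySQL replication of the keystone database does not carry.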