Openstack Keystone version v2 and v3: what and when to use?

Open AJNOURI opened this issue 9 years ago • 2 comments

I am using the openstack command with the keystone v3 API (http://X.X.239.4:5000/v3/) as follows:

openstack --os-auth-url http://X.X.239.4:5000/v3/ --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password endpoint list
+----------------------------------+-----------+--------------+----------------+
| ID                               | Region    | Service Name | Service Type   |
+----------------------------------+-----------+--------------+----------------+
| 3d3605860ed144b584b40b059210add7 | RegionOne | swift        | object-store   |
| 5a24c9b20a874d0aae89a3013ec9773a | RegionOne | heat         | orchestration  |
| 0f9ef30badc54af3984327fea4ba49b1 | RegionOne | nova_legacy  | compute_legacy |
| 544e4daa8f3b41648654876a0cad7b06 | RegionOne | ec2          | ec2            |
| 8f901675d8504a5dad0039093c2d18e4 | RegionOne | nova         | compute        |
| 4ea0ca4e7ed04d19a76d48a0977e7c6d | RegionOne | heat-cfn     | cloudformation |
| 7c269c7ae8664d1aa06014b30d55fe37 | RegionOne | glance       | image          |
| 735bfa3e5c2c4981a4a3f47d55b38d0f | RegionOne | neutron      | network        |
| 8685440e3d73467792b6c106a8d9087c | RegionOne | keystone     | identity       |
| 28e29f53d54c4590b79a80f3036270da | RegionOne | cinderv2     | volumev2       |
| b5b9a6fd79b241d3bdfb46d75d94c698 | RegionOne | cinder       | volume         |
| 397dfa4339e5419c9ce2e0ac9f2d7883 | RegionOne | s3           | s3             |
+----------------------------------+-----------+--------------+----------------+

But when inspecting the keystone endpoint, I got v2 as the OS auth URL:

openstack --os-auth-url http://X.X.239.4:5000/v3/ --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password endpoint show 8685440e3d73467792b6c106a8d9087c
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| adminurl     | http://X.X.239.4:35357/v2.0  |
| enabled      | True                             |
| id           | 8685440e3d73467792b6c106a8d9087c |
| internalurl  | http://X.X.239.4:5000/v2.0   |
| publicurl    | http://X.X.239.4:5000/v2.0   |
| region       | RegionOne                        |
| service_id   | 58c80619effb4cf7896d309d169d0f20 |
| service_name | keystone                         |
| service_type | identity                         |
+--------------+----------------------------------+

If I reissue the openstack command using the v2 URL (http://X.X.239.4:35357/v2.0), it doesn't accept the URL version:

openstack --os-auth-url http://X.X.239.4:35357/v2.0 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password endpoint show 8685440e3d73467792b6c106a8d9087c
Could not determine a suitable URL for the plugin

Are both keystone authentication URL versions serving different purposes?

AJNOURI avatar Nov 03 '16 00:11 AJNOURI
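The mismatch reported in the post above (authenticating against `/v3/` while the catalog's identity endpoint advertises `/v2.0`) can be checked mechanically. This is an added example, not code from the original post or from OpenStack; the host `keystone.example`, the sample table and the function names `parse_table`, `api_version` and `audit` are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the `endpoint show` output above;
# keystone.example is a placeholder host, not a value from the post.
SAMPLE = """\
+--------------+------------------------------------+
| Field        | Value                              |
+--------------+------------------------------------+
| adminurl     | http://keystone.example:35357/v2.0 |
| internalurl  | http://keystone.example:5000/v2.0  |
| publicurl    | http://keystone.example:5000/v2.0  |
| service_type | identity                           |
+--------------+------------------------------------+
"""

def parse_table(text):
    """Turn a two-column CLI table into a {field: value} dict."""
    rows = {}
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip +----+ borders and blank lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and cells[0] != "Field":
            rows[cells[0]] = cells[1]
    return rows

def api_version(url):
    """Major Identity API version from a URL path suffix (/v2.0 -> 2), or None."""
    m = re.search(r"/v(\d+)(?:\.\d+)?/?$", urlparse(url).path)
    return int(m.group(1)) if m else None

def audit(table_text, auth_url):
    """List (field, message) findings for one catalog endpoint record."""
    rec, want, findings = parse_table(table_text), api_version(auth_url), []
    for field in ("adminurl", "internalurl", "publicurl"):
        url = rec.get(field)
        if url is None:
            continue
        got = api_version(url)
        if got != want:
            findings.append((field, f"catalog advertises v{got}, auth URL is v{want}"))
        if urlparse(url).scheme != "https":
            findings.append((field, "plaintext http carries passwords and tokens unencrypted"))
    return findings

if __name__ == "__main__":
    for field, msg in audit(SAMPLE, "http://keystone.example:5000/v3/"):
        print(f"{field}: {msg}")
```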

I've collected the results of some commands, hoping to have a better view of the big picture.

Identity version 2.0 (http://X.X.223.25:5000/v2.0)

selection_515

NOK = Could not determine a suitable URL for the plugin

Identity version 3 (http://X.X.223.25:5000/v3)

selection_514

  • NOK = Authorization failed the resource could not be found (HTTP 404)
  • NOK1 = Authorization failed. Authorization failed the resource could not be found

Strange that keystone.conf doesn't seem to have any reference to any auth_url:

cat /etc/keystone/keystone.conf | grep -v ^# | grep -v ^$

[DEFAULT]
max_token_size = 16384
logging_exception_prefix = %(process)d TRACE %(name)s %(instance)s
logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
logging_default_format_string = %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
logging_context_format_string = %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
debug = True
admin_token = openstack
rpc_backend = rabbit
[assignment]
driver = sql
[auth]
[cache]
[catalog]
driver = sql
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://root:[email protected]/keystone?charset=utf8
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
admin_workers = 2
admin_bind_host = 162.242.223.25
[eventlet_server_ssl]
[federation]
[fernet_tokens]
key_repository = /etc/keystone/fernet-keys/
[identity]
driver = sql
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[matchmaker_ring]
[memcache]
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_qpid]
[oslo_messaging_rabbit]
rabbit_userid = stackrabbit
rabbit_password = openstack
rabbit_hosts = 162.242.223.25
[oslo_middleware]
[oslo_policy]
[paste_deploy]
config_file = /etc/keystone/keystone-paste.ini
[policy]
[resource]
[revoke]
[role]
[saml]
[signing]
[ssl]
[token]
driver = sql
[tokenless_auth]
[trust]

AJNOURI avatar Nov 06 '16 02:11 AJNOURI

Knowing that:

  • openstack unified API supports both v3 and v2 for backwards compatibility.
  • python-keystoneclient only supports the Identity v2.0 API

  • This explains why keystone client doesn't work with API identity v3 (NOK in 2nd table).
  • The following link may suggest that swift is not properly configured for v3 auth_url (NOK1 in 2nd table).

AJNOURI avatar Nov 06 '16 02:11 AJNOURI