Openstack Keystone version v2 and v3: what and when to use?
I am using the openstack command with the keystone v3 API (http://X.X.239.4:5000/v3/) as follows:
openstack --os-auth-url http://X.X.239.4:5000/v3/ --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password endpoint list
+----------------------------------+-----------+--------------+----------------+
| ID | Region | Service Name | Service Type |
+----------------------------------+-----------+--------------+----------------+
| 3d3605860ed144b584b40b059210add7 | RegionOne | swift | object-store |
| 5a24c9b20a874d0aae89a3013ec9773a | RegionOne | heat | orchestration |
| 0f9ef30badc54af3984327fea4ba49b1 | RegionOne | nova_legacy | compute_legacy |
| 544e4daa8f3b41648654876a0cad7b06 | RegionOne | ec2 | ec2 |
| 8f901675d8504a5dad0039093c2d18e4 | RegionOne | nova | compute |
| 4ea0ca4e7ed04d19a76d48a0977e7c6d | RegionOne | heat-cfn | cloudformation |
| 7c269c7ae8664d1aa06014b30d55fe37 | RegionOne | glance | image |
| 735bfa3e5c2c4981a4a3f47d55b38d0f | RegionOne | neutron | network |
| 8685440e3d73467792b6c106a8d9087c | RegionOne | keystone | identity |
| 28e29f53d54c4590b79a80f3036270da | RegionOne | cinderv2 | volumev2 |
| b5b9a6fd79b241d3bdfb46d75d94c698 | RegionOne | cinder | volume |
| 397dfa4339e5419c9ce2e0ac9f2d7883 | RegionOne | s3 | s3 |
+----------------------------------+-----------+--------------+----------------+
But when inspecting the keystone endpoint I got v2 as the OS auth URL:
openstack --os-auth-url http://X.X.239.4:5000/v3/ --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password endpoint show 8685440e3d73467792b6c106a8d9087c
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| adminurl | http://X.X.239.4:35357/v2.0 |
| enabled | True |
| id | 8685440e3d73467792b6c106a8d9087c |
| internalurl | http://X.X.239.4:5000/v2.0 |
| publicurl | http://X.X.239.4:5000/v2.0 |
| region | RegionOne |
| service_id | 58c80619effb4cf7896d309d169d0f20 |
| service_name | keystone |
| service_type | identity |
+--------------+----------------------------------+
If I reissue the openstack command using the v2 URL (http://X.X.239.4:35357/v2.0), it doesn't accept the URL version:
openstack --os-auth-url http://X.X.239.4:35357/v2.0 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password endpoint show 8685440e3d73467792b6c106a8d9087c
Could not determine a suitable URL for the plugin
Are they both keystone authentication URL versions serving different purposes?
I've collected the results of some commands, hoping to have a better view of the big picture.
Identity version 2.0 (http://X.X.223.25:5000/v2.0)

NOK = Could not determine a suitable URL for the plugin
Identity version 3 (http://X.X.223.25:5000/v3)

- NOK = Authorization failed the resource could not be found (HTTP 404)
- NOK1 = Authorization failed. Authorization failed the resource could not be found
Strange that keystone.conf doesn't seem to have any reference to any auth_url:
cat /etc/keystone/keystone.conf | grep -v ^# | grep -v ^$
[DEFAULT]
max_token_size = 16384
logging_exception_prefix = %(process)d TRACE %(name)s %(instance)s
logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
logging_default_format_string = %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
logging_context_format_string = %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
debug = True
admin_token = openstack
rpc_backend = rabbit
[assignment]
driver = sql
[auth]
[cache]
[catalog]
driver = sql
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://root:[email protected]/keystone?charset=utf8
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
admin_workers = 2
admin_bind_host = 162.242.223.25
[eventlet_server_ssl]
[federation]
[fernet_tokens]
key_repository = /etc/keystone/fernet-keys/
[identity]
driver = sql
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[matchmaker_ring]
[memcache]
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_qpid]
[oslo_messaging_rabbit]
rabbit_userid = stackrabbit
rabbit_password = openstack
rabbit_hosts = 162.242.223.25
[oslo_middleware]
[oslo_policy]
[paste_deploy]
config_file = /etc/keystone/keystone-paste.ini
[policy]
[resource]
[revoke]
[role]
[saml]
[signing]
[ssl]
[token]
driver = sql
[tokenless_auth]
[trust]
- openstack unified API supports both v3 and v2 for backwards compatibility.
- python-keystoneclient only supports the Identity v2.0 API
- This explains why keystone client doesn't work with API identity v3 (NOK in 2nd table).
- The following link may suggest that swift is not properly configured for v3 auth_url (NOK1 in 2nd table).
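An added example, not part of the original post or of any OpenStack client: the Identity v2.0 and v3 password token requests side by side, showing that the `--os-user-domain-id` / `--os-project-domain-id` options used above have a field in a v3 request but none in a v2.0 one. The function names, the password value and the URL-suffix rule in `build_token_request` are assumptions for illustration; the request bodies follow the two Identity APIs.

```python
import json

DOMAIN_OPTS = ("user_domain_id", "project_domain_id")

def v2_token_request(auth_url, username, password, project_name):
    """Identity v2.0: POST <auth_url>/tokens; scope is a tenant, no domains."""
    body = {"auth": {
        "passwordCredentials": {"username": username, "password": password},
        "tenantName": project_name}}
    return auth_url.rstrip("/") + "/tokens", body

def v3_token_request(auth_url, username, password, project_name,
                     user_domain_id, project_domain_id):
    """Identity v3: POST <auth_url>/auth/tokens; names are domain-qualified."""
    user = {"name": username, "password": password,
            "domain": {"id": user_domain_id}}
    project = {"name": project_name, "domain": {"id": project_domain_id}}
    body = {"auth": {
        "identity": {"methods": ["password"], "password": {"user": user}},
        "scope": {"project": project}}}
    return auth_url.rstrip("/") + "/auth/tokens", body

def build_token_request(auth_url, username, password, project_name, **domains):
    """Choose the request shape from the URL suffix (simplified rule, assumed)."""
    base = auth_url.rstrip("/")
    given = {k: v for k, v in domains.items() if k in DOMAIN_OPTS and v}
    if base.endswith("/v3"):
        missing = [k for k in DOMAIN_OPTS if k not in given]
        if missing:
            raise ValueError("v3 needs domain options: " + ", ".join(missing))
        return v3_token_request(base, username, password, project_name, **given)
    if base.endswith("/v2.0"):
        if given:
            # v2.0 has nowhere to put a domain, so this combination cannot work.
            raise ValueError("domain options have no field in a v2.0 request")
        return v2_token_request(base, username, password, project_name)
    raise ValueError("auth URL has no /v2.0 or /v3 suffix")

if __name__ == "__main__":
    # Constructed inputs: URL placeholder as on the page, made-up password.
    url, body = build_token_request(
        "http://X.X.239.4:5000/v3/", "admin", "example-password", "admin",
        user_domain_id="default", project_domain_id="default")
    print("POST", url)
    print(json.dumps(body, indent=2))
```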