
[Openstack-operators] [Pike][Keystone] Multiple Keystone Endpoints?

0 votes

Hi,

Is it possible to have both v2.0 and v3 endpoints for Keystone? I’m trying to integrate a backup software into Swift, and it requires Keystone 2.0. I added the new endpoints fine, but I’m getting authentication/authorization errors:

My Endpoints
gvicopnstk01:~ # openstack endpoint list | grep -i identity
| 08b3ba7072ed44df9e7c90e99f8e71d9 | regionOne | keystone | identity | True | internal | http://gvicopnstk01:35357/v2.0 |
| 55d52d6b6cb34d33979cd3c083416d44 | RegionOne | keystone | identity | True | internal | http://gvicopnstk01:5000/v3/ |
| 6b5958647c1744a78657f2c8089ee97d | RegionOne | keystone | identity | True | admin | http://gvicopnstk01:35357/v3/ |
| 70c939d2248f4845b1d0c9e8b7c7cf09 | regionOne | keystone | identity | True | admin | http://gvicopnstk01:35357/v2.0 |
| 7e4d1c794ed1432ca28ea60b947fdc7a | RegionOne | keystone | identity | True | public | http://gvicopnstk01:5000/v3/ |
| f46214dc916947d7a557a2e1b9dc65ca | regionOne | keystone | identity | True | public | http://gvicopnstk01:5000/v2.0 |

Using v2.0 AUTH_URL
gvicopnstk01:~ # export OS_AUTH_URL=http://gvicopnstk01:35357/v2.0
gvicopnstk01:~ # swift stat
Authorization Failure. Authorization failed: (http://gvicopnstk01:35357/v2.0/auth/tokens): The resource could not be found. (HTTP 404) (Request-ID: req-ff14bc2d-dbbd-41ed-b81e-73c9397ea1d0)
gvicopnstk01:~ # openstack endpoint list
Cannot use v2 authentication with domain scope

keystone-wsgi-public.log when application tries to hit 2.0 endpoint
2017-10-26 08:43:59.255 21561 WARNING oslo_log.versionutils [req-8eb530eb-b2da-466d-9e34-7508f70b7c73 - - - - -] Deprecated: authenticate of the v2 Authentication APIs is deprecated as of Mitaka in favor of a similar function in the v3 Authentication APIs and may be removed in T.
2017-10-26 08:43:59.714 21561 WARNING keystone.common.wsgi [req-8eb530eb-b2da-466d-9e34-7508f70b7c73 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.241.121: Unauthorized: The request you have made requires authentication.
2017-10-26 08:44:04.728 21558 INFO keystone.common.wsgi [req-2f98c106-9e97-4a7a-94e9-515f8b388001 - - - - -] POST http://192.168.241.114:5000/v2.0/tokens
2017-10-26 08:44:04.729 21558 WARNING oslo_log.versionutils [req-2f98c106-9e97-4a7a-94e9-515f8b388001 - - - - -] Deprecated: authenticate of the v2 Authentication APIs is deprecated as of Mitaka in favor of a similar function in the v3 Authentication APIs and may be removed in T.
2017-10-26 08:44:05.185 21558 WARNING keystone.common.wsgi [req-2f98c106-9e97-4a7a-94e9-515f8b388001 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.241.121: Unauthorized: The request you have made requires authentication.
2017-10-26 08:52:34.534 21557 INFO keystone.common.wsgi [req-fa71683e-d4a3-4656-8eea-421caa10f841 - - - - -] POST http://192.168.241.114:5000/v2.0/tokens

When the application tried with v3 it just bombed out, after I added the v2.0 endpoints it connects but says invalid username/password and it fails.

Do I need to now instruct Swift to use the v2.0 endpoint inside swift.conf?

Thanks,
Andrew Wojnarek | Sr. Systems Engineer | ATS Group, LLC
mobile 717.856.6901 | andy.wojnarek@TheATSGroup.com
Galileo Performance Explorer Blog http://galileosuite.com/blog/ Offers Deep Insights for Server/Storage Systems


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
asked Oct 26, 2017 in openstack-operators by Andy_Wojnarek (440 points)   3 3

1 Response

0 votes

On 10/26/2017 08:10 AM, Andy Wojnarek wrote:

Hi,

 

Is it possible to have both v2.0 and v3 endpoints for Keystone? I’m
trying to integrate a backup software into Swift, and it requires
Keystone 2.0. I added the new endpoints fine, but I’m getting
authentication/authorization errors:

 

My Endpoints

gvicopnstk01:~ # openstack endpoint list | grep -i identity

| 08b3ba7072ed44df9e7c90e99f8e71d9 | regionOne | keystone | identity | True | internal | http://gvicopnstk01:35357/v2.0 |
| 55d52d6b6cb34d33979cd3c083416d44 | RegionOne | keystone | identity | True | internal | http://gvicopnstk01:5000/v3/ |
| 6b5958647c1744a78657f2c8089ee97d | RegionOne | keystone | identity | True | admin | http://gvicopnstk01:35357/v3/ |
| 70c939d2248f4845b1d0c9e8b7c7cf09 | regionOne | keystone | identity | True | admin | http://gvicopnstk01:35357/v2.0 |
| 7e4d1c794ed1432ca28ea60b947fdc7a | RegionOne | keystone | identity | True | public | http://gvicopnstk01:5000/v3/ |
| f46214dc916947d7a557a2e1b9dc65ca | regionOne | keystone | identity | True | public | http://gvicopnstk01:5000/v2.0 |

 

 

Using v2.0 AUTH_URL

gvicopnstk01:~ # export OS_AUTH_URL=http://gvicopnstk01:35357/v2.0

gvicopnstk01:~ # swift stat

Authorization Failure. Authorization failed:
(http://gvicopnstk01:35357/v2.0/auth/tokens): The resource could not
be found. (HTTP 404) (Request-ID:
req-ff14bc2d-dbbd-41ed-b81e-73c9397ea1d0)

gvicopnstk01:~ # openstack endpoint list

Cannot use v2 authentication with domain scope

 

This is resulting in a 404 Not Found because the authentication endpoint
changed from v2.0 to v3. For v2.0 it is /v2.0/tokens/ and for v3 it's
/v3/auth/tokens. Also, v2.0 doesn't have the concept of domains.
Multiple domains only really exist in the v3 API. As a result, the v2.0
API is unable to understand or issue domain-scoped tokens. It can also
only authenticate users who are in the default domain as defined in
keystone's configuration file [0].

What happens if you set ST_AUTH_VERSION=3 [1]?

[0]
https://docs.openstack.org/keystone/latest/configuration/config-options.html#identity.default_domain_id
[1]
https://github.com/openstack/python-swiftclient/blob/0982791db2ccb851f277ffa653065e4021e52b3f/doc/source/cli/index.rst#authentication

keystone-wsgi-public.log when application tries to hit 2.0 endpoint

2017-10-26 08:43:59.255 21561 WARNING oslo_log.versionutils
[req-8eb530eb-b2da-466d-9e34-7508f70b7c73 - - - - -] Deprecated:
authenticate of the v2 Authentication APIs is deprecated as of Mitaka
in favor of a similar function in the v3 Authentication APIs and may
be removed in T.

2017-10-26 08:43:59.714 21561 WARNING keystone.common.wsgi
[req-8eb530eb-b2da-466d-9e34-7508f70b7c73 - - - - -] Authorization
failed. The request you have made requires authentication. from
192.168.241.121: Unauthorized: The request you have made requires
authentication.

2017-10-26 08:44:04.728 21558 INFO keystone.common.wsgi
[req-2f98c106-9e97-4a7a-94e9-515f8b388001 - - - - -] POST
http://192.168.241.114:5000/v2.0/tokens

2017-10-26 08:44:04.729 21558 WARNING oslo_log.versionutils
[req-2f98c106-9e97-4a7a-94e9-515f8b388001 - - - - -] Deprecated:
authenticate of the v2 Authentication APIs is deprecated as of Mitaka
in favor of a similar function in the v3 Authentication APIs and may
be removed in T.

2017-10-26 08:44:05.185 21558 WARNING keystone.common.wsgi
[req-2f98c106-9e97-4a7a-94e9-515f8b388001 - - - - -] Authorization
failed. The request you have made requires authentication. from
192.168.241.121: Unauthorized: The request you have made requires
authentication.

2017-10-26 08:52:34.534 21557 INFO keystone.common.wsgi
[req-fa71683e-d4a3-4656-8eea-421caa10f841 - - - - -] POST
http://192.168.241.114:5000/v2.0/tokens

 

When the application tried with v3 it just bombed out, after I added
the v2.0 endpoints it connects but says invalid username/password and
it fails.

 

Do I need to now instruct Swift to use the v2.0 endpoint inside
swift.conf?

 

Thanks,

Andrew Wojnarek |  Sr. Systems Engineer    | ATS Group, LLC

mobile 717.856.6901 | andy.wojnarek@TheATSGroup.com

Galileo Performance Explorer Blog Offers Deep Insights for Server/Storage Systems



responded Oct 26, 2017 by Lance_Bragstad (11,080 points)   2 3 6
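
The two token requests the reply contrasts, as an added example that is not part of the original thread or of Keystone's own code: it builds the v2.0 and v3 password requests and rejects the two mismatches seen in the question (a v2.0 URL used by a v3 client, and domain options sent to v2.0). Function names and credentials are constructed, and `default` as the fallback domain ID is an assumption matching Keystone's stock `default_domain_id`.

```python
import json
from urllib.parse import urlsplit

# Token paths as given in the reply: v2.0 uses /tokens, v3 uses /auth/tokens.
TOKEN_PATH = {"2.0": "/tokens", "3": "/auth/tokens"}


def url_version(auth_url):
    """Return the Identity API version named in the URL path, or None."""
    last = urlsplit(auth_url).path.rstrip("/").rsplit("/", 1)[-1]
    return {"v2.0": "2.0", "v3": "3"}.get(last)


def build_token_request(auth_url, auth_version, user, password, project,
                        user_domain_id=None, project_domain_id=None):
    """Return (url, json_body) for a password token request.

    Raises ValueError when URL, client version and domain options disagree."""
    if auth_version not in TOKEN_PATH:
        raise ValueError(f"unsupported auth version {auth_version!r}")
    base, named = auth_url.rstrip("/"), url_version(auth_url)
    if named is None:
        base += "/v" + auth_version  # unversioned URL: append the version
    elif named != auth_version:
        # The thread's 404: a /v2.0 URL plus a v3 client gives /v2.0/auth/tokens.
        raise ValueError(f"URL names v{named}, client speaks v{auth_version}")
    if auth_version == "2.0":
        if user_domain_id or project_domain_id:
            raise ValueError("v2.0 has no domains; unset the domain options")
        auth = {"passwordCredentials": {"username": user, "password": password},
                "tenantName": project}
    else:
        # Assumption: "default" is the domain ID when none is supplied.
        user_ref = {"name": user, "password": password,
                    "domain": {"id": user_domain_id or "default"}}
        auth = {"identity": {"methods": ["password"],
                             "password": {"user": user_ref}},
                "scope": {"project": {
                    "name": project,
                    "domain": {"id": project_domain_id or "default"}}}}
    return base + TOKEN_PATH[auth_version], json.dumps({"auth": auth})


if __name__ == "__main__":
    # Constructed credentials; the host name is the one used in the thread.
    for ver, url in (("2.0", "http://gvicopnstk01:5000/v2.0"),
                     ("3", "http://gvicopnstk01:5000/v3/")):
        target, body = build_token_request(url, ver, "backup", "s3cret", "bk")
        print(ver, target, body.replace("s3cret", "***"))
```

Running the mismatch checks before a client ever sends credentials keeps a misconfigured backup tool from generating the repeated 401/404 noise shown in the Keystone log.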
...