Ask Your Question

glance authentication with keystone

asked 2014-09-15 11:18:33 -0500

Arumon gravatar image

updated 2014-09-16 13:16:35 -0500

mpetason gravatar image


I have Three different networks available to segragate admin, internal and public. I have created keystone endpoints with three different urls respectively. Now when i am configuring glance i am getting confused which url needs to be configured on glance api and registry to authenticate with keystone. As my public and internal urls are listening on the same port number 5000 which one should i use? Please help me to understand the difference between the configuration options auth_uri, auth_host, auth_port.

openstack-config --set /etc/glance/glance-api.conf keystone_authtoken \
auth_uri http://controller:5000
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken \
auth_host controller
openstack-config --set /etc/glance/glance-api.conf keystone_authtoken \
auth_port 35357

Regards, Arumon

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2014-09-16 13:37:39 -0500

updated 2014-09-17 11:39:36 -0500

In keystone v2, there are 2 sets of APIs.

Public API's which are listening on port 5000 allows only token and get tenant operation

Admin APIS which are listening on port 35357 allows all the operation.

If you want to do user-create, you can't use public endpoint in v2.0, it has to be admin endpoint since that is the default configuration. In keystone v3 api, there is no distinction between public and admin endpoint ( This is based on default paste.ini).

As a deployer you can change the default paste.ini and allow only specific operations in public port

edit flag offensive delete link more


+1 For the brilliant explanation

Syed Awais Ali gravatar imageSyed Awais Ali ( 2014-09-17 00:47:28 -0500 )edit

Thanks!!! for good answer.

SGPJ gravatar imageSGPJ ( 2014-09-22 09:44:21 -0500 )edit

About time that was cleared up, simply put and clear. Thank you : ) From a search meta perspective, worth noting that in addition to glance, this is true for any service authenticating with keystone: neutron, cinder, etc

Marten Hauville gravatar imageMarten Hauville ( 2014-12-19 04:34:49 -0500 )edit

answered 2014-09-15 12:01:15 -0500

larsks gravatar image

First, auth_uri and auth_host, auth_port, etc. are simply two different ways of providing the same information. That is, if you do not provide auth_uri, it is generated like this:


Regarding the various endpoints, it doesn't particularly matter which one you use as long as Glance can reach it. You would typically point Glance at the "internal" address of your Keystone server. Looking at the documentation, it looks like Glance wants the "non-admin" API, which is on port 5000.

edit flag offensive delete link more


Thanks for the reply larsks. My confusion is why two different ways of providing the same information. The auth_uri is pointing to port 5000 and auth_port is pointing to 35357, hence suspect there is some specific reason.

Arumon gravatar imageArumon ( 2014-09-15 13:19:01 -0500 )edit

If you look at the keystone endpoints they have different labels. Public/Private/Admin. The ports + host addresses give you a way of limiting access with a firewall or by putting them on a network that is only accessible by certain users.

mpetason gravatar imagempetason ( 2014-09-16 13:39:09 -0500 )edit

And another great clarifying point. This has been confusing for the longest time, thanks : )

Marten Hauville gravatar imageMarten Hauville ( 2014-12-19 04:35:53 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2014-09-15 11:18:33 -0500

Seen: 676 times

Last updated: Sep 17 '14