Ask Your Question

Get keystone auth token via Horizon URL

asked 2014-10-14 21:52:53 -0500

ed gravatar image

updated 2014-10-14 21:54:34 -0500

I'm on the very early stages of developing an app for android to manage openstack services and would like to get the user credentials/tokens on keystone to get data and execute commands via the horizon URL. I'm using IceHouse on Ubuntu 14.04.

In my particular use case I have keystone running on my internal server "http://localhost:5000/v3/auth/tokens" which would allow me to use my app fine with JSON to get information from other services and execute commands however I'd have to be on the same network as my server for it to work.

On the other hand I have my horizon URL published externally on the internet at the address "" which is available from anywhere and gives me access to my OpenStack services fine via browser on a desktop. I'd like to do the same on android, would it be possible? Is there a way for my app to send JSON requests to horizon at and get the authentication tokens from keystone indirectly?

I should mention I'm not a very experienced developer and any help would be amazing! Thanks

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2014-10-22 20:27:09 -0500

ed gravatar image

updated 2014-10-22 20:29:39 -0500

I found a way using my current NGINX reverse proxy, just added a custom location to my horizon site:

 location ^~ /authapi/ {
          proxy_pass http://keystone:5000/;

And now I can access keystone externally on and get the endpoints via JSON however I still get them as:

adminURL: "http://internal_addr:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
publicURL: "http://internal_addr:8774/v2/xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

I can create separate custom locations on NGINX for each endpoint but how do I update the endpoints on the keystone DB so the internal services still communicate using the internal address but just external clients access the externally available endpoints? I believe internally they'll still use whatever is on "publicURL", right?

Would there be any easier way of accomplishing external access?

edit flag offensive delete link more

answered 2014-10-15 13:01:33 -0500

larsks gravatar image

An OpenStack deployment would normally expose the Keystone API to wherever people expect to be running OpenStack clients. That is, rather than hosting keystone at localhost, you would expose the Keystone API, and you would have your app talk directly to this API.

You would not attempt to execute commands via Horizon; you would talk to the OpenStack REST APIs directly. Horizon is only meant as a user interface, not as an application interface.

The REST APIs are documented here.

edit flag offensive delete link more


So it's not possible to proxy the API requests from a web server externally accessible on port 443 (HTTPS) to an internal keystone server on port 5000? Would there be any alternative scenario where it's possible to access the APIs without accessing directly keystone in a secure way?

ed gravatar imageed ( 2014-10-19 20:54:19 -0500 )edit

In other words, I'm working on creating an app similar to AWS Console ( ) but for OpenStack. It allows me to access all my AWS environment from anywhere and I'd like to make an OpenStack app to do exactly that.

ed gravatar imageed ( 2014-10-19 20:58:20 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2014-10-14 21:52:53 -0500

Seen: 1,945 times

Last updated: Oct 22 '14