Ask Your Question

difference between keystone port 5000 and 35357 ?

asked 2015-06-02 06:37:21 -0500

deeghuge gravatar image

Hello, What is difference between keystone port 5000[public port] and 35357[admin port]. I am not able to locate the details of what things works with 5000 and 35357. What is difference between these port and when to use which port.

Which port is required if i am planning use only swift with keystone ?

edit retag flag offensive close merge delete

5 answers

Sort by ยป oldest newest most voted

answered 2015-06-02 11:46:31 -0500

updated 2015-06-02 21:09:09 -0500

If you are using keystone v3, it doesn' t matter as all the operations are available in both port 5000 and 35357. In v2 only few operations are available at port 5000

That link is missing couple of apis.

edit flag offensive delete link more


just wondering, if in v3 both ports offer same functionality then why there are two different port ?

deeghuge gravatar imagedeeghuge ( 2015-06-03 10:49:15 -0500 )edit

Backward compatibility. Since v2 listens on 2 ports, v3 too has to listen on both the ports till v2 is removed fully. By default there is no difference, that doesn't mean you can't customize which apis are allowed in each ports.

Haneef Ali gravatar imageHaneef Ali ( 2015-06-03 13:57:37 -0500 )edit

answered 2015-06-02 07:52:22 -0500

SGPJ gravatar image

Please find answer from Haneef Ali:

1) No, there is no difference. Only certain operations are exposed at 5000 and all of them except one is exposed at 35357. In most of the cases you will be fine if you just use 35357

2) You should be authorized to invoke any identity operations. Authorization is defined by the role that the token have. Unscoped token doesn't have any role. So using unsciped token you cannot invoke any opearation.

3) It should not be the case. Are you sure you are using same token and username,password, tenant are same in both the cases

Update 1:

I didn't even notice this so far. I believe it is wrong design

5000:/v2.0/tenants -- Maps to "get_projects_for_token" . This doesn't even care about scope of token.

35357:/v2.0/tenants -- Maps to get_all_tenants which requires scoped token

BTW policy file is used only for v3 apis. These are v2.0 apis, and most of the v2.0 api just use one line from the policy file which is "admin" definition in the policy file


edit flag offensive delete link more

answered 2015-06-02 08:22:39 -0500

Vinoth gravatar image

Admin-role API ---> 35357

Member-role API -----> 5000

edit flag offensive delete link more

answered 2017-06-20 09:56:55 -0500

updated 2017-06-20 10:32:21 -0500

Keystone identity API provides accces to a user at privilage some levels. Just rizz though the concepts of endpoints you will get to know the difference.

For the time being understand that --

1) PORT 35357 is used for authentication for accesing admin privilages via keystone and

2) PORT 5000 is used for public authentication i.e for end users.

Which port is required if i am planning use only swift with keystone ?

Answer is PORT 5000

edit flag offensive delete link more

answered 2017-05-23 04:15:49 -0500

amirdhaoui gravatar image

I wonder how to change port 5000 to http/https ?

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-06-02 06:37:21 -0500

Seen: 15,891 times

Last updated: Jun 20 '17