
Keystone: unable to use the public endpoint

asked 2015-06-07 17:35:05 -0500

jlausuch

updated 2015-06-07 17:40:54 -0500

Hi,

I am trying to run commands from an external machine using the public API towards my OpenStack installation. This is the error I get for example when trying keystone commands:

keystone user-list
Unable to establish connection to http://192.168.0.2:35357/v2.0/users

  • The public IP range is 172.30.9.0/24 and the OS management is 192.168.0.2/24.
  • The env var OS_AUTH_URL is set to http://172.30.9.70:5000/v2.0

Only when I configure an IP in the mgmt range from my external machine everything works. Actually, keystone catalog shows (along with other things):

Service: identity
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminURL  |  http://192.168.0.2:35357/v2.0   |
|      id     | 341bfbcf86f44f219357f8527c3c8b15 |
| internalURL |   http://192.168.0.2:5000/v2.0   |
|  publicURL  |   http://172.18.0.70:5000/v2.0   |
|    region   |            RegionOne             |
+-------------+----------------------------------+

Also,

$ keystone discover
Keystone found at http://172.18.0.70:5000/v2.0
    - supports version v2.0 (stable) here http://172.18.0.70:5000/v2.0/
        - and OS-REVOKE: OpenStack Revoke API
        - and OS-FEDERATION: OpenStack Federation APIs
        - and OS-KSCRUD: OpenStack Keystone User CRUD
        - and OS-EC2: OpenStack EC2 API
        - and OS-SIMPLE-CERT: OpenStack Simple Certificate API

But I want to avoid having an IP in the OS-mgmt range on my external machine. What am I missing here, if I'm telling OS to use 172.30.9.0/24 with OS_AUTH_URL?


2 answers


answered 2015-06-07 23:27:49 -0500

updated 2015-06-07 23:34:29 -0500

You can't use the public endpoint, as the keystone client is hardcoded to use the admin endpoint. OS_AUTH_URL is only used to get the initial token; after that, the admin endpoint in the catalog is used.

If you want a workaround, you can do

keystone token-get

Once you get the token, do

keystone --os-token token_got_in_previous_step --os-service-endpoint your_public_endpoint user-list

BTW, please use the openstack client, as the keystone command-line client is deprecated.

BTW, we are working on fixing this by adding one more environment variable which can be used to select the endpoint. This will be available only for keystone v3 APIs using the openstack client. I will update once that fix lands.

https://review.openstack.org/#/c/185193/

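The behaviour this answer describes, as an added example that is not part of the original answer and is not keystone client code: a small offline check of which catalog endpoint a client pinned to the admin interface will call, and whether that address is routable from the caller's networks. The function names and the `REACHABLE` list are assumptions made for illustration; the identity entry is copied from the catalog output in the question.

```python
import ipaddress
from urllib.parse import urlparse

# Identity entry as printed by `keystone catalog` in the question.
IDENTITY = {
    "adminURL": "http://192.168.0.2:35357/v2.0",
    "internalURL": "http://192.168.0.2:5000/v2.0",
    "publicURL": "http://172.18.0.70:5000/v2.0",
}
# Assumption: networks the external machine can route to (public side only).
REACHABLE = ["172.30.9.0/24", "172.18.0.0/24"]


def endpoint_ip(url):
    """Return the IP address in an endpoint URL, or None if it is a hostname."""
    host = urlparse(url).hostname
    if host is None:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None  # hostnames would need DNS; out of scope for an offline check


def routable(url, networks):
    """True if the endpoint's IP falls inside one of the caller's networks."""
    addr = endpoint_ip(url)
    if addr is None:
        return False
    return any(addr in ipaddress.ip_network(n) for n in networks)


def plan(catalog, networks, interface="adminURL"):
    """Describe the call a client pinned to `interface` will make after the
    initial token request: its target URL, whether that target is routable,
    and which catalog interfaces are routable from these networks."""
    target = catalog[interface]
    usable = sorted(k for k, u in catalog.items() if routable(u, networks))
    return {"target": target, "ok": routable(target, networks), "usable": usable}


if __name__ == "__main__":
    # Token request to OS_AUTH_URL succeeds; the follow-up call goes to adminURL.
    print(plan(IDENTITY, REACHABLE))
```

Adding `192.168.0.0/24` to `REACHABLE` models the asker's observation that everything works once the external machine has an address in the management range.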

answered 2015-06-08 03:24:04 -0500

jlausuch

Ok. That clarifies my question. Thanks!

My problem is that I run a tool which uses keystone CLI internally, and cannot change that code (at least easily) using --os-service-endpoint. I was trying to reproduce the problem for this example using a simple keystone command.

So, I guess my only option for now is to have an IP in the OS-mgmt network, right?


Comments

Yes. This is only for the keystone client. All other clients use the public endpoint.

Haneef Ali ( 2015-06-08 11:01:52 -0500 )

Ok. Thanks a lot!

jlausuch ( 2015-06-08 11:28:49 -0500 )


Stats

Asked: 2015-06-07 17:35:05 -0500

Seen: 1,599 times

Last updated: Jun 08 '15