When will the internal endpoint be used?

asked 2013-12-20 22:00:31 -0500

anonymous user


I noticed that most of the connections between components use the publicURL endpoint. But the keystone service catalog contains three types of endpoint URLs: publicURL, internalURL and adminURL. Could I configure the components to use internalURL to communicate with each other, to isolate them? And what is the purpose of having those three types of URL in the service catalog?

2 answers


answered 2014-03-27 18:57:19 -0500

9lives

By looking at keystone-paste.ini, we can see the difference between the public API and the admin API:

pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v2 json_body ec2_extension user_crud_extension public_service

pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v2 json_body ec2_extension s3_extension crud_extension admin_service

The major difference is that the admin API uses crud_extension and admin_service. The first one is for the user who has admin_role to bootstrap keystone; the second one is for starting the WSGI server listening on the admin port specified in keystone.conf.

The other projects that use keystone as their auth strategy are keystone service consumers, so I think they should all use the public API, not the admin API, i.e. they will use the public URL/internal URL to interact with keystone.

Hope that helps!



answered 2013-12-20 23:43:56 -0500

dheeru

updated 2014-03-27 17:13:30 -0500

smaffulli

There are different API endpoints exposed by each service. Each of these services exposes a different set or a subset of APIs. APIs available through the admin URL may not be available through the public APIs.

E.g. the following are different endpoints.


Here publicurl and internalurl are the same and adminurl is different. So APIs available at adminurl are not available at public/internal. In some cases public, internal and admin are all the same. That is to say, there is no difference among them.

I'm not quite clear from your question on which component you are trying this. Is it keystone or nova or some other component? Also, what is the use case you are trying to solve? Is it for understanding these URLs, or are you trying to solve some real-world use case?


Hi, dheeru, thanks for your answer. I know that the different URLs have different access authority. But I don't know when or where those different URLs will be used. E.g., which kind of URL will be used when nova exchanges messages with keystone or neutron?

huwei-xtu ( 2013-12-21 00:41:19 -0500 )

Got it. At least according to my understanding, except for keystone, the URL endpoints for all the components are the same. As of now only keystone must be making the differentiation between admin and public/internal URLs. All other components must be offering the same service using different endpoints. So there is no difference for other components. In the case of keystone, using the URL with port 5000 may still work, as the nova service component may not be making any administrative API calls to keystone internally. Generally, administrative APIs cover other API sets as well. Hope it gives good info for you.

dheeru ( 2013-12-21 07:12:38 -0500 )

Thanks, got it.

huwei-xtu ( 2013-12-21 07:24:26 -0500 )

If you have any specific questions, do let us know. Stackers will definitely revert to you with a good answer. Enjoy OpenStack.

dheeru ( 2013-12-21 07:30:05 -0500 )
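
An added example, not part of the original thread and not OpenStack's own code: selecting one interface from a Keystone v2.0-style service catalog without silently falling back to another, and auditing whether adminURL is a separate endpoint and whether internalURL points at a different host than publicURL. The catalog contents, hosts, admin port and function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample in the Keystone v2.0 access.serviceCatalog layout.
# Hosts, the admin port and the TENANT path segment are placeholders,
# not values taken from the thread.
SAMPLE_CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [{
        "region": "RegionOne",
        "publicURL": "https://api.example.test:5000/v2.0",
        "internalURL": "http://10.0.0.10:5000/v2.0",
        "adminURL": "http://10.0.0.10:35357/v2.0"}]},
    {"type": "compute", "name": "nova", "endpoints": [{
        "region": "RegionOne",
        "publicURL": "https://api.example.test:8774/v2/TENANT",
        "internalURL": "https://api.example.test:8774/v2/TENANT",
        "adminURL": "https://api.example.test:8774/v2/TENANT"}]},
]
INTERFACES = ("publicURL", "internalURL", "adminURL")


def pick_endpoint(catalog, service_type, interface="internalURL", region=None):
    """Return the URL for one interface; fail instead of silently using another."""
    if interface not in INTERFACES:
        raise ValueError("unknown interface: %r" % interface)
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for endpoint in service.get("endpoints", []):
            if region is None or endpoint.get("region") == region:
                if endpoint.get(interface):
                    return endpoint[interface]
    raise LookupError("no %s for service %r" % (interface, service_type))


def audit_catalog(catalog):
    """Per service type: is adminURL a separate endpoint, and does
    internalURL point at a different host than publicURL?"""
    report = {}
    for service in catalog:
        for endpoint in service.get("endpoints", []):
            public, internal, admin = (endpoint.get(k, "") for k in INTERFACES)
            report[service["type"]] = {
                "admin_distinct": admin not in (public, internal),
                "internal_isolated":
                    urlsplit(internal).hostname != urlsplit(public).hostname,
            }
    return report


if __name__ == "__main__":
    print(pick_endpoint(SAMPLE_CATALOG, "identity"))
    print(audit_catalog(SAMPLE_CATALOG))
```

A service that reports `internal_isolated: False` sends service-to-service traffic to the same host as external clients, so pointing components at internalURL gives no network separation until the catalog entry itself is changed.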



Asked: 2013-12-20 22:00:31 -0500

Seen: 6,487 times

Last updated: Mar 27 '14