I noticed most of the connection between components are used publicURL endpoint ? But in keystone service catalog it contains three type endpoint urls, which are publicURL, internalURL and adminURL. Could I configure the components to use internalURL to communicate with each other to isolate them ? And what is the destination to contains those three type URL in service catalog ?
By lookin at the keystone-paste.ini , we can see the difference between public api and admin api
[pipeline:public_api]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v2 json_body ec2_extension user_crud_extension public_service
[pipeline:admin_api]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v2 json_body ec2_extension s3_extension crud_extension admin_service
major difference is admin api use the crud_extension and admin_service , the first one is for the user who has admin_role to bootstrap the keystone, the second one is for start the WSGI server listen on the admin port specified i the keystone.conf.
For the other projects who use the keystone as auth strategy, they are the keystone service consumers, so i think they should all use the public api not admin_api, ie. they will use the public url/internal url to interact with keystone.
Hope that helps!
Vic
There are different API endpoints exposed by each service. Each of these service expose different or subset of APIs. APIs available through ADMIN url may not be available through public APIs.
E.g following are different endpoints.
--publicurl=http://controller:5000/v2.0
--internalurl=http://controller:5000/v2.0
--adminurl=http://controller:35357/v2.0
Here publicurl and internalurl are same and adminurl is different. So APIs available in adminurl are not available in public/internal. In some case all public, internal and admin are same. It means to say that there is not different among them.
I'm not quite clear from you question on which component you trying this. Is it keystone or nova or some other component. Also what is the use case you are trying to solve? Is it for understanding these URLs or are you trying to solve some real world use case?
Got it. At least according to my understanding except keystone, URL endpoints for all the components are same. As of now only keystone must making the differentiation between admin and public/internal urls. All other components must be offering the same service using different endpoints. So there is no difference for other components. In case of keystone using URL with port 5000 may still work as nova service component may not making any administrative API call to keystone internally. Generally administrative APIs covers other API sets as well. Hope it gives good info for you.
Asked: 2013-12-20 22:00:31 -0600
Seen: 6,372 times
Last updated: Mar 27 '14
