On 10/26/2017 08:10 AM, Andy Wojnarek wrote:
> Hi,
>
> Is it possible to have both v2.0 and v3 endpoints for Keystone? I’m
> trying to integrate a backup software into Swift, and it requires
> Keystone 2.0. I added the new endpoints fine, but I’m getting
> authentication/authorization errors:
>
> *_My Endpoints_*
>
> gvicopnstk01:~ # openstack endpoint list | grep -i identity
> | 08b3ba7072ed44df9e7c90e99f8e71d9 | regionOne | keystone | identity | True | internal | http://gvicopnstk01:35357/v2.0 |
> | 55d52d6b6cb34d33979cd3c083416d44 | RegionOne | keystone | identity | True | internal | http://gvicopnstk01:5000/v3/ |
> | 6b5958647c1744a78657f2c8089ee97d | RegionOne | keystone | identity | True | admin | http://gvicopnstk01:35357/v3/ |
> | 70c939d2248f4845b1d0c9e8b7c7cf09 | regionOne | keystone | identity | True | admin | http://gvicopnstk01:35357/v2.0 |
> | 7e4d1c794ed1432ca28ea60b947fdc7a | RegionOne | keystone | identity | True | public | http://gvicopnstk01:5000/v3/ |
> | f46214dc916947d7a557a2e1b9dc65ca | regionOne | keystone | identity | True | public | http://gvicopnstk01:5000/v2.0 |
>
> *_Using v2.0 AUTH_URL_*
>
> gvicopnstk01:~ # export OS_AUTH_URL=http://gvicopnstk01:35357/v2.0
> gvicopnstk01:~ # swift stat
> Authorization Failure. Authorization failed: (http://gvicopnstk01:35357/v2.0/auth/tokens): The resource could not be found. (HTTP 404) (Request-ID: req-ff14bc2d-dbbd-41ed-b81e-73c9397ea1d0)
> gvicopnstk01:~ # openstack endpoint list
> Cannot use v2 authentication with domain scope

This is resulting in a 404 Not Found because the authentication endpoint
changed from v2.0 to v3. For v2.0 it is /v2.0/tokens/ and for v3 it's
/v3/auth/tokens.

Also, v2.0 doesn't have the concept of domains. Multiple domains only
really exist in the v3 API. As a result, the v2.0 API is unable to
understand or issue domain-scoped tokens. It can also only authenticate
users who are in the default domain as defined in keystone's
configuration file [0].

What happens if you set ST_AUTH_VERSION=3 [1]?

[0] https://docs.openstack.org/keystone/latest/configuration/config-options.html#identity.default_domain_id
[1] https://github.com/openstack/python-swiftclient/blob/0982791db2ccb851f277ffa653065e4021e52b3f/doc/source/cli/index.rst#authentication

> *_keystone-wsgi-public.log when application tries to hit 2.0 endpoint_*
>
> 2017-10-26 08:43:59.255 21561 WARNING oslo_log.versionutils [req-8eb530eb-b2da-466d-9e34-7508f70b7c73 - - - - -] Deprecated: authenticate of the v2 Authentication APIs is deprecated as of Mitaka in favor of a similar function in the v3 Authentication APIs and may be removed in T.
> 2017-10-26 08:43:59.714 21561 WARNING keystone.common.wsgi [req-8eb530eb-b2da-466d-9e34-7508f70b7c73 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.241.121: Unauthorized: The request you have made requires authentication.
> 2017-10-26 08:44:04.728 21558 INFO keystone.common.wsgi [req-2f98c106-9e97-4a7a-94e9-515f8b388001 - - - - -] POST http://192.168.241.114:5000/v2.0/tokens
> 2017-10-26 08:44:04.729 21558 WARNING oslo_log.versionutils [req-2f98c106-9e97-4a7a-94e9-515f8b388001 - - - - -] Deprecated: authenticate of the v2 Authentication APIs is deprecated as of Mitaka in favor of a similar function in the v3 Authentication APIs and may be removed in T.
> 2017-10-26 08:44:05.185 21558 WARNING keystone.common.wsgi [req-2f98c106-9e97-4a7a-94e9-515f8b388001 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.241.121: Unauthorized: The request you have made requires authentication.
> 2017-10-26 08:52:34.534 21557 INFO keystone.common.wsgi [req-fa71683e-d4a3-4656-8eea-421caa10f841 - - - - -] POST http://192.168.241.114:5000/v2.0/tokens
>
> When the application tried with v3 it just bombed out, after I added
> the v2.0 endpoints it connects but says invalid username/password and
> it fails.
>
> Do I need to now instruct Swift to use the v2.0 endpoint inside
> swift.conf?
>
> Thanks,
>
> Andrew Wojnarek | Sr. Systems Engineer | ATS Group, LLC
> mobile 717.856.6901 | andy.wojna...@theatsgroup.com <mailto:andy.wojna...@theatsgroup.com>
> *Galileo Performance Explorer Blog* <http://galileosuite.com/blog/>* Offers Deep Insights for Server/Storage Systems*
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
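An added example, not part of either message and not keystone or python-swiftclient code: the two token requests the reply distinguishes, built offline in Python so the URL mismatch and the missing domain field can be seen side by side. The function names, the sample user, password, project and domain are constructed, and the default domain id is assumed to be `default`.

```python
import json

# Path each API version appends to its auth URL, per the reply above.
SUFFIX = {"2.0": "/tokens", "3": "/auth/tokens"}


def url_version(auth_url):
    """Version named by the last path segment of the auth URL, or None."""
    last = auth_url.rstrip("/").rsplit("/", 1)[-1]
    return {"v2.0": "2.0", "v3": "3"}.get(last)


def post_target(auth_url, client_version):
    """URL a client speaking client_version will POST to, and whether the
    auth URL actually names that version."""
    url = auth_url.rstrip("/") + SUFFIX[client_version]
    return url, url_version(auth_url) == client_version


def token_body(version, user, password, project, domain_id="default",
               default_domain_id="default"):
    """JSON body of a password token request. Nothing is sent.
    default_domain_id mirrors [identity] default_domain_id in keystone's
    configuration; the value "default" is an assumption here."""
    if version == "2.0":
        if domain_id != default_domain_id:
            # v2.0 has no domain field, so this user cannot be addressed.
            raise ValueError("v2.0 cannot authenticate domain %r" % domain_id)
        auth = {"tenantName": project,
                "passwordCredentials": {"username": user, "password": password}}
    elif version == "3":
        domain = {"id": domain_id}
        auth = {"identity": {"methods": ["password"], "password": {"user": {
                    "name": user, "domain": domain, "password": password}}},
                "scope": {"project": {"name": project, "domain": domain}}}
    else:
        raise ValueError("unknown identity API version %r" % version)
    return json.dumps({"auth": auth}, sort_keys=True)


if __name__ == "__main__":
    # Constructed credentials; the host name is the one in the thread.
    print(post_target("http://gvicopnstk01:35357/v2.0", "3"))
    print(post_target("http://gvicopnstk01:5000/v3/", "3"))
    print(token_body("2.0", "backup", "constructed-pw", "service"))
    print(token_body("3", "backup", "constructed-pw", "service", "backupdom"))
```

The first `post_target` call reproduces the URL from the 404 in the original message: a v3 client pointed at a v2.0 auth URL.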