[Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

Mikhail Fedosin-2
Recently I decided to remove deprecated parameters from keystone_authtoken mistral config and replace them with recommended function of devstack [1]. In doing so, I discovered a strange behavior of configuration mechanism, and specifically parameters auth_uri and auth_url.

1. The parameter auth_url is not included in the list of the middleware parameters, there is auth_uri only [2]. Nevertheless, it must be present, because it's required by identity plugin [3]. Attempts to remove or replace it with the recommended auth_uri result with these stacktraces [4]

2. Even if auth_url is set, it can't be used later, because it is not registered in oslo_config [5]

So I would like to get an advise from keystone team and understand what I should do in such cases. Official documentation doesn't add clarity on the matter because it recommends to use auth_uri in some cases and auth_url in others.
My suggestion is to add auth_url in the list of keystone authtoken middleware config options, so that the parameter can be used by the others. 

Best,
Mike


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [hidden email]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

Gyorgy Szombathelyi
Hi Mikhail,

(I'm not from the Keystone team, but did some patches for using keystonauth1).

>
> 2. Even if auth_url is set, it can't be used later, because it is not registered in
> oslo_config [5]

auth_url is actually a dynamic parameter and depends on the keystone auth plugin used
(auth_type=xxx). The plugin which needs this parameter, registers it.

>
> So I would like to get an advise from keystone team and understand what I
> should do in such cases. Official documentation doesn't add clarity on the
> matter because it recommends to use auth_uri in some cases and auth_url in
> others.
> My suggestion is to add auth_url in the list of keystone authtoken
> middleware config options, so that the parameter can be used by the others.

Yepp, this makes some confusion, but adding auth_url will make a clash with
most (all?) authentication plugins. auth_url can be considered as an 'internal'
option for the keystoneauth1 modules, and not used by anything else (like
the keystonemiddleware itself). However if there would be a more elagant
solution, I would also hear about it.

>
> Best,
> Mike
>
Br,
György
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [hidden email]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

Mikhail Fedosin-2
Thanks György!

On Thu, Jun 15, 2017 at 1:55 PM, Gyorgy Szombathelyi <[hidden email]> wrote:
Hi Mikhail,

(I'm not from the Keystone team, but did some patches for using keystonauth1).

>
> 2. Even if auth_url is set, it can't be used later, because it is not registered in
> oslo_config [5]

auth_url is actually a dynamic parameter and depends on the keystone auth plugin used
(auth_type=xxx). The plugin which needs this parameter, registers it.

Based on this http://paste.openstack.org/show/612664/ I would say that the plugin doesn't register it :(
It either can be a bug, or it was done intentionally, I don't know.
 

>
> So I would like to get an advise from keystone team and understand what I
> should do in such cases. Official documentation doesn't add clarity on the
> matter because it recommends to use auth_uri in some cases and auth_url in
> others.
> My suggestion is to add auth_url in the list of keystone authtoken
> middleware config options, so that the parameter can be used by the others.

Yepp, this makes some confusion, but adding auth_url will make a clash with
most (all?) authentication plugins. auth_url can be considered as an 'internal'
option for the keystoneauth1 modules, and not used by anything else (like
the keystonemiddleware itself). However if there would be a more elagant
solution, I would also hear about it.

>
> Best,
> Mike
>
Br,
György
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

My final thought that we have to use both (auth_url and auth_uri) options in mistral config, which looks ugly, but necessary.

Best,
Mike


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [hidden email]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

Gyorgy Szombathelyi
>
> auth_url is actually a dynamic parameter and depends on the
> keystone auth plugin used
> (auth_type=xxx). The plugin which needs this parameter, registers it.
>
>
>
> Based on this http://paste.openstack.org/show/612664/ I would say that the
> plugin doesn't register it :( It either can be a bug, or it was done intentionally,
> I don't know.
>
It should register it after you load it, via keystonauth1.loading.load_auth_plugin_from_conf_options()
There are also register_auth_conf_options() and get_auth_plugin_conf_options,  which I think are mainly used
for listing the most used plugins' options in the debug log. But I don't think it would be wise
just to choose a plugin and register its options for auth_url, because it is ugly, I think, and can lead to
other problems.
 
>
> My final thought that we have to use both (auth_url and auth_uri) options in
> mistral config, which looks ugly, but necessary.

It's not just Mistral, but every component which uses keystonemiddleware.

>
> Best,
> Mike
Br,
György
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [hidden email]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

Gyorgy Szombathelyi
>
> >
> > auth_url is actually a dynamic parameter and depends on the
> keystone
> > auth plugin used
> > (auth_type=xxx). The plugin which needs this parameter, registers it.
> >
> >
> >
> > Based on this http://paste.openstack.org/show/612664/ I would say that
> > the plugin doesn't register it :( It either can be a bug, or it was
> > done intentionally, I don't know.
> >
> It should register it after you load it, via
> keystonauth1.loading.load_auth_plugin_from_conf_options()
> There are also register_auth_conf_options() and
> get_auth_plugin_conf_options,  which I think are mainly used for listing the
> most used plugins' options in the debug log. But I don't think it would be wise
> just to choose a plugin and register its options for auth_url, because it is ugly,
> I think, and can lead to other problems.

Another note: if you write this code, I think you should not use auth_url directly
creating the keystone client (did not look at the code in question, just thinking loud looking at the stacktrace).
Use keystoneauth1's loading.load_auth_plugin_from_conf_options()
and loading.load_session_from_conf_options(). You don't have to register anything if you're
using the [keystone_authtoken] section. Lots of components introduce another config sections
for credentials, like [nova], [neutron], in this case one has to use register_auth_conf_options()
and register_session_conf_options().


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [hidden email]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

Brant Knudson
In reply to this post by Mikhail Fedosin-2


On Thu, Jun 15, 2017 at 5:14 AM, Mikhail Fedosin <[hidden email]> wrote:
Recently I decided to remove deprecated parameters from keystone_authtoken mistral config and replace them with recommended function of devstack [1]. In doing so, I discovered a strange behavior of configuration mechanism, and specifically parameters auth_uri and auth_url.

1. The parameter auth_url is not included in the list of the middleware parameters, there is auth_uri only [2]. Nevertheless, it must be present, because it's required by identity plugin [3]. Attempts to remove or replace it with the recommended auth_uri result with these stacktraces [4]

2. Even if auth_url is set, it can't be used later, because it is not registered in oslo_config [5]

So I would like to get an advise from keystone team and understand what I should do in such cases. Official documentation doesn't add clarity on the matter because it recommends to use auth_uri in some cases and auth_url in others.

While to a human auth_uri and auth_url might look very similar they're treated completely differently by auth_token / keystoneauth. One doesn't replace the other in any way. So it shouldn't be surprising that documentation would say to use auth_uri for one thing and auth_url for something else.

 - Brant

 

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [hidden email]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

Harry Rybacki
On Thu, Jun 15, 2017 at 1:57 PM, Brant Knudson <[hidden email]> wrote:

>
>
> On Thu, Jun 15, 2017 at 5:14 AM, Mikhail Fedosin <[hidden email]> wrote:
>>
>> Recently I decided to remove deprecated parameters from keystone_authtoken
>> mistral config and replace them with recommended function of devstack [1].
>> In doing so, I discovered a strange behavior of configuration mechanism, and
>> specifically parameters auth_uri and auth_url.
>>
>> 1. The parameter auth_url is not included in the list of the middleware
>> parameters, there is auth_uri only [2]. Nevertheless, it must be present,
>> because it's required by identity plugin [3]. Attempts to remove or replace
>> it with the recommended auth_uri result with these stacktraces [4]
>>
>> 2. Even if auth_url is set, it can't be used later, because it is not
>> registered in oslo_config [5]
>>
>> So I would like to get an advise from keystone team and understand what I
>> should do in such cases. Official documentation doesn't add clarity on the
>> matter because it recommends to use auth_uri in some cases and auth_url in
>> others.
>
>
> While to a human auth_uri and auth_url might look very similar they're
> treated completely differently by auth_token / keystoneauth. One doesn't
> replace the other in any way. So it shouldn't be surprising that
> documentation would say to use auth_uri for one thing and auth_url for
> something else.
>
In this case it's probably worth filing a docs bug against Keystone.
If one person is confused by this, others likely are or will be.

- Harry

>  - Brant
>
>
>>
>> My suggestion is to add auth_url in the list of keystone authtoken
>> middleware config options, so that the parameter can be used by the others.
>>
>> Best,
>> Mike
>>
>> [1] https://review.openstack.org/#/c/473796/
>> [2]
>> https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_opts.py#L31
>> [3]
>> https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/identity.py#L37
>> [4] http://paste.openstack.org/show/612662/
>> [5] http://paste.openstack.org/show/612664/
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: [hidden email]?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: [hidden email]?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [hidden email]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

Brant Knudson


On Thu, Jun 15, 2017 at 1:12 PM, Harry Rybacki <[hidden email]> wrote:
On Thu, Jun 15, 2017 at 1:57 PM, Brant Knudson <[hidden email]> wrote:
>
>
> On Thu, Jun 15, 2017 at 5:14 AM, Mikhail Fedosin <[hidden email]> wrote:
>>
>> Recently I decided to remove deprecated parameters from keystone_authtoken
>> mistral config and replace them with recommended function of devstack [1].
>> In doing so, I discovered a strange behavior of configuration mechanism, and
>> specifically parameters auth_uri and auth_url.
>>
>> 1. The parameter auth_url is not included in the list of the middleware
>> parameters, there is auth_uri only [2]. Nevertheless, it must be present,
>> because it's required by identity plugin [3]. Attempts to remove or replace
>> it with the recommended auth_uri result with these stacktraces [4]
>>
>> 2. Even if auth_url is set, it can't be used later, because it is not
>> registered in oslo_config [5]
>>
>> So I would like to get an advise from keystone team and understand what I
>> should do in such cases. Official documentation doesn't add clarity on the
>> matter because it recommends to use auth_uri in some cases and auth_url in
>> others.
>
>
> While to a human auth_uri and auth_url might look very similar they're
> treated completely differently by auth_token / keystoneauth. One doesn't
> replace the other in any way. So it shouldn't be surprising that
> documentation would say to use auth_uri for one thing and auth_url for
> something else.
>
In this case it's probably worth filing a docs bug against Keystone.
If one person is confused by this, others likely are or will be.

- Harry


I created a bug against keystonemiddleware: https://bugs.launchpad.net/keystonemiddleware/+bug/1698401 . HTH.

- Brant
 
>  - Brant
>
>
>>
>> My suggestion is to add auth_url in the list of keystone authtoken
>> middleware config options, so that the parameter can be used by the others.
>>
>> Best,
>> Mike
>>
>> [1] https://review.openstack.org/#/c/473796/
>> [2]
>> https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_opts.py#L31
>> [3]
>> https://github.com/openstack/keystoneauth/blob/master/keystoneauth1/loading/identity.py#L37
>> [4] http://paste.openstack.org/show/612662/
>> [5] http://paste.openstack.org/show/612664/
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



--
- Brant

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [hidden email]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

Jamie Lennox-3
In reply to this post by Mikhail Fedosin-2


On 16 June 2017 at 00:44, Mikhail Fedosin <[hidden email]> wrote:
Thanks György!

On Thu, Jun 15, 2017 at 1:55 PM, Gyorgy Szombathelyi <[hidden email]> wrote:
Hi Mikhail,

(I'm not from the Keystone team, but did some patches for using keystonauth1).

>
> 2. Even if auth_url is set, it can't be used later, because it is not registered in
> oslo_config [5]

auth_url is actually a dynamic parameter and depends on the keystone auth plugin used
(auth_type=xxx). The plugin which needs this parameter, registers it.

Based on this http://paste.openstack.org/show/612664/ I would say that the plugin doesn't register it :(
It either can be a bug, or it was done intentionally, I don't know.
 

>
> So I would like to get an advise from keystone team and understand what I
> should do in such cases. Official documentation doesn't add clarity on the
> matter because it recommends to use auth_uri in some cases and auth_url in
> others.
> My suggestion is to add auth_url in the list of keystone authtoken
> middleware config options, so that the parameter can be used by the others.

Yepp, this makes some confusion, but adding auth_url will make a clash with
most (all?) authentication plugins. auth_url can be considered as an 'internal'
option for the keystoneauth1 modules, and not used by anything else (like
the keystonemiddleware itself). However if there would be a more elagant
solution, I would also hear about it.

>
> Best,
> Mike
>
Br,
György
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@...enstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

My final thought that we have to use both (auth_url and auth_uri) options in mistral config, which looks ugly, but necessary.

Best,
Mike


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Hi,

I feel like the question has been answered in the thread, but as i'm largely responsible for this I thought i'd pipe up here.

It's annoying and unfortunate that auth_uri and auth_url look so similar. They've actually existed for some time side by side and ended up like that out of evolution rather that any thought. Interestingly the first result for auth_uri in google is [1]. I'd be happy to rename it for something else if we can agree on what.

Regarding your paste (and the reason i popped up), i would consider this a bug in mistral. The auth options aren't registered into oslo.config until just before the plugin is loaded because depending on what you put in for auth_type the options may be different. In practice pretty much every plugin has an auth_url, but mistral shouldn't be assuming anything about the structure of [keystone_authtoken]. That's the sole responsibility of keystonemiddleware and it does change over time.

Jamie



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [hidden email]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Keystone][Mistral][Devstack] Confusion between auth_url and auth_uri in keystone middleware

Mikhail Fedosin-2
Thanks for your help folks!

I proposed a patch for mistral and it seems it works now https://review.openstack.org/#/c/473796
I'm not a great expert on this issue, so it will be great if someone from keystone team could review the patch.

Best,
Mike

On Wed, Jun 21, 2017 at 4:15 AM, Jamie Lennox <[hidden email]> wrote:


On 16 June 2017 at 00:44, Mikhail Fedosin <[hidden email]> wrote:
Thanks György!

On Thu, Jun 15, 2017 at 1:55 PM, Gyorgy Szombathelyi <[hidden email]> wrote:
Hi Mikhail,

(I'm not from the Keystone team, but did some patches for using keystonauth1).

>
> 2. Even if auth_url is set, it can't be used later, because it is not registered in
> oslo_config [5]

auth_url is actually a dynamic parameter and depends on the keystone auth plugin used
(auth_type=xxx). The plugin which needs this parameter, registers it.

Based on this http://paste.openstack.org/show/612664/ I would say that the plugin doesn't register it :(
It either can be a bug, or it was done intentionally, I don't know.
 

>
> So I would like to get an advise from keystone team and understand what I
> should do in such cases. Official documentation doesn't add clarity on the
> matter because it recommends to use auth_uri in some cases and auth_url in
> others.
> My suggestion is to add auth_url in the list of keystone authtoken
> middleware config options, so that the parameter can be used by the others.

Yepp, this makes some confusion, but adding auth_url will make a clash with
most (all?) authentication plugins. auth_url can be considered as an 'internal'
option for the keystoneauth1 modules, and not used by anything else (like
the keystonemiddleware itself). However if there would be a more elagant
solution, I would also hear about it.

>
> Best,
> Mike
>
Br,
György
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@...enstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

My final thought that we have to use both (auth_url and auth_uri) options in mistral config, which looks ugly, but necessary.

Best,
Mike


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@...enstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Hi,

I feel like the question has been answered in the thread, but as i'm largely responsible for this I thought i'd pipe up here.

It's annoying and unfortunate that auth_uri and auth_url look so similar. They've actually existed for some time side by side and ended up like that out of evolution rather that any thought. Interestingly the first result for auth_uri in google is [1]. I'd be happy to rename it for something else if we can agree on what.

Regarding your paste (and the reason i popped up), i would consider this a bug in mistral. The auth options aren't registered into oslo.config until just before the plugin is loaded because depending on what you put in for auth_type the options may be different. In practice pretty much every plugin has an auth_url, but mistral shouldn't be assuming anything about the structure of [keystone_authtoken]. That's the sole responsibility of keystonemiddleware and it does change over time.

Jamie



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [hidden email]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Loading...