Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 07973200BF3 for ; Thu, 5 Jan 2017 20:30:26 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id 05FED160B33; Thu, 5 Jan 2017 19:30:26 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id CD4FC160B26 for ; Thu, 5 Jan 2017 20:30:24 +0100 (CET) Received: (qmail 36979 invoked by uid 500); 5 Jan 2017 19:30:23 -0000 Mailing-List: contact user-help@jclouds.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@jclouds.apache.org Delivered-To: mailing list user@jclouds.apache.org Received: (qmail 36969 invoked by uid 99); 5 Jan 2017 19:30:23 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 05 Jan 2017 19:30:23 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id 739DC1A7AD9 for ; Thu, 5 Jan 2017 19:30:23 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 2.231 X-Spam-Level: ** X-Spam-Status: No, score=2.231 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=2, KAM_LOTSOFHASH=0.25, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, WEIRD_PORT=0.001] autolearn=disabled Authentication-Results: spamd2-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=enterprisedb-com.20150623.gappssmtp.com Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id 9V3v7fbldrmJ for ; Thu, 5 Jan 2017 19:30:20 +0000 (UTC) Received: from mail-pg0-f42.google.com (mail-pg0-f42.google.com [74.125.83.42]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id DD9A65F286 for ; Thu, 5 Jan 2017 19:30:19 +0000 (UTC) Received: by mail-pg0-f42.google.com with SMTP id i5so178663960pgh.2 for ; Thu, 05 Jan 2017 11:30:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb-com.20150623.gappssmtp.com; s=20150623; h=to:from:subject:message-id:date:user-agent:mime-version; bh=Iwz8M029Lie8VFuN+nqW3KKaeu2FeU5EWSr9KshhT/0=; b=fMtXHpK45ybw/6mY6n76l40PpUYVF1gMxepS+Hpd5zgU4g8rnCtozZkCxuzaR2iCVT ZqtRNMERe29M+jv8OMeu4a9XzavfSeEr/ThhT6NUHmfDN5GdI7n1lb8OmwXqfehLOXie Rbi4ZtgVTG/Q6+0ioBlnFcC1wMLDxgqSp70dkcCslId2S9KyLbTu5JH9ASY2LAmpvN/y pX0BmQx0e7aWaxIRBA0FEel+qrk+TD/oY3BRQ6N5FnGZWzvQrtfPnXDjZBbJLcxR0pQB deUOXxTZF0OHztdrjrjgAvUrPzg3iQ7AItcKvfJbmnBdYoXAUmJfVxWHkkllJlALilhf HaFQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version; bh=Iwz8M029Lie8VFuN+nqW3KKaeu2FeU5EWSr9KshhT/0=; b=ryojEgdq5h07EhXcekU8BCsad7ek9mPM6SDyfDe9rSz9zNjjfLAFOPNF1xPzF0dajY qjjGDGdK/8fc+/Q9f/ywqgn08WgJgQ5E6IjChuUT2WGAt1uxpCXuoalBlo/TD+y43YVE ikTLAoYeZ5exR+IJud7wFuRh75J+T2BTb1PIScjoBESrgn5ZJm/hoAnaLOeAGsnyVnnX C1aK7uwfxZdgczcjbSPEw9PJUSb+D4a4UoU9wg0fIP4mqh6yV/ayIU0PTbP/ttlSiXrC Rwza3uoNXz6/otmqqOhxmlBqJ/VOuUoQnWBNL8v5AgWDJxOmfQqXI85dBIzxfJjz4kZS eDQw== X-Gm-Message-State: AIkVDXK4ba2tTJd0+3VX+grwHyAQqRPmcyYKQiaeMVNLoCt+/d9SplUyoUxvwBsOf6dg4P85 X-Received: by 10.99.226.83 with SMTP id y19mr135382535pgj.147.1483644618918; Thu, 05 Jan 2017 11:30:18 -0800 (PST) Received: from [192.168.1.10] (pool-173-48-222-20.bstnma.fios.verizon.net. [173.48.222.20]) by smtp.gmail.com with ESMTPSA id o126sm156634972pga.34.2017.01.05.11.30.15 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 05 Jan 2017 11:30:18 -0800 (PST) To: "user@jclouds.apache.org" From: Ryan Shoemaker Subject: OpenStack identity endpoint and serviceCatalog usage Message-ID: Date: Thu, 5 Jan 2017 14:33:32 -0500 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="------------68D910B48DB20E1723BC0AC8" archived-at: Thu, 05 Jan 2017 19:30:26 -0000 This is a multi-part message in MIME format. --------------68D910B48DB20E1723BC0AC8 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Hi, I'm hoping to get a better understanding of how jclouds discovers and decides which identity endpoint to use. Feel free to redirect me to docs if this is already written up somewhere. In my case, we have a community Mitaka installation running and an app that uses jclouds v2.0.0. Initially, nothing identity related was working because Mitaka wasn't configured to respond to V2.0 Identity API requests - only V3, which isn't supported by jclouds yet. I didn't setup/configure this installation of OpenStack, so I'm not sure if that's a common issue or not - I don't know if the V2.0 Identity API is normally turned off in a fresh install or what. It's entirely possible that there's something misconfigured in there causing the behavior I describe below. Anyway, once the V2.0 Identity endpoint was enabled, I turned on tracing and can see that even though I create my context builder explicitly using the V2.0 endpoint URL, jclouds switches over and uses whatever comes back in the 'serviceCatalog' param in the token response. In my case, that happens to point to the V3 Identity endpoint. At that point, jclouds fails to work because it is making V2.0 requests on the V3 endpoints. Here's some tracing showing that in more detail: FINE: >> "{"auth":{"passwordCredentials":{"username":"someuser","password":"somepass"},"tenantName":"sometenant"}}" FINE: >> POST http://mitaka-host.com:5000/v2.0/tokens HTTP/1.1 FINE: >> Accept: application/json FINE: >> Content-Type: application/json FINE: >> Content-Length: 108 FINE: << HTTP/1.1 200 OK FINE: << Vary: X-Auth-Token FINE: << Date: Wed, 04 Jan 2017 20:45:54 GMT FINE: << Keep-Alive: timeout=5, max=97 FINE: << Connection: Keep-Alive FINE: << x-openstack-request-id: req-390cebba-7cec-472c-88f4-8be6f6a0c236 FINE: << Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5 FINE: << Content-Type: application/json FINE: << Content-Length: 3620 FINE: << "{"access":{ "token":{ "issued_at":"2017-01-04T20:45:54.000000Z", "expires":"2017-01-04T21:45:54Z", "id":"gAAAAABYbV8C5pTf30IRs7ybxmbflLk539RDldDU6Q7DBHTTXTY79pabgotPSfy41Nt2nZ82isP0RxsfRuxWRlb1fnlWy1E8zlQdM3xZbrkjP27gSlmLcsV298v-CH8R4GY7wnIvfJjO0MO4DMAgFvvMIA12ByG4kqIJHZ92VV_F6Vby33gR574", "tenant":{ "description":"somedescription", "enabled":true, "id":"6408ffc2d9034498bc764c230a90e591", "name":"sometenant" }, "audit_ids":[ "sEaG03ZdRXSeRMOr9GVCDA" ] }, "serviceCatalog":[ { "endpoints":[ { "adminURL":"http://mitaka-host.com:8774/v2.1/6408ffc2d9034498bc764c230a90e591", "region":"uk", "internalURL":"http://mitaka-host.com:8774/v2.1/6408ffc2d9034498bc764c230a90e591", "id":"9d531ab7259e44738c953ec8766b0bc4", "publicURL":"http://mitaka-host.com:8774/v2.1/6408ffc2d9034498bc764c230a90e591" } ], "endpoints_links":[ ], "type":"compute", "name":"nova" }, { "endpoints":[ { "adminURL":"http://mitaka-host.com:9696", "region":"uk", "internalURL":"http://mitaka-host.com:9696", "id":"1312e551abfe4c6d886e1a471f92bddd", "publicURL":"http://mitaka-host.com:9696" } ], "endpoints_links":[ ], "type":"network", "name":"neutron" }, { "endpoints":[ { "adminURL":"http://mitaka-host.com:8776/v2/6408ffc2d9034498bc764c230a90e591", "region":"uk", "internalURL":"http://mitaka-host.com:8776/v2/6408ffc2d9034498bc764c230a90e591", "id":"02fb1ff3b41a40ceb4cb28abfa5bd547", "publicURL":"http://mitaka-host.com:8776/v2/6408ffc2d9034498bc764c230a90e591" } ], "endpoints_links":[ ], "type":"volumev2", "name":"cinderv2" }, { "endpoints":[ { "adminURL":"http://mitaka-host.com:9292", "region":"uk", "internalURL":"http://mitaka-host.com:9292", "id":"3681888e8b62421f81e93d4270201520", "publicURL":"http://mitaka-host.com:9292" } ], "endpoints_links":[ ], "type":"image", "name":"glance" }, { "endpoints":[ { "adminURL":"http://mitaka-host.com:8776/v1/6408ffc2d9034498bc764c230a90e591", "region":"uk", "internalURL":"http://mitaka-host.com:8776/v1/6408ffc2d9034498bc764c230a90e591", "id":"252797f5a4bb44c0844bff5586a23e16", "publicURL":"http://mitaka-host.com:8776/v1/6408ffc2d9034498bc764c230a90e591" } ], "endpoints_links":[ ], "type":"volume", "name":"cinder" }, { "endpoints":[ { "adminURL":"http://mitaka-host.com:8080/v1", "region":"uk", "internalURL":"http://mitaka-host.com:8080/v1/AUTH_6408ffc2d9034498bc764c230a90e591", "id":"32f4fa49d90e4ad58b2b694bc1aab1ed", "publicURL":"http://mitaka-host.com:8080/v1/AUTH_6408ffc2d9034498bc764c230a90e591" } ], "endpoints_links":[ ], "type":"object-store", "name":"swift" }, { "endpoints":[ { "adminURL":"http://mitaka-host.com:35357/v3", "region":"uk", "internalURL":"http://mitaka-host.com:5000/v3", "id":"23ace8e63eab431d81ccf5bfabc1ad53", "publicURL":"http://mitaka-host.com:5000/v3" } ], "endpoints_links":[ ], "type":"identity", "name":"keystone" } ], "user":{ "username":"someuser", "roles_links":[ ], "id":"a0da46b26af74a44a7c89cab6d9a6439", "roles":[ { "name":"admin" } ], "name":"someuser" }, "metadata":{ "is_admin":0, "roles":[ "dca7c9a77e294f97a619e2b7da246550" ] } } }" FINE: >> GET http://mitaka-host.com:35357/v3/tenants?name=sometenant HTTP/1.1 FINE: >> Accept: application/json FINE: >> X-Auth-Token: gAAAAABYbV8C5pTf30IRs7ybxmbflLk539RDldDU6Q7DBHTTXTY79pabgotPSfy41Nt2nZ82isP0RxsfRuxWRlb1fnlWy1E8zlQdM3xZbrkjP27gSlmLcsV298v-CH8R4GY7wnIvfJjO0MO4DMAgFvvMIA12ByG4kqIJHZ92VV_F6Vby33gR574 FINE: << HTTP/1.1 404 Not Found FINE: << Vary: X-Auth-Token FINE: << Date: Wed, 04 Jan 2017 20:45:55 GMT FINE: << Keep-Alive: timeout=5, max=100 FINE: << Connection: Keep-Alive FINE: << x-openstack-request-id: req-94bea180-8447-485a-8485-bf3f57e8d225 FINE: << Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5 FINE: << Content-Type: application/json FINE: << Content-Length: 93 FINE: << "{"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}}" Again, even though I created the jclouds ContextBuilder with the V2.0 endpoint, it looks like jclouds read the identity admin endpoint from the 'serviceCatalog' in the response and then switched to using it, even though it is a V3 endpoint. Is this normal expected behavior for jclouds? I'm guessing it has more to do with how Mitaka is configured, but I don't see how jclouds would be able to talk to newer versions of OpenStack unless they disable the V3 Identity endpoint or configure it in such a way that the V2.0 endpoint is exposed for jclouds to see it. Are there any READMEs on how to use jclouds keystone APIs with newer versions of OpenStack? In general, it seems like OpenStack is moving more towards a model where API versioning is supposed to be discovered by clients. For example: https://review.openstack.org/#/c/130669/, specifically the patch comment that says "if some one is using third party client, it will break. Only keystone client handles version discovery. Keystone doesn't even document how to handle version discovery, so any third party clients such as jcloud will likely fail" Is there any update on jclouds adding support for the V3 Identity API? Thanks, --Ryan --------------68D910B48DB20E1723BC0AC8 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit Hi,

I'm hoping to get a better understanding of how jclouds discovers and decides which identity endpoint to use.  Feel free to redirect me to docs if this is already written up somewhere.

In my case, we have a community Mitaka installation running and an app that uses jclouds v2.0.0.  Initially, nothing identity related was working because Mitaka wasn't configured to respond to V2.0 Identity API requests - only V3, which isn't supported by jclouds yet.  I didn't setup/configure this installation of OpenStack, so I'm not sure if that's a common issue or not - I don't know if the V2.0 Identity API is normally turned off in a fresh install or what.  It's entirely possible that there's something misconfigured in there causing the behavior I describe below.  Anyway, once the V2.0 Identity endpoint was enabled, I turned on tracing and can see that even though I create my context builder explicitly using the V2.0 endpoint URL, jclouds switches over and uses whatever comes back in the 'serviceCatalog' param in the token response.  In my case, that happens to point to the V3 Identity endpoint.  At that point, jclouds fails to work because it is making V2.0 requests on the V3 endpoints.  Here's some tracing showing that in more detail:
 
FINE: >> "{"auth":{"passwordCredentials":{"username":"someuser","password":"somepass"},"tenantName":"sometenant"}}"
FINE: >> POST http://mitaka-host.com:5000/v2.0/tokens HTTP/1.1
FINE: >> Accept: application/json
FINE: >> Content-Type: application/json
FINE: >> Content-Length: 108

FINE: << HTTP/1.1 200 OK
FINE: << Vary: X-Auth-Token
FINE: << Date: Wed, 04 Jan 2017 20:45:54 GMT
FINE: << Keep-Alive: timeout=5, max=97
FINE: << Connection: Keep-Alive
FINE: << x-openstack-request-id: req-390cebba-7cec-472c-88f4-8be6f6a0c236
FINE: << Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
FINE: << Content-Type: application/json
FINE: << Content-Length: 3620
FINE: << 
"{"access":{
   "token":{
      "issued_at":"2017-01-04T20:45:54.000000Z",
      "expires":"2017-01-04T21:45:54Z",
      "id":"gAAAAABYbV8C5pTf30IRs7ybxmbflLk539RDldDU6Q7DBHTTXTY79pabgotPSfy41Nt2nZ82isP0RxsfRuxWRlb1fnlWy1E8zlQdM3xZbrkjP27gSlmLcsV298v-CH8R4GY7wnIvfJjO0MO4DMAgFvvMIA12ByG4kqIJHZ92VV_F6Vby33gR574",
      "tenant":{
         "description":"somedescription",
         "enabled":true,
         "id":"6408ffc2d9034498bc764c230a90e591",
         "name":"sometenant"
      },
      "audit_ids":[
         "sEaG03ZdRXSeRMOr9GVCDA"
      ]
   },
   "serviceCatalog":[
      {
         "endpoints":[
            {
               "adminURL":"http://mitaka-host.com:8774/v2.1/6408ffc2d9034498bc764c230a90e591",
               "region":"uk",
               "internalURL":"http://mitaka-host.com:8774/v2.1/6408ffc2d9034498bc764c230a90e591",
               "id":"9d531ab7259e44738c953ec8766b0bc4",
               "publicURL":"http://mitaka-host.com:8774/v2.1/6408ffc2d9034498bc764c230a90e591"
            }
         ],
         "endpoints_links":[

         ],
         "type":"compute",
         "name":"nova"
      },
      {
         "endpoints":[
            {
               "adminURL":"http://mitaka-host.com:9696",
               "region":"uk",
               "internalURL":"http://mitaka-host.com:9696",
               "id":"1312e551abfe4c6d886e1a471f92bddd",
               "publicURL":"http://mitaka-host.com:9696"
            }
         ],
         "endpoints_links":[

         ],
         "type":"network",
         "name":"neutron"
      },
      {
         "endpoints":[
            {
               "adminURL":"http://mitaka-host.com:8776/v2/6408ffc2d9034498bc764c230a90e591",
               "region":"uk",
               "internalURL":"http://mitaka-host.com:8776/v2/6408ffc2d9034498bc764c230a90e591",
               "id":"02fb1ff3b41a40ceb4cb28abfa5bd547",
               "publicURL":"http://mitaka-host.com:8776/v2/6408ffc2d9034498bc764c230a90e591"
            }
         ],
         "endpoints_links":[

         ],
         "type":"volumev2",
         "name":"cinderv2"
      },
      {
         "endpoints":[
            {
               "adminURL":"http://mitaka-host.com:9292",
               "region":"uk",
               "internalURL":"http://mitaka-host.com:9292",
               "id":"3681888e8b62421f81e93d4270201520",
               "publicURL":"http://mitaka-host.com:9292"
            }
         ],
         "endpoints_links":[

         ],
         "type":"image",
         "name":"glance"
      },
      {
         "endpoints":[
            {
               "adminURL":"http://mitaka-host.com:8776/v1/6408ffc2d9034498bc764c230a90e591",
               "region":"uk",
               "internalURL":"http://mitaka-host.com:8776/v1/6408ffc2d9034498bc764c230a90e591",
               "id":"252797f5a4bb44c0844bff5586a23e16",
               "publicURL":"http://mitaka-host.com:8776/v1/6408ffc2d9034498bc764c230a90e591"
            }
         ],
         "endpoints_links":[

         ],
         "type":"volume",
         "name":"cinder"
      },
      {
         "endpoints":[
            {
               "adminURL":"http://mitaka-host.com:8080/v1",
               "region":"uk",
               "internalURL":"http://mitaka-host.com:8080/v1/AUTH_6408ffc2d9034498bc764c230a90e591",
               "id":"32f4fa49d90e4ad58b2b694bc1aab1ed",
               "publicURL":"http://mitaka-host.com:8080/v1/AUTH_6408ffc2d9034498bc764c230a90e591"
            }
         ],
         "endpoints_links":[

         ],
         "type":"object-store",
         "name":"swift"
      },
      {
         "endpoints":[
            {
               "adminURL":"http://mitaka-host.com:35357/v3",
               "region":"uk",
               "internalURL":"http://mitaka-host.com:5000/v3",
               "id":"23ace8e63eab431d81ccf5bfabc1ad53",
               "publicURL":"http://mitaka-host.com:5000/v3"
            }
         ],
         "endpoints_links":[

         ],
         "type":"identity",
         "name":"keystone"
      }
   ],
   "user":{
      "username":"someuser",
      "roles_links":[

      ],
      "id":"a0da46b26af74a44a7c89cab6d9a6439",
      "roles":[
         {
            "name":"admin"
         }
      ],
      "name":"someuser"
   },
   "metadata":{
      "is_admin":0,
      "roles":[
         "dca7c9a77e294f97a619e2b7da246550"
      ]
   }
}
}"


FINE: >> GET http://mitaka-host.com:35357/v3/tenants?name=sometenant HTTP/1.1
FINE: >> Accept: application/json
FINE: >> X-Auth-Token: gAAAAABYbV8C5pTf30IRs7ybxmbflLk539RDldDU6Q7DBHTTXTY79pabgotPSfy41Nt2nZ82isP0RxsfRuxWRlb1fnlWy1E8zlQdM3xZbrkjP27gSlmLcsV298v-CH8R4GY7wnIvfJjO0MO4DMAgFvvMIA12ByG4kqIJHZ92VV_F6Vby33gR574

FINE: << HTTP/1.1 404 Not Found
FINE: << Vary: X-Auth-Token
FINE: << Date: Wed, 04 Jan 2017 20:45:55 GMT
FINE: << Keep-Alive: timeout=5, max=100
FINE: << Connection: Keep-Alive
FINE: << x-openstack-request-id: req-94bea180-8447-485a-8485-bf3f57e8d225
FINE: << Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
FINE: << Content-Type: application/json
FINE: << Content-Length: 93
FINE: << "{"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}}"

Again, even though I created the jclouds ContextBuilder with the V2.0 endpoint, it looks like jclouds read the identity admin endpoint from the 'serviceCatalog' in the response and then switched to using it, even though it is a V3 endpoint.  Is this normal expected behavior for jclouds?  I'm guessing it has more to do with how Mitaka is configured, but I don't see how jclouds would be able to talk to newer versions of OpenStack unless they disable the V3 Identity endpoint or configure it in such a way that the V2.0 endpoint is exposed for jclouds to see it.  Are there any READMEs on how to use jclouds keystone APIs with newer versions of OpenStack?

In general, it seems like OpenStack is moving more towards a model where API versioning is supposed to be discovered by clients.  For example: https://review.openstack.org/#/c/130669/, specifically the patch comment that says "if some one is using third party client, it will break. Only keystone client handles version discovery.    Keystone doesn't even document how to handle version discovery, so any third party clients such as jcloud will likely fail"

Is there any update on jclouds adding support for the V3 Identity API?

Thanks,

--Ryan
--------------68D910B48DB20E1723BC0AC8--