From 33cb410e8b54763f536f337de9281e11c3fecf4c Mon Sep 17 00:00:00 2001
From: Ben Nemec
Date: Thu, 25 Jun 2015 18:22:18 +0000
Subject: [PATCH] Don't try to connect to keystone admin via ssl
We don't currently support running the keystone admin endpoint behind ssl (see _create_keystone_endpoint, which can only register public endpoints as ssl), so it doesn't make sense to try to connect to the admin endpoint via ssl. For v3, this should be fixed at some point in the future, but in the meantime let's get the code into a consistent state so it's usable with public ssl endpoints. According to the inline comments, the v2 endpoint is never available via ssl anyway so this is actually the correct behavior there anyway.
Change-Id: Ie0973bf6d25c837cdef7b0f9aaf4d4b96c3fbff7
---
 os_cloud_config/keystone.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/os_cloud_config/keystone.py b/os_cloud_config/keystone.py
index 78be854..55bd483 100644
--- a/os_cloud_config/keystone.py
+++ b/os_cloud_config/keystone.py
@@ -137,7 +137,7 @@ def initialize(host, admin_token, admin_email, admin_password,
 :param pki_setup: Boolean for running pki_setup conditionally
 """
- keystone_v2 = _create_admin_client_v2(host, admin_token, ssl, public)
+ keystone_v2 = _create_admin_client_v2(host, admin_token, public)
 keystone_v3 = _create_admin_client_v3(host, admin_token, ssl, public)
 _create_roles(keystone_v2, timeout, poll_interval)
@@ -162,7 +162,7 @@ def initialize_for_swift(host, admin_token, ssl=None, public=None):
 """
 LOG.warn('This function is deprecated.')
- keystone = _create_admin_client_v2(host, admin_token, ssl, public)
+ keystone = _create_admin_client_v2(host, admin_token, public)
 LOG.debug('Creating swiftoperator role.')
 keystone.roles.create('swiftoperator')
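Review bot: `initialize_for_swift` still accepts `ssl=None`, but after this change no line visible in the hunk uses it, so a caller that passes an SSL hostname gets no indication that it was dropped. Keeping the parameter on a deprecated function is reasonable for compatibility, but the docstring should say so, for example `:param ssl: ignored; the admin endpoint is always contacted over plain http`. The function body continues outside the hunk, so confirm `ssl` is not referenced further down before wording it that way.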
@@ -392,7 +392,7 @@ def _create_user_for_service(keystone, name, password):
 keystone.roles.add_user_role(user, admin_role, admin_tenant)
-def _create_admin_client_v2(host, admin_token, ssl=None, public=None):
+def _create_admin_client_v2(host, admin_token, public=None):
 """Create Keystone v2 client for admin endpoint.
 :param host: ip/hostname of node where Keystone is running
@@ -403,7 +403,7 @@ def _create_admin_client_v2(host, admin_token, ssl=None, public=None):
 """
 # It may not be readily obvious that admin v2 is never available
 # via https. The SSL parameter is just the DNS name to use.
- admin_url = 'http://%s:35357/v2.0' % (ssl or public or host)
+ admin_url = 'http://%s:35357/v2.0' % (public or host)
 return ksclient_v2.Client(endpoint=admin_url, token=admin_token)
@@ -416,8 +416,10 @@ def _create_admin_client_v3(host, admin_token, ssl=None, public=None):
 :param public: ip/hostname to use as the public endpoint, if default is not suitable
 """
- admin_url = '%s://%s:35357/v3' % ('https' if ssl else 'http', ssl or
- public or host)
+ # TODO(bnemec): This should respect the ssl parameter, but right now we
+ # don't support running the admin endpoint behind ssl. Once that is
+ # fixed, this should use ssl when available.
+ admin_url = '%s://%s:35357/v3' % ('http', public or host)
 return ksclient_v3.Client(endpoint=admin_url, token=admin_token)
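Review bot: The retained comment `The SSL parameter is just the DNS name to use.` describes a parameter that this commit removes from `_create_admin_client_v2`, so it is now misleading. I would reduce it to something like `# The admin v2 endpoint is never served over https, so admin_token goes over plain http to (public or host).` The docstring lines between this hunk and the previous one are not shown; if they still carry a `:param ssl:` entry, it should be dropped in the same change.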
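Review bot: `_create_admin_client_v3` now discards a caller-supplied `ssl` value without any signal, so a deployment configured for SSL still sends `admin_token` to port 35357 over cleartext http, addressed to `public or host`. The TODO explains why, but only to someone reading the source; make it visible at runtime with `if ssl: LOG.warn('ssl=%s ignored: admin endpoint is contacted over http', ssl)` before `admin_url` is built. The `:param ssl:` docstring entry, which lies outside the hunk, should say the same. Since the scheme is now constant, `'http://%s:35357/v3' % (public or host)` would also read the same way as the v2 helper.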