diff --git a/files/apache-keystone.template b/files/apache-keystone.template index 428544f25c..8a4b0f0c43 100644 --- a/files/apache-keystone.template +++ b/files/apache-keystone.template @@ -44,8 +44,8 @@ Alias /identity %KEYSTONE_BIN%/keystone-wsgi-public WSGIPassAuthorization On -Alias /identity_admin %KEYSTONE_BIN%/keystone-wsgi-admin - +Alias /identity_v2_admin %KEYSTONE_BIN%/keystone-wsgi-admin + SetHandler wsgi-script Options +ExecCGI diff --git a/lib/keystone b/lib/keystone index 3309a916af..c94bcd3a71 100644 --- a/lib/keystone +++ b/lib/keystone @@ -122,8 +122,14 @@ if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then fi # complete URIs -KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT} -KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT} +if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then + # If running in Apache, use path access rather than port. + KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_v2_admin + KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity +else + KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT} + KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT} +fi # V3 URIs KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3 
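Review bot: In the mod_wsgi branch of the lib/keystone hunk at line 122, both `KEYSTONE_AUTH_URI` and `KEYSTONE_SERVICE_URI` drop the port, so the admin and public APIs are addressed on the same Apache listener and differ only by path. Any firewall or security-group rule that relied on a separate admin port would no longer apply to these URIs. A comment would make that explicit, e.g. `# NOTE: admin and public share one listener here; restrict /identity_v2_admin in Apache if the admin API must stay private`. The branch also assumes Apache answers on the default port for `${KEYSTONE_AUTH_PROTOCOL}`, which this hunk does not show. The context line `KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3` now yields `.../identity_v2_admin/v3`, so the `v2` in the alias name is misleading.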
@@ -259,7 +265,15 @@ function configure_keystone { # Set the service ports for a proxy to take the originals service_port=$KEYSTONE_SERVICE_PORT_INT auth_port=$KEYSTONE_AUTH_PORT_INT + fi + # Override the endpoints advertised by keystone (the public_endpoint and + # admin_endpoint) so that clients use the correct endpoint. By default, the + # keystone server uses the public_port and admin_port which isn't going to + # work when you want to use a different port (in the case of proxy), or you + # don't want the port (in the case of putting keystone on a path in + # apache). + if is_service_enabled tls-proxy || [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI fi @@ -582,7 +596,14 @@ function start_keystone { # Check that the keystone service is running. Even if the tls tunnel # should be enabled, make sure the internal port is checked using # unencryted traffic at this point. - if ! wait_for_service $SERVICE_TIMEOUT $auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/; then + # If running in Apache, use the path rather than port. + + local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/ + if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then + service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/ + fi + + if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then die $LINENO "keystone did not start" fi 
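Review bot: The new condition `is_service_enabled tls-proxy || [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]` in configure_keystone does not say what should happen when both are active. The block above it still switches `service_port` and `auth_port` to the `_INT` values, while the advertised `public_endpoint` and `admin_endpoint` are port-less under mod_wsgi. Whether the TLS proxy fronts `/identity` on the default HTTPS port cannot be told from this hunk, so the added comment should state the intended behaviour for that combination. The `[ ... == ... ]` test is a bash extension that also appears in the hunks at lines 122 and 596; `[[ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]]` is the safer spelling. configure_keystone begins and ends outside the hunk.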
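Review bot: Under mod_wsgi the readiness probe in start_keystone no longer uses `$service_port`, so the existing comment ("make sure the internal port is checked using unencryted traffic") no longer describes what is checked. The probe now goes to the default port of `$auth_protocol` on the `/identity` path, and the comment should say so, e.g. `# Under mod_wsgi the check goes through Apache on /identity, not the internal port.` The call is also unquoted; `wait_for_service "$SERVICE_TIMEOUT" "$service_uri"` avoids word splitting if a host or protocol variable is ever empty or contains whitespace. start_keystone begins and ends outside the hunk.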
@@ -625,8 +646,8 @@ function bootstrap_keystone { --bootstrap-service-name keystone \ --bootstrap-region-id "$REGION_NAME" \ --bootstrap-admin-url "$KEYSTONE_AUTH_URI" \ - --bootstrap-public-url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT" \ - --bootstrap-internal-url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT" + --bootstrap-public-url "$KEYSTONE_SERVICE_URI" \ + --bootstrap-internal-url "$KEYSTONE_SERVICE_URI" } # Restore xtrace