Do not assume keystone admin endpoint

keystone does not distinguish public and admin endpoints since Train [1], so there is no need to use a separate endpoint for keystone admin operations. admin endpoint still can be configured but there is no functional difference anymore from other endpoints. We do not need to require admin endpoint and can use an endpoint specified by OPENSTACK_ENDPOINT_TYPE for all API operations. This commit reverts commit f9bab3fe19 as we no longer need the workaround. [1] https://review.opendev.org/c/openstack/keystone/+/664246 Closes-Bug: #1950659 Change-Id: I2660fd2df8081e1d2d9c84626037f94bd9d137a5
2022-03-25 14:08:17 +09:00 · 2022-03-25 14:08:17 +09:00 · 35a490f4ec
commit 35a490f4ec
parent 0798bdacd3
3 changed files with 15 additions and 11 deletions
--- a/.zuul.d/tempest-and-integrated.yaml
+++ b/.zuul.d/tempest-and-integrated.yaml
@ -24,11 +24,6 @@
      - ^openstack_dashboard/.*/[^/]*\.spec\.js$
      - ^horizon/static/.*/[^/]*\.spec\.js$
    vars:
-      devstack_localrc:
-        # NOTE: workaround for bug 1950659
-        # Some horizon integration test start failing after devstack
-        # stop creating default keystone admin endpoint.
-        KEYSTONE_ADMIN_ENDPOINT: true
      devstack_services:
        horizon: true
      tox_envlist: integration
--- a/openstack_dashboard/api/keystone.py
+++ b/openstack_dashboard/api/keystone.py
@ -157,12 +157,9 @@ def keystoneclient(request, admin=False):
            if domain_token:
                token_id = getattr(domain_token, 'auth_token', None)

-    if admin:
-        if not policy.check((("identity", "admin_required"),), request):
-            raise exceptions.NotAuthorized
-        endpoint_type = 'adminURL'
-    else:
-        endpoint_type = settings.OPENSTACK_ENDPOINT_TYPE
+    if admin and not policy.check((("identity", "admin_required"),), request):
+        raise exceptions.NotAuthorized
+    endpoint_type = settings.OPENSTACK_ENDPOINT_TYPE

    # Take care of client connection caching/fetching a new client.
    # Admin vs. non-admin clients are cached separately for token matching.
--- a/releasenotes/notes/keystone-admin-endpoint-no-longer-required-06a8d29dfdb3b1cd.yaml
+++ b/releasenotes/notes/keystone-admin-endpoint-no-longer-required-06a8d29dfdb3b1cd.yaml
@ -0,0 +1,12 @@
+---
+upgrade:
+  - |
+    Horizon no longer requires the keystone admin endpoint. keystone does
+    not distinguish public and admin endpoints and there is no functional
+    difference between public and admin endpoints. There is no need for
+    a separate endpoint for keystone admin operations, but horizon required
+    the keystone admin endpoint is configured previously. This requirement
+    no longer exists. An endpoint specified by ``OPENSTACK_ENDPOINT_TYPE``
+    setting is used for the keystone admin operations. You can drop
+    the admin endpoint for keystone (unless other services require it).
+    [:bug:`1950659`]