OpenStack Services Should Use keystone_internal_url for auth
Horizon and Neutron were mistakenly using keystone_public_url for authentication. This works without error in deployments where the internal services happen to have access to the public network, but it is still wrong. It fails when the internal services cannot access the public URLs, for example when TLS is enabled on the public endpoints. This patch corrects horizon and neutron to use keystone_internal_url for auth. Change-Id: I59b9094364bef375036028ba86a771dabf28c963 Closes-bug: #1625648
parent
57203424c2
commit
cc2dde0854
@ -192,7 +192,7 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
|
|||||||
|
|
||||||
OPENSTACK_HOST = "{% if orchestration_engine == 'KUBERNETES' %}{{ api_interface_address }}{% else %}{{ kolla_internal_fqdn }}{% endif %}"
|
OPENSTACK_HOST = "{% if orchestration_engine == 'KUBERNETES' %}{{ api_interface_address }}{% else %}{{ kolla_internal_fqdn }}{% endif %}"
|
||||||
|
|
||||||
OPENSTACK_KEYSTONE_URL = "{{ keystone_public_url }}"
|
OPENSTACK_KEYSTONE_URL = "{{ keystone_internal_url }}"
|
||||||
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ horizon_openstack_keystone_default_role }}"
|
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ horizon_openstack_keystone_default_role }}"
|
||||||
|
|
||||||
# Enables keystone web single-sign-on if set to True.
|
# Enables keystone web single-sign-on if set to True.
|
||||||
|
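Review bot: The WebSSO option documented just below the changed line is affected by pointing `OPENSTACK_KEYSTONE_URL` at `keystone_internal_url`. As far as I know, Horizon builds the WebSSO redirect from this same value, so a user's browser would be sent to the internal endpoint, which may not be reachable from outside. If WebSSO is meant to stay usable, add a comment above the setting such as `# Used for server-side auth and for the WebSSO browser redirect; must be client-reachable if WebSSO is enabled.`, or document that the combination is unsupported. It is also worth confirming that the internal URL is served over TLS wherever the public one is, since dashboard logins forward user passwords over this connection. The rest of the settings file lies outside the hunk, so any endpoint-type setting that should match could not be checked.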
@ -72,7 +72,7 @@ connection = mysql+pymysql://{{ neutron_database_user }}:{{ neutron_database_pas
|
|||||||
max_retries = -1
|
max_retries = -1
|
||||||
|
|
||||||
[keystone_authtoken]
|
[keystone_authtoken]
|
||||||
auth_uri = {{ keystone_public_url }}
|
auth_uri = {{ keystone_internal_url }}
|
||||||
auth_url = {{ keystone_admin_url }}
|
auth_url = {{ keystone_admin_url }}
|
||||||
auth_type = password
|
auth_type = password
|
||||||
project_domain_id = default
|
project_domain_id = default
|
||||||
|
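Review bot: `auth_uri` in `[keystone_authtoken]` may not be the value that fixes the reachability problem. As keystonemiddleware documents it, `auth_uri` is the identity endpoint advertised to unauthenticated API clients in the `WWW-Authenticate` header of a 401 response, while token validation with `auth_type = password` goes through `auth_url`. After this change, external clients that hit a 401 would be pointed at the internal Keystone URL, which they may not be able to reach and which exposes the internal hostname. Please confirm which behaviour is intended and record it above the key, for example `# auth_uri is advertised to clients on 401; service-side validation uses auth_url`. The `[keystone_authtoken]` section continues past the hunk, so any CA or TLS verification options for the internal endpoint could not be checked.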