OpenStack Services Should Use keystone_internal_url for auth

Horizon and Neutron mistakenly were using keystone_public_url
for authentication.  This works without error in deployments
when the internal services happen to have access to the
public network, but it is still wrong.  This fails to work
when the internal services cannot access the public URLs,
for example when TLS is enabled on the public endpoints.

This patch corrects horizon and neutron to use
keystone_internal_url for auth.

Change-Id: I59b9094364bef375036028ba86a771dabf28c963
Closes-bug: #1625648
Dave McCowan 2016-10-15 18:50:41 -04:00
parent 57203424c2
commit cc2dde0854
2 changed files with 2 additions and 2 deletions


@ -192,7 +192,7 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
OPENSTACK_HOST = "{% if orchestration_engine == 'KUBERNETES' %}{{ api_interface_address }}{% else %}{{ kolla_internal_fqdn }}{% endif %}" OPENSTACK_HOST = "{% if orchestration_engine == 'KUBERNETES' %}{{ api_interface_address }}{% else %}{{ kolla_internal_fqdn }}{% endif %}"
OPENSTACK_KEYSTONE_URL = "{{ keystone_public_url }}" OPENSTACK_KEYSTONE_URL = "{{ keystone_internal_url }}"
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ horizon_openstack_keystone_default_role }}" OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ horizon_openstack_keystone_default_role }}"
# Enables keystone web single-sign-on if set to True. # Enables keystone web single-sign-on if set to True.
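Review bot: `OPENSTACK_KEYSTONE_URL` appears to be the address Horizon also uses for the web single-sign-on redirect configured just below this line, so pointing it at `keystone_internal_url` may send users' browsers to an endpoint they cannot reach when SSO is enabled; the SSO settings are outside the hunk, so this needs confirming. Horizon also forwards login credentials to this URL, and the commit message implies TLS is enabled only on the public endpoints, so passwords would cross the internal network unencrypted unless the internal endpoint is protected too. I would record the assumption in the template above the changed line, for example `# Server-side auth uses the internal endpoint; assumes the internal network is trusted or TLS-protected.`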


@ -72,7 +72,7 @@ connection = mysql+pymysql://{{ neutron_database_user }}:{{ neutron_database_pas
max_retries = -1 max_retries = -1
[keystone_authtoken] [keystone_authtoken]
auth_uri = {{ keystone_public_url }} auth_uri = {{ keystone_internal_url }}
auth_url = {{ keystone_admin_url }} auth_url = {{ keystone_admin_url }}
auth_type = password auth_type = password
project_domain_id = default project_domain_id = default
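Review bot: `auth_uri` in `[keystone_authtoken]` is, as far as I know from keystonemiddleware's documentation, the identity endpoint advertised to unauthenticated clients in the `WWW-Authenticate` header of a 401 response, so setting it to `keystone_internal_url` would disclose the internal endpoint name to external API callers and point them at an address they may not reach. The service's own token validation is configured through `auth_url`, which this hunk leaves at `keystone_admin_url`; whether that endpoint is reachable and TLS-protected from the neutron hosts is not visible here. If the internal URL is kept, a comment above the line such as `# auth_uri is returned to clients in 401 responses; internal URL used because services cannot reach the public endpoint` would record the trade-off. The `[keystone_authtoken]` section continues past the end of the hunk.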