From 841fdafa0bc542b595b267428c5d929bf0726205 Mon Sep 17 00:00:00 2001 From: Brant Knudson Date: Sun, 21 Jun 2015 10:08:22 -0500 Subject: [PATCH] Use path-mounted keystone when running in httpd When running in httpd, keystone accepts requests on /identity and /identity_v2_admin. The path endpoints should be preferred over the ports so keystone is configured to point applications to the path endpoints by setting admin_endpoint and public_endpoint. Change-Id: I34569b9e03c3f36748c92d803349e22a7ee1a633 --- files/apache-keystone.template | 4 ++-- lib/keystone | 31 ++++++++++++++++++++++++++----- 2 files changed, 28 insertions(+), 7 deletions(-) diff --git a/files/apache-keystone.template b/files/apache-keystone.template index 428544f25c..8a4b0f0c43 100644 --- a/files/apache-keystone.template +++ b/files/apache-keystone.template @@ -44,8 +44,8 @@ Alias /identity %KEYSTONE_BIN%/keystone-wsgi-public WSGIPassAuthorization On -Alias /identity_admin %KEYSTONE_BIN%/keystone-wsgi-admin - +Alias /identity_v2_admin %KEYSTONE_BIN%/keystone-wsgi-admin + SetHandler wsgi-script Options +ExecCGI diff --git a/lib/keystone b/lib/keystone index bcd5fab40c..1305623cb9 100644 --- a/lib/keystone +++ b/lib/keystone 
@@ -122,8 +122,14 @@ if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then fi # complete URIs -KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT} -KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT} +if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then + # If running in Apache, use path access rather than port. + KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_v2_admin + KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity +else + KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT} + KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT} +fi # V3 URIs KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3 @@ -259,7 +265,15 @@ function configure_keystone { # Set the service ports for a proxy to take the originals service_port=$KEYSTONE_SERVICE_PORT_INT auth_port=$KEYSTONE_AUTH_PORT_INT + fi + # Override the endpoints advertised by keystone (the public_endpoint and + # admin_endpoint) so that clients use the correct endpoint. By default, the + # keystone server uses the public_port and admin_port which isn't going to + # work when you want to use a different port (in the case of proxy), or you + # don't want the port (in the case of putting keystone on a path in + # apache). + if is_service_enabled tls-proxy || [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI fi 
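Review bot: In the `@@ -122` hunk the mod_wsgi branch drops `KEYSTONE_AUTH_PORT` and `KEYSTONE_SERVICE_PORT` without saying so, so the URIs are only correct if Apache serves keystone on the default port for the protocol. A deployer who overrides either port gets no hint that the setting is ignored here. The literal paths also have to stay in step with the `Alias` lines in `files/apache-keystone.template`, and `/identity` is repeated in the `start_keystone` hunk. I would extend the comment to something like `# Path access assumes Apache listens on the protocol's default port; /identity and /identity_v2_admin must match the Alias entries in files/apache-keystone.template.` As a style point, `[[ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]]` avoids relying on `==` inside `[`.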
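Review bot: In the `@@ -259` hunk the new condition treats tls-proxy and mod_wsgi alike, but the combined case is not addressed. When both are active, `KEYSTONE_SERVICE_URI` and `KEYSTONE_AUTH_URI` are the port-less path URIs from the mod_wsgi branch, while the lines just above still move `service_port` and `auth_port` aside for the proxy. Whether the TLS proxy fronts `/identity` on the default HTTPS port is not visible in this patch; if it does not, keystone would advertise a `public_endpoint` and `admin_endpoint` that clients cannot reach over TLS. The comment should say what is advertised in that case, for example `# With tls-proxy and mod_wsgi together the path URIs are advertised; the proxy must front /identity and /identity_v2_admin.` `configure_keystone` starts and ends outside the hunk.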
@@ -582,7 +596,14 @@ function start_keystone { # Check that the keystone service is running. Even if the tls tunnel # should be enabled, make sure the internal port is checked using # unencryted traffic at this point. - if ! wait_for_service $SERVICE_TIMEOUT $auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/; then + # If running in Apache, use the path rather than port. + + local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/ + if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then + service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/ + fi + + if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then die $LINENO "keystone did not start" fi @@ -625,8 +646,8 @@ function bootstrap_keystone { --bootstrap-service-name keystone \ --bootstrap-region-id "$REGION_NAME" \ --bootstrap-admin-url "$KEYSTONE_AUTH_URI" \ - --bootstrap-public-url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT" \ - --bootstrap-internal-url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT" + --bootstrap-public-url "$KEYSTONE_SERVICE_URI" \ + --bootstrap-internal-url "$KEYSTONE_SERVICE_URI" } # Restore xtrace
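Review bot: In the `@@ -582` hunk the older comment sentence "make sure the internal port is checked using unencryted traffic" no longer holds for the mod_wsgi branch, where `service_uri` carries no port at all. The added one-line comment does not say which port or scheme is probed instead. I would reword it to something like `# Under mod_wsgi the check goes to the /identity path on Apache's default port for $auth_protocol, not to $service_port.` The new call also passes both values unquoted; `if ! wait_for_service "$SERVICE_TIMEOUT" "$service_uri"; then` is the safer spelling. `start_keystone` starts and ends outside the hunk.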