Thursday, October 26, 2017

Set Keystone v3 API endpoints in Packstack Newton

The dev team at my current workplace has created an app which integrates with OpenStack Newton; however, they only use the Keystone v3 API. I deployed Newton using the CentOS 7 release version from the repo enabled by the centos-release-openstack-newton package from EPEL. I deployed two nodes, one controller and one compute, on top of CentOS 7.4.

As recently as OpenStack Mitaka, packstack deployment using the Keystone v3 API failed when running the cinder.pp puppet manifest, but this issue has been fixed in the RDO OpenStack Newton packstack deployment. To enable the Keystone v3 API, simply edit the following in your packstack answer file:

CONFIG_KEYSTONE_API_VERSION=v3

Then run packstack with "packstack --answer-file" followed by the path to your answer file, and the installation will complete successfully.

However, if you go into the Horizon dashboard Admin -> System Info menu, you will see that the Keystone endpoints are still set to v2.0. You can also verify this from the openstack command line (make sure you have the python-openstackclient package installed):

[root@newtonctrl ~(keystone_admin)]# openstack endpoint list
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
| ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                             |
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
...
| 1ed930a5fad64fdb93cab8c5647a8bbe | RegionOne | keystone     | identity       | True    | internal  | http://172.16.11.201:5000/v2.0                  |
| 403c6f321b364dde821c6057fc81fca4 | RegionOne | keystone     | identity       | True    | public    | http://172.16.11.201:5000/v2.0                  |
| b412ae6f0b0446dcac3d75e68a30803e | RegionOne | keystone     | identity       | True    | admin     | http://172.16.11.201:35357/v2.0                 |
...


In this situation, if you make a curl request to the above endpoints but replace v2.0 with v3, the token payload will still contain Keystone v2.0 endpoints (it simply redirects v3 requests to v2.0). Keystone will still respond on the v3 endpoint, but the payload will use v2.0 formatting. This can be a problem for apps which expect a JSON dump using v3 fields and formats. Therefore I had to manually change the Keystone endpoints to v3.

In OpenStack Newton you can create or delete endpoints with the "openstack endpoint create" and "openstack endpoint delete" commands, and enable or disable them with "openstack endpoint set --enable UUID" and "openstack endpoint set --disable UUID".

Create Keystone v3 API endpoints

[root@newtonctrl ~(keystone_admin)]# openstack endpoint create identity --region RegionOne public http://172.16.11.201:5000/v3

Repeat this for each interface (i.e. internal, admin, and public).

Disable Keystone v2.0 API endpoints

[root@newtonctrl ~(keystone_admin)]# openstack endpoint set --disable 1ed930a5fad64fdb93cab8c5647a8bbe

Repeat this for each Keystone v2.0 API endpoint UUID.

[root@newtonctrl ~(keystone_admin)]# openstack endpoint list | grep keystone
| 1ed930a5fad64fdb93cab8c5647a8bbe | RegionOne | keystone     | identity       | False   | internal  | http://172.16.11.201:5000/v2.0                  |
| 403c6f321b364dde821c6057fc81fca4 | RegionOne | keystone     | identity       | False   | public    | http://172.16.11.201:5000/v2.0                  |
| 7cf272994522455790d7dd5a0420b150 | RegionOne | keystone     | identity       | True    | internal  | http://172.16.11.201:5000/v3                    |
| ab64142376ae4aa68e832479295ed301 | RegionOne | keystone     | identity       | True    | public    | http://172.16.11.201:5000/v3                    |
| b412ae6f0b0446dcac3d75e68a30803e | RegionOne | keystone     | identity       | False   | admin     | http://172.16.11.201:35357/v2.0                 |
| e6891754ac154db1b8e32d7f5d67578a | RegionOne | keystone     | identity       | True    | admin     | http://172.16.11.201:5000/v3                    |

You can see that the v2.0 Keystone API endpoints are set to False in the "Enabled" field, while the v3 endpoints are set to True for the same field. If this is not reflected in the Horizon UI, you may have to clear your web browser cache and reload the page. I'm not sure if this issue has been fixed in RDO Ocata, but I plan to file a bug report on Red Hat Bugzilla.
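
The create and disable steps above can be planned from the "openstack endpoint list" table before anything in the identity catalog is changed. The script below is an added example, not part of the original post: it reads that table on stdin and prints the create commands first and the disable commands last, without calling the openstack CLI itself. The function names are hypothetical, the nova row is constructed, and it assumes each v3 endpoint keeps the host and port of the v2.0 endpoint it replaces (so admin stays on 35357).

```shell
#!/bin/sh
# Added example (not from the original post): dry-run planner for the
# Keystone v2.0 -> v3 endpoint switch. It only prints commands.

# Sample input: keystone rows copied from the listing in the post, plus
# one constructed nova row to show that other services are ignored.
sample_listing() {
cat <<'EOF'
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
| 1ed930a5fad64fdb93cab8c5647a8bbe | RegionOne | keystone | identity | True | internal | http://172.16.11.201:5000/v2.0 |
| 403c6f321b364dde821c6057fc81fca4 | RegionOne | keystone | identity | True | public | http://172.16.11.201:5000/v2.0 |
| 00000000000000000000000000000000 | RegionOne | nova | compute | True | public | http://172.16.11.201:8774/v2.1 |
| b412ae6f0b0446dcac3d75e68a30803e | RegionOne | keystone | identity | True | admin | http://172.16.11.201:35357/v2.0 |
EOF
}

# Reads "openstack endpoint list" table output on stdin.
# Assumption: each v3 endpoint keeps the host:port of the v2.0 one.
plan_keystone_v3() {
    awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    NF >= 8 {
        id = trim($2); region = trim($3); iface = trim($7); url = trim($8)
        if (trim($4) != "keystone" || trim($5) != "identity") next
        if (trim($6) != "True") next          # already disabled
        if (url ~ /\/v3\/?$/) { have_v3[iface] = 1; next }
        if (url ~ /\/v2\.0\/?$/) {
            n++; ids[n] = id; regions[n] = region; ifaces[n] = iface
            sub(/\/v2\.0\/?$/, "/v3", url); urls[n] = url
        }
    }
    END {
        # Create missing v3 endpoints first ...
        for (i = 1; i <= n; i++)
            if (!(ifaces[i] in have_v3))
                printf "openstack endpoint create identity --region %s %s %s\n",
                       regions[i], ifaces[i], urls[i]
        # ... and disable v2.0 last, so identity is never left without
        # an enabled endpoint if the run stops halfway.
        for (i = 1; i <= n; i++)
            printf "openstack endpoint set --disable %s\n", ids[i]
    }'
}

sample_listing | plan_keystone_v3
```

Review the printed commands, then run them from a shell that has the keystone_admin credentials loaded; running the planner again afterwards should print nothing.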