diff --git a/ansible/roles/aodh/templates/aodh.conf.j2 b/ansible/roles/aodh/templates/aodh.conf.j2
index 10d720689c..b92ffdd334 100644
--- a/ansible/roles/aodh/templates/aodh.conf.j2
+++ b/ansible/roles/aodh/templates/aodh.conf.j2
@@ -40,7 +40,7 @@ policy_file = {{ aodh_policy_file }}
 {% endif %}
 [service_credentials]
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 region_name = {{ openstack_region_name }}
 password = {{ aodh_keystone_password }}
 username = {{ aodh_keystone_user }}
diff --git a/ansible/roles/blazar/templates/blazar.conf.j2 b/ansible/roles/blazar/templates/blazar.conf.j2
index a43ce0b9e5..7311b66ecc 100644
--- a/ansible/roles/blazar/templates/blazar.conf.j2
+++ b/ansible/roles/blazar/templates/blazar.conf.j2
@@ -7,7 +7,6 @@ port = {{ blazar_api_port }}
 os_auth_host = {{ keystone_internal_fqdn }}
 os_auth_port = {{ keystone_public_port }}
 os_auth_protocol = {{ internal_protocol }}
-os_auth_version = v3
 os_admin_username = {{ blazar_keystone_user }}
 os_admin_password = {{ blazar_keystone_password }}
 os_admin_project_name = service
@@ -21,8 +20,8 @@ plugins = virtual.instance.plugin,physical.host.plugin
 [keystone_authtoken]
 service_type = reservation
-www_authenticate_uri = {{ keystone_internal_url }}/v3
-auth_url = {{ keystone_internal_url }}/v3
+www_authenticate_uri = {{ keystone_internal_url }}
+auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = default
 user_domain_id = default
diff --git a/ansible/roles/ceilometer/templates/ceilometer.conf.j2 b/ansible/roles/ceilometer/templates/ceilometer.conf.j2
index e87fdb494a..a02ad6ed14 100644
--- a/ansible/roles/ceilometer/templates/ceilometer.conf.j2
+++ b/ansible/roles/ceilometer/templates/ceilometer.conf.j2
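Review bot: With `/v3` removed from `auth_url` under `[service_credentials]`, the service no longer pins the Identity API version and presumably relies on version discovery against the unversioned Keystone root. The requests that carry the service password then go to whatever URL the discovery document advertises, so behind a TLS-terminating proxy Keystone has to report the same scheme and host as `keystone_internal_url`. The same applies to the `auth_url` and `www_authenticate_uri` changes in the blazar, ceilometer, gnocchi, magnum, masakari, mistral, murano, nova-cell, sahara, trove and vitrage templates. I would record the intent next to the first of them, for example `# unversioned on purpose: the client discovers the Identity API version`, and check the advertised discovery links in a TLS deployment.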
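Review bot: Dropping `os_auth_version = v3` in the first blazar.conf.j2 hunk leaves Blazar on its built-in default for that option, and the hunk does not show what that default is. The neighbouring `os_auth_host`, `os_auth_port` and `os_auth_protocol` lines stay, so the admin auth URL is still assembled from parts rather than taken from `keystone_internal_url`; if the default is not v3, the admin account would authenticate against a different path. Please confirm the default for the supported Blazar release, or keep the line until it is confirmed.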
@@ -10,7 +10,7 @@ hypervisor_inspector = vsphere
 {% endif %}
 [service_credentials]
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 region_name = {{ openstack_region_name }}
 password = {{ ceilometer_keystone_password }}
 username = {{ ceilometer_keystone_user }}
diff --git a/ansible/roles/common/templates/admin-openrc.sh.j2 b/ansible/roles/common/templates/admin-openrc.sh.j2
index 615c52a34c..2e74ade1be 100644
--- a/ansible/roles/common/templates/admin-openrc.sh.j2
+++ b/ansible/roles/common/templates/admin-openrc.sh.j2
@@ -8,7 +8,7 @@ export OS_PROJECT_NAME={{ keystone_admin_project }}
 export OS_TENANT_NAME={{ keystone_admin_project }}
 export OS_USERNAME={{ keystone_admin_user }}
 export OS_PASSWORD={{ keystone_admin_password }}
-export OS_AUTH_URL={{ keystone_internal_url }}/v3
+export OS_AUTH_URL={{ keystone_internal_url }}
 export OS_INTERFACE=internal
 export OS_ENDPOINT_TYPE=internalURL
 {% if enable_manila | bool %}
diff --git a/ansible/roles/freezer/templates/freezer.conf.j2 b/ansible/roles/freezer/templates/freezer.conf.j2
index 12189eb508..6301f2cb31 100644
--- a/ansible/roles/freezer/templates/freezer.conf.j2
+++ b/ansible/roles/freezer/templates/freezer.conf.j2
@@ -14,7 +14,7 @@ jobs_dir = /etc/freezer/scheduler/conf.d
 os_username = {{ openstack_auth.username }}
 os_password = {{ openstack_auth.password }}
-os_auth_url = {{ openstack_auth.auth_url }}/v3
+os_auth_url = {{ openstack_auth.auth_url }}
 os_project_name = {{ keystone_admin_project }}
 os_project_domain_name = {{ openstack_auth.domain_name }}
 # TODO: transition to system scoped token when freezer supports that
diff --git a/ansible/roles/glance/templates/glance-swift.conf.j2 b/ansible/roles/glance/templates/glance-swift.conf.j2
index 246958c9b6..22054e5c20 100644
--- a/ansible/roles/glance/templates/glance-swift.conf.j2
+++ b/ansible/roles/glance/templates/glance-swift.conf.j2
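Review bot: `OS_AUTH_URL` in admin-openrc.sh is read by operators' own scripts as well as by the OpenStack clients, and scripts that append a path such as `/auth/tokens` to it would now hit the unversioned root. The hunk does not show whether the file also exports `OS_IDENTITY_API_VERSION`, which clients without version discovery would need once the suffix is gone. octavia-openrc.sh.j2 changes in the same way. I would call out the new URL form in an upgrade release note so the behaviour change is not discovered through failed logins.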
@@ -1,6 +1,6 @@
 [swift]
 auth_version = 3
-auth_address = {{ openstack_auth.auth_url }}/v3
+auth_address = {{ openstack_auth.auth_url }}
 user = service:{{ glance_keystone_user }}
 key = {{ glance_keystone_password }}
 project_domain_id = default
diff --git a/ansible/roles/gnocchi/templates/gnocchi.conf.j2 b/ansible/roles/gnocchi/templates/gnocchi.conf.j2
index 870f434f4b..0d347e4b68 100644
--- a/ansible/roles/gnocchi/templates/gnocchi.conf.j2
+++ b/ansible/roles/gnocchi/templates/gnocchi.conf.j2
@@ -45,7 +45,7 @@ url = mysql+pymysql://{{ gnocchi_database_user }}:{{ gnocchi_database_password }
 [keystone_authtoken]
 service_type = metric
-www_authenticate_uri = {{ keystone_internal_url }}/v3
+www_authenticate_uri = {{ keystone_internal_url }}
 project_domain_id = {{ default_project_domain_id }}
 project_name = service
 user_domain_id = {{ default_user_domain_id }}
@@ -83,7 +83,7 @@ ceph_keyring = /etc/ceph/{{ ceph_gnocchi_keyring }}
 ceph_conffile = /etc/ceph/ceph.conf
 {% elif gnocchi_backend_storage == 'swift' %}
 driver = swift
-swift_authurl = {{ keystone_internal_url }}/v3
+swift_authurl = {{ keystone_internal_url }}
 swift_auth_version = 3
 swift_user = service:{{ swift_keystone_user }}
 swift_key = {{ swift_keystone_password }}
diff --git a/ansible/roles/heat/templates/heat.conf.j2 b/ansible/roles/heat/templates/heat.conf.j2
index 4720870253..88e0076c08 100644
--- a/ansible/roles/heat/templates/heat.conf.j2
+++ b/ansible/roles/heat/templates/heat.conf.j2
@@ -61,7 +61,7 @@ username = {{ heat_keystone_user }}
 password = {{ heat_keystone_password }}
 [ec2authtoken]
-auth_uri = {{ keystone_internal_url }}/v3
+auth_uri = {{ keystone_internal_url }}
 [oslo_messaging_notifications]
 transport_url = {{ notify_transport_url }}
diff --git a/ansible/roles/horizon/defaults/main.yml b/ansible/roles/horizon/defaults/main.yml
index 33efe96afc..d88bb6c01b 100644
--- a/ansible/roles/horizon/defaults/main.yml
+++ b/ansible/roles/horizon/defaults/main.yml
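Review bot: `auth_version = 3` stays on the line above while `auth_address` loses its `/v3`, so the Swift store is now given a version number together with an unversioned URL. Whether the Swift client used by Glance resolves the versioned path from that pair is not visible here; if it builds the token request from the address as written, Glance would fail to authenticate to Swift. The second gnocchi.conf.j2 hunk has the same pairing (`swift_authurl` next to `swift_auth_version = 3`). Once tested, a comment such as `# unversioned: the client derives the v3 path from auth_version` would record the assumption.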
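Review bot: The `[ec2authtoken]` `auth_uri` in heat.conf.j2 is read by token-validation middleware rather than by an auth plugin, so version discovery may not apply to it. As far as I know Heat's EC2 token middleware appends `ec2tokens` to this value and Keystone serves that resource under `/v3`, in which case the unversioned form would make every EC2-signed request fail validation. The `auth_uri` under `[filter:s3token]` in swift/templates/proxy-server.conf.j2 has the same shape, with `s3tokens` expected to be appended. Please confirm against the deployed Heat and Swift releases, and if they do concatenate, keep `auth_uri = {{ keystone_internal_url }}/v3` in these two places.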
@@ -122,7 +122,7 @@ horizon_extra_volumes: "{{ default_extra_volumes }}"
 # OpenStack
 ####################
 horizon_logging_debug: "{{ openstack_logging_debug }}"
-horizon_keystone_url: "{{ keystone_public_url if horizon_use_keystone_public_url | bool else keystone_internal_url }}/v3"
+horizon_keystone_url: "{{ keystone_public_url if horizon_use_keystone_public_url | bool else keystone_internal_url }}"
 ####################
diff --git a/ansible/roles/horizon/templates/local_settings.j2 b/ansible/roles/horizon/templates/local_settings.j2
index a0aaf8385a..8ca6b74484 100644
--- a/ansible/roles/horizon/templates/local_settings.j2
+++ b/ansible/roles/horizon/templates/local_settings.j2
@@ -224,7 +224,7 @@ WEBSSO_ENABLED = True
 # Do not remove the mandatory credentials mechanism.
 # Note: The last two tuples are sample mapping keys to a identity provider
 # and federation protocol combination (WEBSSO_IDP_MAPPING).
-WEBSSO_KEYSTONE_URL = "{{ keystone_public_url }}/v3"
+WEBSSO_KEYSTONE_URL = "{{ keystone_public_url }}"
 WEBSSO_CHOICES = (
 ("credentials", _("Keystone Credentials")),
 {% for idp in keystone_identity_providers %}
@@ -856,7 +856,7 @@ REST_API_REQUIRED_SETTINGS = [
 {% if enable_murano | bool and enable_barbican | bool %}
 KEY_MANAGER = {
- 'auth_url': '{{ keystone_internal_url }}/v3',
+ 'auth_url': '{{ keystone_internal_url }}',
 'username': '{{ murano_keystone_user }}',
 'user_domain_name': '{{ default_project_domain_name }}',
 'password': '{{ murano_keystone_password }}',
diff --git a/ansible/roles/magnum/templates/magnum.conf.j2 b/ansible/roles/magnum/templates/magnum.conf.j2
index 5a7051545e..86d1b17959 100644
--- a/ansible/roles/magnum/templates/magnum.conf.j2
+++ b/ansible/roles/magnum/templates/magnum.conf.j2
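Review bot: `WEBSSO_KEYSTONE_URL` is the base of the URL the user's browser is redirected to for federated login, so client-side version discovery does not cover it the way it covers a service `auth_url`. If Horizon concatenates the federation path onto this value without adding the version prefix, the redirect would point at a path Keystone does not serve and WebSSO logins would break; the hunk does not show which is the case. The `horizon_keystone_url` default in horizon/defaults/main.yml feeds Horizon too and deserves the same check. Please test a WebSSO login with this change, or keep `WEBSSO_KEYSTONE_URL = "{{ keystone_public_url }}/v3"` until that is confirmed.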
@@ -65,7 +65,7 @@ endpoint_type = internalURL
 ca_file = {{ openstack_cacert }}
 [keystone_auth]
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 user_domain_name = {{ default_user_domain_name }}
 project_domain_name = {{ default_project_domain_name }}
 project_name = service
@@ -76,8 +76,7 @@ cafile = {{ openstack_cacert }}
 [keystone_authtoken]
 service_type = container-infra
-auth_version = v3
-www_authenticate_uri = {{ keystone_internal_url }}/v3
+www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_name = {{ default_project_domain_name }}
diff --git a/ansible/roles/masakari/templates/masakari.conf.j2 b/ansible/roles/masakari/templates/masakari.conf.j2
index 814227332c..a8d16e05c7 100644
--- a/ansible/roles/masakari/templates/masakari.conf.j2
+++ b/ansible/roles/masakari/templates/masakari.conf.j2
@@ -10,7 +10,7 @@ os_region_name = {{ openstack_region_name }}
 os_user_domain_name = {{ default_user_domain_id }}
 os_project_domain_name = {{ default_project_domain_id }}
 os_privileged_user_tenant = service
-os_privileged_user_auth_url = {{ keystone_internal_url }}/v3
+os_privileged_user_auth_url = {{ keystone_internal_url }}
 os_privileged_user_name = {{ nova_keystone_user }}
 os_privileged_user_password = {{ nova_keystone_password }}
 nova_ca_certificates_file = {{ openstack_cacert }}
@@ -23,7 +23,7 @@ max_retries = -1
 [keystone_authtoken]
 service_type = instance-ha
-www_authenticate_uri = {{ keystone_internal_url }}/v3
+www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_name = {{ default_project_domain_name }}
diff --git a/ansible/roles/mistral/templates/mistral.conf.j2 b/ansible/roles/mistral/templates/mistral.conf.j2
index 3f357aae00..50df4d9c26 100644
--- a/ansible/roles/mistral/templates/mistral.conf.j2
+++ b/ansible/roles/mistral/templates/mistral.conf.j2
@@ -40,8 +40,8 @@ max_retries = -1
 [keystone_authtoken]
 service_type = workflow
-www_authenticate_uri = {{ keystone_internal_url }}/v3
-auth_url = {{ keystone_internal_url }}/v3
+www_authenticate_uri = {{ keystone_internal_url }}
+auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
 user_domain_id = {{ default_user_domain_id }}
diff --git a/ansible/roles/murano/templates/murano.conf.j2 b/ansible/roles/murano/templates/murano.conf.j2
index 6bd30f20d6..1545690630 100644
--- a/ansible/roles/murano/templates/murano.conf.j2
+++ b/ansible/roles/murano/templates/murano.conf.j2
@@ -38,7 +38,7 @@ memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
 [murano_auth]
-auth_uri = {{ keystone_internal_url }}/v3
+auth_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_name = {{ default_project_domain_name }}
@@ -86,7 +86,7 @@ virtual_host = {{ murano_agent_rabbitmq_vhost }}
 {% if enable_barbican | bool %}
 [key_manager]
 auth_type = keystone_password
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 username = {{ murano_keystone_user }}
 password = {{ murano_keystone_password }}
 user_domain_name = {{ default_project_domain_name }}
diff --git a/ansible/roles/nova-cell/templates/nova.conf.j2 b/ansible/roles/nova-cell/templates/nova.conf.j2
index e087f09b9a..67547b1f26 100644
--- a/ansible/roles/nova-cell/templates/nova.conf.j2
+++ b/ansible/roles/nova-cell/templates/nova.conf.j2
@@ -84,7 +84,7 @@ proxyclient_address = {{ api_interface_address }}
 [ironic]
 username = {{ ironic_keystone_user }}
 password = {{ ironic_keystone_password }}
-auth_url = {{ openstack_auth.auth_url }}/v3
+auth_url = {{ openstack_auth.auth_url }}
 cafile = {{ openstack_cacert }}
 auth_type = password
 project_name = service
diff --git a/ansible/roles/octavia/templates/octavia-openrc.sh.j2 b/ansible/roles/octavia/templates/octavia-openrc.sh.j2
index 4833855b0b..f0f38e0c89 100644
--- a/ansible/roles/octavia/templates/octavia-openrc.sh.j2
+++ b/ansible/roles/octavia/templates/octavia-openrc.sh.j2
@@ -5,6 +5,6 @@ export OS_USER_DOMAIN_NAME=Default
 export OS_PROJECT_NAME={{ octavia_service_auth_project }}
 export OS_USERNAME={{ octavia_keystone_user }}
 export OS_PASSWORD={{ octavia_keystone_password }}
-export OS_AUTH_URL={{ keystone_internal_url }}/v3
+export OS_AUTH_URL={{ keystone_internal_url }}
 export OS_INTERFACE=internal
 export OS_ENDPOINT_TYPE=internalURL
diff --git a/ansible/roles/prometheus/templates/clouds.yml.j2 b/ansible/roles/prometheus/templates/clouds.yml.j2
index 38d4a92383..4a5bb2763d 100644
--- a/ansible/roles/prometheus/templates/clouds.yml.j2
+++ b/ansible/roles/prometheus/templates/clouds.yml.j2
@@ -11,4 +11,4 @@ clouds:
 project_domain_name: 'Default'
 user_domain_name: 'Default'
 cacert: {{ openstack_cacert }}
- auth_url: {{ keystone_internal_url }}/v3
+ auth_url: {{ keystone_internal_url }}
diff --git a/ansible/roles/sahara/templates/sahara.conf.j2 b/ansible/roles/sahara/templates/sahara.conf.j2
index 6d884bb28d..fe34315b4f 100644
--- a/ansible/roles/sahara/templates/sahara.conf.j2
+++ b/ansible/roles/sahara/templates/sahara.conf.j2
@@ -61,5 +61,5 @@ project_name = service
 user_domain_name = {{ default_user_domain_name }}
 username = {{ sahara_keystone_user }}
 password = {{ sahara_keystone_password }}
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 cafile = {{ openstack_cacert }}
diff --git a/ansible/roles/skydive/templates/skydive-agent.conf.j2 b/ansible/roles/skydive/templates/skydive-agent.conf.j2 index 34dba6716c..69fda2b272 100644 --- a/ansible/roles/skydive/templates/skydive-agent.conf.j2 +++ b/ansible/roles/skydive/templates/skydive-agent.conf.j2 @@ -47,7 +47,7 @@ agent: ### TODO migrate from tenant_name to system_scope when supported in skydive neutron: - auth_url: {{ keystone_internal_url }}/v3 + auth_url: {{ keystone_internal_url }} username: {{ openstack_auth['username'] }} password: {{ openstack_auth['password'] }} tenant_name: {{ skydive_admin_tenant_name }} diff --git a/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 b/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 index 551b8dc65a..86fe018fd9 100644 --- a/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 +++ b/ansible/roles/skydive/templates/skydive-analyzer.conf.j2 @@ -4,7 +4,7 @@ auth: keystone: type: keystone - auth_url: {{ keystone_internal_url }}/v3 + auth_url: {{ keystone_internal_url }} region_name: {{ openstack_region_name }} tenant_name: {{ skydive_admin_tenant_name }} domain_name: Default diff --git a/ansible/roles/swift/templates/proxy-server.conf.j2 b/ansible/roles/swift/templates/proxy-server.conf.j2 index 42f87ee537..734299f628 100644 --- a/ansible/roles/swift/templates/proxy-server.conf.j2 +++ b/ansible/roles/swift/templates/proxy-server.conf.j2 @@ -99,5 +99,5 @@ use = egg:swift#s3api [filter:s3token] use = egg:swift#s3token -auth_uri = {{ keystone_internal_url }}/v3 +auth_uri = {{ keystone_internal_url }} {% endif %} diff --git a/ansible/roles/trove/templates/trove.conf.j2 b/ansible/roles/trove/templates/trove.conf.j2 index 7f12ffc10f..cd878394aa 100644 --- a/ansible/roles/trove/templates/trove.conf.j2 +++ b/ansible/roles/trove/templates/trove.conf.j2 
@@ -35,7 +35,7 @@ network_driver = trove.network.neutron.NeutronDriver
 control_exchange = trove
 [service_credentials]
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 region_name = {{ openstack_region_name }}
 project_name = service
 password = {{ trove_keystone_password }}
diff --git a/ansible/roles/vitrage/templates/vitrage.conf.j2 b/ansible/roles/vitrage/templates/vitrage.conf.j2
index 04472f4a40..f4750491b8 100644
--- a/ansible/roles/vitrage/templates/vitrage.conf.j2
+++ b/ansible/roles/vitrage/templates/vitrage.conf.j2
@@ -45,7 +45,7 @@ memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
 [service_credentials]
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 region_name = {{ openstack_region_name }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
diff --git a/doc/source/reference/logging-and-monitoring/monasca-guide.rst b/doc/source/reference/logging-and-monitoring/monasca-guide.rst
index df5dd5a420..12fa09a9e4 100644
--- a/doc/source/reference/logging-and-monitoring/monasca-guide.rst
+++ b/doc/source/reference/logging-and-monitoring/monasca-guide.rst
@@ -114,19 +114,18 @@ additional configuration: .. code-block:: yaml - keystone_admin_url: "http://172.28.128.254:35357" keystone_internal_url: "http://172.28.128.254:5000" monasca_openstack_auth: - auth_url: "{{ keystone_admin_url }}" + auth_url: "{{ keystone_internal_url }}" username: "admin" password: "{{ external_keystone_admin_password }}" project_name: "admin" domain_name: "default" user_domain_name: "default" -In this example it is assumed that the external Keystone admin and internal -URLs are `http://172.28.128.254:35357` and `http://172.28.128.254:5000` -respectively, and that the external Keystone admin password is defined by +In this example it is assumed that the external Keystone's internal URL is +`http://172.28.128.254:5000`, and that the external Keystone's admin password +is defined by the variable `external_keystone_admin_password` which you will most likely want to save in `/etc/kolla/passwords.yml`. Note that the Keystone URLs can be obtained from the external OpenStack CLI, for example: 
@@ -134,13 +133,12 @@ be obtained from the external OpenStack CLI, for example: .. code-block:: console openstack endpoint list --service identity - +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+ - | ID | Region | Service Name | Service Type | Enabled | Interface | URL | - +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+ - | 162365440e6c43d092ad6069f0581a57 | RegionOne | keystone | identity | True | admin | http://172.28.128.254:35357 | - | 6d768ee2ce1c4302a49e9b7ac2af472c | RegionOne | keystone | identity | True | public | http://172.28.128.254:5000 | - | e02067a58b1946c7ae53abf0cfd0bf11 | RegionOne | keystone | identity | True | internal | http://172.28.128.254:5000 | - +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+ + +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+ + | ID | Region | Service Name | Service Type | Enabled | Interface | URL | + +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+ + | 6d768ee2ce1c4302a49e9b7ac2af472c | RegionOne | keystone | identity | True | public | http://172.28.128.254:5000 | + | e02067a58b1946c7ae53abf0cfd0bf11 | RegionOne | keystone | identity | True | internal | http://172.28.128.254:5000 | + +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+ If you are also using Kolla Ansible to manage the external OpenStack installation, the external Keystone admin password will most likely diff --git a/doc/source/user/multi-regions.rst b/doc/source/user/multi-regions.rst index 166c39991c..5485bb3246 100644 --- a/doc/source/user/multi-regions.rst 
+++ b/doc/source/user/multi-regions.rst @@ -9,7 +9,7 @@ with Kolla. A basic multiple region deployment consists of separate OpenStack installations in two or more regions (RegionOne, RegionTwo, ...) with a shared Keystone and Horizon. The rest of this documentation assumes Keystone and Horizon are deployed in RegionOne, and other regions have -access to the admin endpoint (for example, ``kolla_internal_fqdn``) of +access to the internal endpoint (for example, ``kolla_internal_fqdn``) of RegionOne. It also assumes that the operator knows the name of all OpenStack regions in advance, and considers as many Kolla deployments as there are regions. @@ -69,11 +69,10 @@ the value of ``kolla_internal_fqdn`` in RegionOne: kolla_internal_fqdn_r1: 10.10.10.254 - keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}" keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}" openstack_auth: - auth_url: "{{ keystone_admin_url }}" + auth_url: "{{ keystone_internal_url }}" username: "{{ keystone_admin_user }}" password: "{{ keystone_admin_password }}" user_domain_name: "{{ default_user_domain_name }}" @@ -97,7 +96,7 @@ create a ``global.conf`` file with the following content: [keystone_authtoken] www_authenticate_uri = {{ keystone_internal_url }} - auth_url = {{ keystone_admin_url }} + auth_url = {{ keystone_internal_url }} The Placement API section inside the nova configuration file also has to be updated to contact RegionOne's Keystone. So create, in the same @@ -106,7 +105,7 @@ directory, a ``nova.conf`` file with below content: .. code-block:: ini [placement] - auth_url = {{ keystone_admin_url }} + auth_url = {{ keystone_internal_url }} The Heat section inside the configuration file also has to be updated to contact RegionOne's Keystone. So create, in the same