From cc2dde0854e72ed3361f8a7b54cde091a04e17cc Mon Sep 17 00:00:00 2001 From: Dave McCowan Date: Sat, 15 Oct 2016 18:50:41 -0400 Subject: [PATCH] OpenStack Services Should Use keystone_internal_url for auth Horizon and Neutron mistakenly were using keystone_public_url for authentication. This works without error in deployments when the internal services happen to have access to the public network, but it is still wrong. This fails to work when the internal services can not access the public URLs, for example when TLS is enabled on the public endppoints. This patches corrects horizon and neutron to use keystone_internal_url for auth. Change-Id: I59b9094364bef375036028ba86a771dabf28c963 Closes-bug: #1625648 --- ansible/roles/horizon/templates/local_settings.j2 | 2 +- ansible/roles/neutron/templates/neutron.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/horizon/templates/local_settings.j2 b/ansible/roles/horizon/templates/local_settings.j2 index c5abb28d32..891b19441b 100644 --- a/ansible/roles/horizon/templates/local_settings.j2 +++ b/ansible/roles/horizon/templates/local_settings.j2 @@ -192,7 +192,7 @@ EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' OPENSTACK_HOST = "{% if orchestration_engine == 'KUBERNETES' %}{{ api_interface_address }}{% else %}{{ kolla_internal_fqdn }}{% endif %}" -OPENSTACK_KEYSTONE_URL = "{{ keystone_public_url }}" +OPENSTACK_KEYSTONE_URL = "{{ keystone_internal_url }}" OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{ horizon_openstack_keystone_default_role }}" # Enables keystone web single-sign-on if set to True. diff --git a/ansible/roles/neutron/templates/neutron.conf.j2 b/ansible/roles/neutron/templates/neutron.conf.j2 index 6b899ed0c0..d9f6256220 100644 --- a/ansible/roles/neutron/templates/neutron.conf.j2 +++ b/ansible/roles/neutron/templates/neutron.conf.j2 
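Review bot: `OPENSTACK_KEYSTONE_URL` on the changed line is not only used for server-side auth calls. As far as I know, Horizon also builds the browser redirect for web single-sign-on from it, and the context line right below introduces that feature, so with `{{ keystone_internal_url }}` an SSO user would likely be sent to an address reachable only from inside the deployment. Horizon also forwards the login form's credentials to this URL, and whether `keystone_internal_url` renders to https is not visible in this hunk. I would record both constraints next to the setting, e.g. `# Internal endpoint: used server-side only; needs TLS or a trusted management network, and is not reachable by browsers (affects WebSSO redirects).`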
@@ -72,7 +72,7 @@ connection = mysql+pymysql://{{ neutron_database_user }}:{{ neutron_database_pas max_retries = -1 [keystone_authtoken] -auth_uri = {{ keystone_public_url }} +auth_uri = {{ keystone_internal_url }} auth_url = {{ keystone_admin_url }} auth_type = password project_domain_id = default
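Review bot: `auth_uri` in `[keystone_authtoken]` is, to my knowledge, the endpoint keystonemiddleware advertises to unauthenticated callers in the `WWW-Authenticate` header of a 401, so after this change external Neutron API clients would be handed the internal Keystone address. That discloses an internal hostname and points those clients at something they probably cannot reach. The auth plugin itself appears to use `auth_url`, which the hunk leaves on `{{ keystone_admin_url }}`, so it is worth confirming that `auth_uri` is really the setting behind the failure described in the commit message. If the internal value is intended, a comment above the line would make that explicit: `# auth_uri is returned to clients on 401; set to the internal URL deliberately because services cannot reach the public endpoint.` The section continues past the end of the hunk, so other options there may already cover this.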