From 3a6569960247c578441ee34c1b054da8e77f6481 Mon Sep 17 00:00:00 2001 From: Akihiro Motoki Date: Fri, 25 Mar 2022 14:08:17 +0900 Subject: Do not assume keystone admin endpoint keystone does not distinguish public and admin endpoints since Train [1], so there is no need to use a separate endpoint for keystone admin operations. admin endpoint still can be configured but there is no functional difference anymore from other endpoints. We do not need to require admin endpoint and can use an endpoint specified by OPENSTACK_ENDPOINT_TYPE for all API operations. This commit reverts commit f9bab3fe195eb13635aa70cb910d94df98d66cf3 as we no longer need the workaround. [1] https://review.opendev.org/c/openstack/keystone/+/664246 Closes-Bug: #1950659 Change-Id: I2660fd2df8081e1d2d9c84626037f94bd9d137a5
---
 .zuul.d/tempest-and-integrated.yaml | 5 -----
 openstack_dashboard/api/keystone.py | 9 +++------
 ...e-admin-endpoint-no-longer-required-06a8d29dfdb3b1cd.yaml | 12 ++++++++++++
 3 files changed, 15 insertions(+), 11 deletions(-)
 create mode 100644 releasenotes/notes/keystone-admin-endpoint-no-longer-required-06a8d29dfdb3b1cd.yaml
diff --git a/.zuul.d/tempest-and-integrated.yaml b/.zuul.d/tempest-and-integrated.yaml
index 52ff83eca..df2e9b52a 100644
--- a/.zuul.d/tempest-and-integrated.yaml
+++ b/.zuul.d/tempest-and-integrated.yaml
@@ -24,11 +24,6 @@
 - ^openstack_dashboard/.*/[^/]*\.spec\.js$
 - ^horizon/static/.*/[^/]*\.spec\.js$
 vars:
- devstack_localrc:
- # NOTE: workaround for bug 1950659
- # Some horizon integration test start failing after devstack
- # stop creating default keystone admin endpoint.
- KEYSTONE_ADMIN_ENDPOINT: true
 devstack_services:
 horizon: true
 tox_envlist: integration
diff --git a/openstack_dashboard/api/keystone.py b/openstack_dashboard/api/keystone.py
index 9eb7f1843..d248a223d 100644
--- a/openstack_dashboard/api/keystone.py
+++ b/openstack_dashboard/api/keystone.py
@@ -157,12 +157,9 @@ def keystoneclient(request, admin=False):
 if domain_token:
 token_id = getattr(domain_token, 'auth_token', None)
- if admin:
- if not policy.check((("identity", "admin_required"),), request):
- raise exceptions.NotAuthorized
- endpoint_type = 'adminURL'
- else:
- endpoint_type = settings.OPENSTACK_ENDPOINT_TYPE
+ if admin and not policy.check((("identity", "admin_required"),), request):
+ raise exceptions.NotAuthorized
+ endpoint_type = settings.OPENSTACK_ENDPOINT_TYPE
 # Take care of client connection caching/fetching a new client.
 # Admin vs. non-admin clients are cached separately for token matching.
diff --git a/releasenotes/notes/keystone-admin-endpoint-no-longer-required-06a8d29dfdb3b1cd.yaml b/releasenotes/notes/keystone-admin-endpoint-no-longer-required-06a8d29dfdb3b1cd.yaml
new file mode 100644
index 000000000..d84e6b012
--- /dev/null
+++ b/releasenotes/notes/keystone-admin-endpoint-no-longer-required-06a8d29dfdb3b1cd.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ Horizon no longer requires the keystone admin endpoint. keystone does
+ not distinguish public and admin endpoints and there is no functional
+ difference between public and admin endpoints. There is no need for
+ a separate endpoint for keystone admin operations, but horizon required
+ the keystone admin endpoint is configured previously. This requirement
+ no longer exists. An endpoint specified by ``OPENSTACK_ENDPOINT_TYPE``
+ setting is used for the keystone admin operations. You can drop
+ the admin endpoint for keystone (unless other services require it).
+ [:bug:`1950659`]
-- cgit v1.2.1
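Review bot: In `keystoneclient` (openstack_dashboard/api/keystone.py) the `admin` flag no longer selects `adminURL`, so the only thing that now separates an admin client from a regular one at this point is the `policy.check` on `identity:admin_required`, and nothing in the new lines records that. As far as the hunk shows, that check is evaluated inside Horizon before any request is sent, so it is presumably a dashboard-side gate and keystone's own policy on the token remains the real enforcement. I would say so next to the check, e.g. `# admin only gates on identity:admin_required here; the endpoint is always OPENSTACK_ENDPOINT_TYPE and keystone still authorizes each call`. Operators who limited network access to the admin endpoint should also be aware that admin identity calls now use the configured endpoint type. The function starts and ends outside the hunk, so its docstring and the caching code behind the "cached separately" comment may still describe the old endpoint split and are worth checking.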