Openstack Keystone version v2 and v3: what and when to use? #30

AJNOURI opened this issue Nov 3, 2016 · 2 comments
AJNOURI commented Nov 3, 2016

I am using the openstack command with the keystone v3 API (http://X.X.239.4:5000/v3/) as follows:

openstack --os-auth-url http://X.X.239.4:5000/v3/ --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password endpoint list
+----------------------------------+-----------+--------------+----------------+
| ID                               | Region    | Service Name | Service Type   |
+----------------------------------+-----------+--------------+----------------+
| 3d3605860ed144b584b40b059210add7 | RegionOne | swift        | object-store   |
| 5a24c9b20a874d0aae89a3013ec9773a | RegionOne | heat         | orchestration  |
| 0f9ef30badc54af3984327fea4ba49b1 | RegionOne | nova_legacy  | compute_legacy |
| 544e4daa8f3b41648654876a0cad7b06 | RegionOne | ec2          | ec2            |
| 8f901675d8504a5dad0039093c2d18e4 | RegionOne | nova         | compute        |
| 4ea0ca4e7ed04d19a76d48a0977e7c6d | RegionOne | heat-cfn     | cloudformation |
| 7c269c7ae8664d1aa06014b30d55fe37 | RegionOne | glance       | image          |
| 735bfa3e5c2c4981a4a3f47d55b38d0f | RegionOne | neutron      | network        |
| 8685440e3d73467792b6c106a8d9087c | RegionOne | keystone     | identity       |
| 28e29f53d54c4590b79a80f3036270da | RegionOne | cinderv2     | volumev2       |
| b5b9a6fd79b241d3bdfb46d75d94c698 | RegionOne | cinder       | volume         |
| 397dfa4339e5419c9ce2e0ac9f2d7883 | RegionOne | s3           | s3             |
+----------------------------------+-----------+--------------+----------------+

But when inspecting the keystone endpoint, I got v2 as the OS auth URL:

openstack --os-auth-url http://X.X.239.4:5000/v3/ --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password endpoint show 8685440e3d73467792b6c106a8d9087c
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| adminurl     | http://X.X.239.4:35357/v2.0  |
| enabled      | True                             |
| id           | 8685440e3d73467792b6c106a8d9087c |
| internalurl  | http://X.X.239.4:5000/v2.0   |
| publicurl    | http://X.X.239.4:5000/v2.0   |
| region       | RegionOne                        |
| service_id   | 58c80619effb4cf7896d309d169d0f20 |
| service_name | keystone                         |
| service_type | identity                         |
+--------------+----------------------------------+

If I reissue the openstack command using the v2 URL (http://X.X.239.4:35357/v2.0), it doesn't accept the URL version:

openstack --os-auth-url http://X.X.239.4:35357/v2.0 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password endpoint show 8685440e3d73467792b6c106a8d9087c
Could not determine a suitable URL for the plugin

Are both keystone authentication URL versions serving different purposes?

@AJNOURI AJNOURI self-assigned this Nov 3, 2016

AJNOURI commented Nov 6, 2016

I've collected the results of some commands, hoping to have a better view of the big picture.

Identity version 2.0 (http://X.X.223.25:5000/v2.0)

[Image: selection_515]

NOK = Could not determine a suitable URL for the plugin

Identity version 3 (http://X.X.223.25:5000/v3)

[Image: selection_514]

  • NOK = Authorization failed the resource could not be found (HTTP 404)
  • NOK1 = Authorization failed. Authorization failed the resource could not be found

Strange that keystone.conf doesn't seem to have any reference to any auth_url:

cat /etc/keystone/keystone.conf | grep -v ^# | grep -v ^$

[DEFAULT]
max_token_size = 16384
logging_exception_prefix = %(process)d TRACE %(name)s %(instance)s
logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
logging_default_format_string = %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
logging_context_format_string = %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
debug = True
admin_token = openstack
rpc_backend = rabbit
[assignment]
driver = sql
[auth]
[cache]
[catalog]
driver = sql
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://root:[email protected]/keystone?charset=utf8
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
admin_workers = 2
admin_bind_host = 162.242.223.25
[eventlet_server_ssl]
[federation]
[fernet_tokens]
key_repository = /etc/keystone/fernet-keys/
[identity]
driver = sql
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[matchmaker_ring]
[memcache]
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_qpid]
[oslo_messaging_rabbit]
rabbit_userid = stackrabbit
rabbit_password = openstack
rabbit_hosts = 162.242.223.25
[oslo_middleware]
[oslo_policy]
[paste_deploy]
config_file = /etc/keystone/keystone-paste.ini
[policy]
[resource]
[revoke]
[role]
[saml]
[signing]
[ssl]
[token]
driver = sql
[tokenless_auth]
[trust]


AJNOURI commented Nov 6, 2016

Knowing that:

  • openstack unified API supports both v3 and v2 for backwards compatibility.
  • python-keystoneclient only supports the Identity v2.0 API

  • This explains why keystone client doesn't work with API identity v3 (NOK in 2nd table).
  • The following link may suggest that swift is not properly configured for v3 auth_url (NOK1 in 2nd table).
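
Added example, not part of the original issue and not OpenStack client code: a Python sketch of picking an identity endpoint from Keystone's version discovery document, and of flagging a v2.0 auth URL combined with domain options (the combination in the last failing command above), which v2.0 cannot honour because domains exist only in Identity v3. The discovery document, the host `keystone.example` and all function names are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the shape Keystone serves at its unversioned root
# (for example http://<host>:5000/); host and version ids are placeholders.
DISCOVERY_DOC = json.loads("""
{"versions": {"values": [
  {"id": "v3.6", "status": "stable",
   "links": [{"rel": "self", "href": "http://keystone.example:5000/v3/"}]},
  {"id": "v2.0", "status": "deprecated",
   "links": [{"rel": "self", "href": "http://keystone.example:5000/v2.0/"}]}
]}}
""")

# Options that only Identity v3 understands: v2.0 has no concept of domains.
DOMAIN_OPTS = ("user_domain_id", "user_domain_name", "project_domain_id",
               "project_domain_name", "domain_id", "domain_name")


def needs_v3(auth_opts):
    """True when any domain option is set (hypothetical helper)."""
    return any(auth_opts.get(k) for k in DOMAIN_OPTS)


def advertised_versions(doc):
    """Map major version -> 'self' URL for each entry in the discovery document."""
    found = {}
    for entry in doc.get("versions", {}).get("values", []):
        major = int(entry["id"].lstrip("v").split(".")[0])
        hrefs = [l["href"] for l in entry.get("links", []) if l.get("rel") == "self"]
        if hrefs:
            found[major] = hrefs[0]
    return found


def url_conflicts_with_opts(auth_url, auth_opts):
    """True when a v2.0 auth URL is combined with v3-only domain options."""
    return urlparse(auth_url).path.lower().startswith("/v2.0") and needs_v3(auth_opts)


def pick_auth_url(doc, auth_opts):
    """Pick the advertised endpoint that can honour the supplied options."""
    versions = advertised_versions(doc)
    if 3 in versions:
        return versions[3]
    if needs_v3(auth_opts):
        raise ValueError("domain options supplied but no v3 endpoint advertised")
    if 2 in versions:
        return versions[2]
    raise ValueError("no usable identity endpoint advertised")
```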
