Changing default_domain_id doesn't work
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Brant Knudson | |
Bug Description
If you change the default_domain_id in keystone.conf, it doesn't take effect everywhere. The problem is that the value is read when modules are imported, but that happens before the call to oslo.conf.
Here's an example:
keystone.
Then later, in main in keystone-all, we finally call CONF():
so what's going to happen is that DEFAULT_DOMAIN will get a domain_id of the default domain ID and later CONF.identity.
You can see it in the debugger by setting a breakpoint after CONF() and checking the value of the config option and the DEFAULT_DOMAIN.
I'm not sure what all effects this would have.
The fix is to change the keystone server code so that it doesn't read the config value until after CONF(), which means not at import time.
----
I looked through the rest of the code and here's where a static default_domain_id is used, and my guess as to what effect it will have:
o keystone.
- In class Tenant(
- get_projects_
used to filter a list of tenants,
so will get tenants from wrong domain or no tenants/domain not found.
- get_project_
passed to self.assignment
so using v2 API will get project from wrong domain or project/domain not found
- In class Role(controller
- get_role_refs()
will get roles from wrong domain or no roles
- In class DomainV3(
- delete_domain()
would allow deleting the default domain when should not
o keystone.
- Creates a DEFAULT_DOMAIN with { 'id': CONF.identity.
so the id of the default domain will be incorrect.
- this is used by keystone.
- get_domain(), will return domain with incorrect ID
- list_domains(), will return domain with incorrect ID
o keystone.
- will create domain with wrong ID on upgrade
- or fail to delete the domain on downgrade
o keystone.
- will put users with wrong domain
o keystone.
- in class V2Controller
- in _normalize_
- in class V3Controller(
- _get_domain_
will get wrong domain ID for admin token
will get wrong domain ID when no domain in token
o keystone.
- in class User(controller
- in get_user_by_name(),
will get user from wrong domain or domain doesn't exist
o keystone.
- in class BaseProvider(
- in _assert_
- will allow a user in non-default domain (for v2 tokens)
o keystone.
- in class Auth(controller
- in _authenticate_
will get user from wrong domain or won't find user
(so authentication would fail)
- in _authenticate_
will get user from wrong domain
- in _get_project_
will get project from wrong domain or won't find project
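The import-time mechanism described in the report, as an added example that is not keystone's own code. A small stand-in for oslo.config's CONF object (FakeConf) is used so it runs offline: options are registered with a default when the module is imported, and the values from the config file are applied only when the object is called, which is the late CONF() step the report refers to. The stand-in is called with an INI string instead of argv, and the names DEFAULT_DOMAIN, get_default_domain, is_default_domain and the "blks_domain" value (taken from the devstack experiment later in the thread) are assumptions made for the example.

```python
"""Why an import-time read of default_domain_id ignores keystone.conf.

Added example, not keystone's own code. FakeConf is a minimal stand-in for
oslo.config's CONF so this runs offline; it is called with an INI string
rather than sys.argv, which is an assumption of this example.
"""
import configparser


class _GroupView:
    """CONF.identity.<opt> style attribute access for one option group."""

    def __init__(self, conf, group):
        self._conf = conf
        self._group = group

    def __getattr__(self, name):
        return self._conf.get(self._group, name)


class FakeConf:
    def __init__(self):
        self._defaults = {}   # (group, name) -> default given at registration
        self._values = {}     # (group, name) -> value applied by __call__

    def register_opt(self, group, name, default):
        self._defaults[(group, name)] = default
        if group not in self.__dict__:
            setattr(self, group, _GroupView(self, group))

    def get(self, group, name):
        # Until __call__ has run, only the registered default is visible.
        return self._values.get((group, name), self._defaults[(group, name)])

    def __call__(self, ini_text):
        """Apply the config file; stands in for CONF(argv, project='keystone')."""
        parser = configparser.ConfigParser()
        parser.read_string(ini_text)
        for group in parser.sections():
            for name, value in parser.items(group):
                if (group, name) not in self._defaults:
                    raise KeyError("unknown option %s.%s" % (group, name))
                self._values[(group, name)] = value


CONF = FakeConf()
CONF.register_opt("identity", "default_domain_id", "default")

# Buggy pattern from the report: the dict is built when the module is
# imported, so it freezes the registered default regardless of keystone.conf.
DEFAULT_DOMAIN = {"id": CONF.identity.default_domain_id, "name": "Default", "enabled": True}


def get_default_domain():
    """Fixed pattern: read the option at call time, i.e. after CONF() has run."""
    return {"id": CONF.identity.default_domain_id, "name": "Default", "enabled": True}


def is_default_domain(domain_id, use_snapshot):
    """A guard like the delete_domain() check in the report. With the
    import-time snapshot the real default domain is no longer protected."""
    expected = DEFAULT_DOMAIN["id"] if use_snapshot else get_default_domain()["id"]
    return domain_id == expected


# Constructed keystone.conf fragment (hypothetical value, as in the thread).
KEYSTONE_CONF = "[identity]\ndefault_domain_id = blks_domain\n"


def demo(ini_text=KEYSTONE_CONF):
    CONF(ini_text)   # the late CONF() call that main() makes
    return {
        "option_after_conf": CONF.identity.default_domain_id,
        "import_time_snapshot": DEFAULT_DOMAIN["id"],
        "read_after_conf": get_default_domain()["id"],
        "snapshot_guards_real_default": is_default_domain("blks_domain", True),
        "lazy_guards_real_default": is_default_domain("blks_domain", False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-30s %r" % (key, value))
```

Running it shows the option itself reading "blks_domain" after CONF() while the import-time dict still says "default"; the check built on the snapshot reports that "blks_domain" is not the default domain, which is exactly how the delete guard and the v2 lookups in the list above go wrong.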
Changed in keystone:
  assignee: nobody → Brant Knudson (blk-u)
Changed in keystone:
  importance: Undecided → Medium
Changed in keystone:
  milestone: none → icehouse-3
  status: Fix Committed → Fix Released
Changed in keystone:
  milestone: icehouse-3 → 2014.1
I tried running devstack with a non-default default_project_id. I changed lib/keystone to `iniset $KEYSTONE_CONF identity default_domain_id "blks_domain"`.
Devstack fails when it tries to create tenants, and creating users also fails. Here's the output:

```
...
+ create_keystone_accounts
++ keystone tenant-create --name admin
++ grep ' id '
++ get_field 2
++ read data
Conflict occurred attempting to store project. (IntegrityError) (1452, 'Cannot add or update a child row: a foreign key constraint fails (`keystone`.`project`, CONSTRAINT `project_ibfk_1` FOREIGN KEY (`domain_id`) REFERENCES `domain` (`id`))') 'INSERT INTO project (id, name, domain_id, description, enabled, extra) VALUES (%s, %s, %s, %s, %s, %s)' ('96bab9b2790f412693732f9d32c32cde', 'admin', 'default', None, 1, '{}') (HTTP 409)
+ ADMIN_TENANT=
++ keystone user-create --name admin --pass ofs5dac --email <email address hidden>
++ get_field 2
++ grep ' id '
++ read data
Could not find domain, default. (HTTP 404)
...
```
So it can't create tenants because the ID in the database is "blks_domain" rather than "domain", so the foreign key constraint fails.
So the migration to insert the default domain is working correctly?
It can't create the admin user because it can't find the 'default' domain, because the domain is actually "blks_domain".