Bug #1277193 “Upstream update for h.2 causes keystone error” : Bugs : Cisco Openstack

Mark T. Voelker (mvoelker) on 2014-02-06

Changed in openstack-cisco:
importance:	Undecided → High

Revision history for this message

Mark T. Voelker (mvoelker) wrote on 2014-02-21:

#1

Download full text (7.2 KiB)

A few notes:

1.) Ignore the bit above about no tenant-id being specified. I think that's just log truncation, as the error would be very different if that were what was actually going on:

root@control01:/usr/share/puppet/modules/keystone# /usr/bin/keystone --endpoint http://127.0.0.1:35357/v2.0/ user-role-list --user-id 81b61a28cb6b445ca3c9160f23c48236 --tenant-id
usage: keystone user-role-list [--user <user>] [--tenant <tenant>]
keystone user-role-list: error: argument --tenant/--tenant-id: expected one argument
root@control01:/usr/share/puppet/modules/keystone#

2.) This could be related to an old-but-not-yet-fixed python-keystoneclient bug:

https://bugs.launchpad.net/python-keystoneclient/+bug/1058750

3.) Digging a bit, the --user-id argument in the command is the admin user (which the error message itself also indicates). The missing tenant_id that got truncated out of the message could be for either the 'openstack' or 'services' tenants (the only two that exist on the system at the time). From the error message we know it's the former. Note also that both the admin and service tenants do exist, as does the admin user, and the admin user is assigned to the _member_ role:

A few notes:

1.)  Ignore the bit above about no tenant-id being specified.  I think that's just log truncation, as the error would be very different if that were what was actually going on:

root@control01:/usr/share/puppet/modules/keystone# /usr/bin/keystone --endpoint http://127.0.0.1:35357/v2.0/ user-role-list --user-id 81b61a28cb6b445ca3c9160f23c48236 --tenant-id
usage: keystone user-role-list [--user <user>] [--tenant <tenant>]
keystone user-role-list: error: argument --tenant/--tenant-id: expected one argument
root@control01:/usr/share/puppet/modules/keystone#

2.)  This could be related to an old-but-not-yet-fixed python-keystoneclient bug:

https://bugs.launchpad.net/python-keystoneclient/+bug/1058750

3.)  Digging a bit, the --user-id argument in the command is the admin user (which the error message itself also indicates).  The missing tenant_id that got truncated out of the message could be for either the 'openstack' or 'services' tenants (the only two that exist on the system at the time).  From the error message we know it's the former.  Note also that both the admin and service tenants do exist, as does the admin user, and the admin user is assigned to the _member_ role:

That means there's basically only thing left for the admin.pp manifest to do, which is:

keystone_user_role { "${admin}@${admin_tenant}":
    ensure => present,
    roles  => 'admin',
  }

That's the code that's bonking out here based on the error message.  This basically says to make the admin user ('admin') an admin of the admin tenant ('openstack') (say that three times fast!).  That's where things appear to be falling apart, because if it had worked we should see something like this (I added the admin role here manually myself before running the command below to make sure it wasn't the user-role-add command that was failing):

root@control01:~# /usr/bin/keystone --endpoint http://127.0.0.1:35357/v2.0/ user-role-list --user-id 5d4c0ea62e1e403595d1cd109c9db441 --tenant-id  6b250e187fd44d84a3267ea96298d2bb
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 5d4c0ea62e1e403595d1cd109c9db441 | 6b250e187fd44d84a3267ea96298d2bb |
| 4cddfd1256bc40c7a21b32e50925cbd4 |  admin   | 5d4c0ea62e1e403595d1cd109c9db441 | 6b250e187fd44d84a3267ea96298d2bb |
+----------------------------------+----------+----------------------------------+----------------------------------+
root@control01:~#

So, what's happening is probably something like this:

It's never actually trying to create the mapping because it's failing to populate the object before it gets to the point of wanting to attempt to create the mapping.  When the object is created, part of what it does is build a user/role hash so it knows what mappings already exist.  That's when it calls the user-role-list command, and that's what's returning the error message--possibly due to the aforementioned keystoneclient bug, except that should only happen if the --tenant-id flag wasn't being passed at all (and it clearly was based on the log message).  It's posible we have a new keystoneclient issue here that's the cousin of the one mentioned above.

Workaround: create the mapping manually.  Use the commands above to get the role ID of the 'admin' role, the id of the 'admin' user,  and the ID of the 'openstack' tenant.  Then do:

/usr/bin/keystone --endpoint http://127.0.0.1:35357/v2.0/ user-role-add --user-id insert_your_admin_user_id_here --tenant-id  insert_your_tenant_id_here --role-id insert_your_role_name_here.

Revision history for this message

Mark T. Voelker (mvoelker) wrote on 2014-02-21:

#2

New theory: it's a lazy retrival thing. Since h.1 this patch was introduced to puppet-keystone:

https://github.com/stackforge/puppet-keystone/commit/a0a359801e7248b24d15b3acef3b398d5a2fb65f

That appears to be the source of the borkage, because it breaks if tenant is created after prefetching, a keystone lookup isn't performed. There's a patch out for review on stackforge that fixes the problem:

https://review.openstack.org/#/c/73913/

Revision history for this message

Mark T. Voelker (mvoelker) wrote on 2014-02-24:

#3

https://review.openstack.org/75628 has been pulled in.

Changed in openstack-cisco:
status:	In Progress → Fix Committed

Affects		Status	Importance	Assigned to	Milestone
	Cisco Openstack	Fix Released	High	Mark T. Voelker	Cisco Openstack h.2
	Havana	Fix Released	High	Mark T. Voelker	Cisco Openstack h.2

Cisco Openstack

Upstream update for h.2 causes keystone error

Bug Description

Other bug subscribers

Remote bug watches