Create tenants, users, and roles in OpenStack Installation Guide for Ubuntu 14.04 - juno

Bug #1403136 reported by Chris Buccella
Affects                        | Status       | Importance | Assigned to
OpenStack Identity (keystone)  | Fix Released | Low        | Lance Bragstad
openstack-manuals              | Fix Released | Low        | Matt Kassawara

Bug Description

"e. By default, the dashboard limits access to users with the _member_ role. Create the _member_ role:"

The first sentence is true, but keystone will automatically create the _member_ role if it does not exist.

I discovered this while tracking down an error: "keystone user-create" resulted in a "duplicate entry" error. The sequence is like this:

1) As described in the doc, I run "keystone role-create --name _member_". The role is created and assigned a random ID.
2) On "user-create", keystone wants to assign the _member_ role to the new user. It looks up member_role_id in keystone.conf, finds none (the member_role_id does not match the ID from step 1)
3) keystone now tries to create the _member_ role, but this fails since the name already exists.

So by not creating the "_member_" role myself, the problem is averted. That's why I'm opening a bug against docs.... another fix would be for keystone to do the lookup by name instead, but I assume the keystone team has a good reason for not doing so.

I'm using the v2 API with SQL backend.

-----------------------------------
Built: 2014-12-09T01:28:32+00:00
git SHA: 6d3c276487be990722bc423642ffb05217d77289
URL: http://docs.openstack.org/juno/install-guide/install/apt/content/keystone-users.html
source File: file:/home/jenkins/workspace/openstack-manuals-tox-doc-publishdocs/doc/install-guide/section_keystone-users.xml
xml:id: keystone-users

Revision history for this message
LKP (lkernelpanic) wrote :

This problem also affects the guides "Create tenants, users, and roles in OpenStack Installation Guide for Red Hat Enterprise Linux 7, CentOS 7, and Fedora 20 - juno" and "Create tenants, users, and roles in OpenStack Installation Guide for OpenSUSE 13.1 and SUSE Linux Enterprise Server 11 SP3 - juno".

A fix for those affected after following the current guides is to get the current key of the admin role (keystone role-list | awk '/ _member_ / {print $2}') and set that key in member_role_id in /etc/keystone/keystone.conf

Revision history for this message
Tom Fifield (fifieldt) wrote :

Many thanks for the reports.

We'll need to look into when this changed (probably some time around Juno release candidates?) to make appropriate fixes to the docs.

Changed in openstack-manuals:
milestone: none → kilo
Changed in openstack-manuals:
status: New → Confirmed
Changed in openstack-manuals:
assignee: nobody → Matt Kassawara (ionosphere80)
importance: Undecided → Medium
Revision history for this message
Dolph Mathews (dolph) wrote :

I think I understand why the manual specifies that the deployer should "create the _member_ role" using "keystone role-create --name _member_" (to support the explicit assignment in the following step), but I'd recommend removing that instruction as a starting point to addressing this issue. I'm not sure what to do about the following step that utilizes the _member_ role, though, other than avoid using _member_ (in that specific case, the admin user is being assigned a _member_ role on the admin tenant ... whereas this would normally only be an "admin" role assignment and you're done).

Background: keystone actually creates this role for you automatically, as needed, to provide backwards compatibility for v2 calls wherein default tenancy is used. The gist is that we want authorization assignments to be an explicit triplet in v3. For example user + project + role. v2's notion of default tenancy means that no specific role is involved, so Keystone creates the _member_ role if it doesn't already exist, so that the assignment can be explicit. Keystone has a pre-conceived member_role_name and member_role_id in keystone.conf that is used whenever the _member_ role comes into play.

The behavior described in the report is then accurate: the "_member_" role is successfully created manually, but when it's used by user-create with default tenancy, the member_role_id in keystone.conf does not match _member_'s ID in the backend (so it's not found), and thus Keystone tries to create the role again, resulting in a 409 Conflict (duplicate role name: _member_).

It might be possible for Keystone to avoid putting you in this scenario by having Keystone notice the role you're trying to create, and then at least ensuring that it's created as defined in keystone.conf. So I'm going to add Keystone here as well.

Changed in openstack-manuals:
assignee: Matt Kassawara (ionosphere80) → nobody
importance: Medium → Undecided
assignee: nobody → Matt Kassawara (ionosphere80)
tags: added: user-experience
Changed in keystone:
importance: Undecided → Low
status: New → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/142893

Dolph Mathews (dolph)
Changed in keystone:
assignee: nobody → Dolph Mathews (dolph)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/142897

Changed in keystone:
status: Confirmed → In Progress
Revision history for this message
Matt Kassawara (ionosphere80) wrote :

I will test possible solutions for this issue on Juno.

Changed in openstack-manuals:
importance: Undecided → Low
milestone: kilo → none
Dolph Mathews (dolph)
tags: added: icehouse-backport-potential juno-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/143215

Changed in openstack-manuals:
status: Confirmed → In Progress
Revision history for this message
Matt Kassawara (ionosphere80) wrote :

During further investigation, I found that the following commands trigger keystone to automatically create the '_member_' role:

keystone user-create --name admin --tenant admin --pass secrete
openstack user create --project admin admin --password secrete

The 'keystone user-create' command in the installation guide lacks the '--tenant' option that appears to trigger this operation.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/143215
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=14e6c86d5a457dbbb90690d55655a4532919255a
Submitter: Jenkins
Branch: master

commit 14e6c86d5a457dbbb90690d55655a4532919255a
Author: Matthew Kassawara <email address hidden>
Date: Fri Dec 19 16:30:53 2014 -0600

    Fix conflicts with _member_ role creation

    Historically, the installation guide manually created the
    internal _member_ role to resolve issues with horizon.
    However, keystone will preferably create the _member_ role
    automatically if the 'user-create' command includes the
    '--tenant' option.

    Change-Id: I1a67db2b6aa6a8e2bfd76cc80db1fb09fa353986
    Closes-Bug: #1403136
    backport: juno

Changed in openstack-manuals:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/143509

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (stable/juno)

Reviewed: https://review.openstack.org/143509
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=311bfdb884a26f75b68d9345036ecb6146b65b32
Submitter: Jenkins
Branch: stable/juno

commit 311bfdb884a26f75b68d9345036ecb6146b65b32
Author: Matthew Kassawara <email address hidden>
Date: Fri Dec 19 16:30:53 2014 -0600

    Fix conflicts with _member_ role creation

    Historically, the installation guide manually created the
    internal _member_ role to resolve issues with horizon.
    However, keystone will preferably create the _member_ role
    automatically if the 'user-create' command includes the
    '--tenant' option.

    Change-Id: I1a67db2b6aa6a8e2bfd76cc80db1fb09fa353986
    Closes-Bug: #1403136
    backport: juno
    (cherry picked from commit 14e6c86d5a457dbbb90690d55655a4532919255a)

tags: added: in-stable-juno
Revision history for this message
Matt Kassawara (ionosphere80) wrote :

After further discussion with Dolph, I'm reopening this bug to address a minor issue with the patch. The installation guide should only specify a tenant (--tenant) during creation of the 'demo' user.

Changed in openstack-manuals:
status: Fix Released → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/143519

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/143519
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=549be4ba1d84ba749ea79c7a0d1e8953ef9d4cfd
Submitter: Jenkins
Branch: master

commit 549be4ba1d84ba749ea79c7a0d1e8953ef9d4cfd
Author: Matthew Kassawara <email address hidden>
Date: Mon Dec 22 13:33:13 2014 -0600

    Fix additional issue with _member_ role creation

    I removed the '--tenant' option from the admin user/tenant
    creation step because the latter needs only the admin role.
    Also, I provided an explanation about automatic assignment
    and/or creation of the _member_ role.

    Change-Id: I036ae43b73c8ca469e04e8090e197d57a7a5f5d0
    Closes-Bug: #1403136
    backport: juno

Changed in openstack-manuals:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/143682

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (stable/juno)

Reviewed: https://review.openstack.org/143682
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=cdee7ddb42b1a7b6e42f51ce95a7f6a7b30a5e51
Submitter: Jenkins
Branch: stable/juno

commit cdee7ddb42b1a7b6e42f51ce95a7f6a7b30a5e51
Author: Matthew Kassawara <email address hidden>
Date: Mon Dec 22 13:33:13 2014 -0600

    Fix additional issue with _member_ role creation

    I removed the '--tenant' option from the admin user/tenant
    creation step because the latter needs only the admin role.
    Also, I provided an explanation about automatic assignment
    and/or creation of the _member_ role.

    Change-Id: I036ae43b73c8ca469e04e8090e197d57a7a5f5d0
    Closes-Bug: #1403136
    backport: juno
    (cherry picked from commit 549be4ba1d84ba749ea79c7a0d1e8953ef9d4cfd)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/icehouse)

Change abandoned by Dolph Mathews (<email address hidden>) on branch: stable/icehouse
Review: https://review.openstack.org/142893
Reason: master patch needs revision first

Changed in keystone:
milestone: none → kilo-rc1
Changed in keystone:
assignee: Dolph Mathews (dolph) → Lance Bragstad (lbragstad)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/142897
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a0c98c0d425fef3f906d76c5d5406389c5d3a974
Submitter: Jenkins
Branch: master

commit a0c98c0d425fef3f906d76c5d5406389c5d3a974
Author: Dolph Mathews <email address hidden>
Date: Thu Dec 18 14:03:39 2014 -0600

    create _member_ role as specified in CONF

    This handles the scenario where a client tries to manually create the
    role with the same name as the "member" role defined in CONF by
    assigning the configured member role ID from CONF as well, instead of
    randomly assigning a unique ID.

    Change-Id: Ib4a702e27da9903df85b774d7442bb98edfefec1
    Closes-Bug: 1403136

Changed in keystone:
status: In Progress → Fix Committed
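The sequence Chris reports, Dolph's explanation of the configured member_role_id, LKP's keystone.conf workaround, Matt's observation that only --tenant triggers the implicit role, and the behaviour the keystone master commit above changes can all be exercised against a small in-memory model. The following is an added example written for this page, not keystone's code: the role store, the Config class and the run()/scenario helpers are constructed here to mirror the behaviour described in the thread, and the member_role_id default is what this model assumes keystone.conf shipped with (check your own file). Conflict stands in for the 409 the real service returns.

```python
"""Toy model of how Juno-era keystone creates the `_member_` role on demand.

Added example, not keystone's own code: it mimics the behaviour described in
bug 1403136 (lookup by configured id, create on miss, 409 on duplicate name)
and the shape of the master fix (honour CONF's id when a client creates the role).
"""
import uuid
from dataclasses import dataclass, field

MEMBER_ROLE_NAME = "_member_"
# Assumed keystone.conf default for member_role_id; check your own config.
DEFAULT_MEMBER_ROLE_ID = "9fe2ff9ee4384b1894a90878d3e92bab"


class Conflict(Exception):
    """Stands in for the HTTP 409 keystone returns on a duplicate role name."""


@dataclass
class Config:
    member_role_name: str = MEMBER_ROLE_NAME
    member_role_id: str = DEFAULT_MEMBER_ROLE_ID


@dataclass
class RoleStore:
    """Minimal stand-in for the SQL backend: roles are unique by id and by name."""
    roles: dict = field(default_factory=dict)  # role id -> role name

    def get(self, role_id):
        if role_id not in self.roles:
            raise KeyError(role_id)
        return {"id": role_id, "name": self.roles[role_id]}

    def create(self, role_id, name):
        if role_id in self.roles or name in self.roles.values():
            raise Conflict("duplicate role: %s" % name)
        self.roles[role_id] = name
        return self.get(role_id)


class Keystone:
    def __init__(self, conf, store, patched=False):
        self.conf, self.store, self.patched = conf, store, patched
        self.assignments = []  # (user, tenant, role id) triplets

    def role_create(self, name):
        """keystone role-create --name NAME"""
        if self.patched and name == self.conf.member_role_name:
            role_id = self.conf.member_role_id  # the fix: reuse CONF's id, not a random one
        else:
            role_id = uuid.uuid4().hex          # pre-fix: every role gets a fresh id
        return self.store.create(role_id, name)

    def ensure_default_role(self):
        """v2 default tenancy: find CONF.member_role_id, create it if missing."""
        try:
            return self.store.get(self.conf.member_role_id)
        except KeyError:
            return self.store.create(self.conf.member_role_id,
                                     self.conf.member_role_name)

    def user_create(self, name, tenant=None):
        """keystone user-create --name NAME [--tenant TENANT]"""
        if tenant is not None:  # only --tenant triggers the implicit _member_ assignment
            role = self.ensure_default_role()
            self.assignments.append((name, tenant, role["id"]))
        return {"name": name}


def run(manual_role, patched=False):
    """Return what `user-create --tenant` sees after an optional manual `role-create`."""
    ks = Keystone(Config(), RoleStore(), patched=patched)
    if manual_role:
        ks.role_create(MEMBER_ROLE_NAME)
    try:
        ks.user_create("demo", tenant="demo")
    except Conflict:
        return "409 Conflict"
    return "ok"


def reproduce_bug():      # what following the Juno install guide led to
    return run(manual_role=True)


def docs_fix():           # drop the manual role-create; --tenant creates _member_
    return run(manual_role=False)


def keystone_fix():       # manual role-create now lands on CONF.member_role_id
    return run(manual_role=True, patched=True)


def admin_without_tenant():
    """Admin user created without --tenant: no _member_ role is touched at all."""
    ks = Keystone(Config(), RoleStore())
    ks.user_create("admin")
    return len(ks.store.roles)


def conf_workaround():
    """LKP's repair: point member_role_id at the id the manual role-create chose."""
    conf = Config()
    ks = Keystone(conf, RoleStore())
    conf.member_role_id = ks.role_create(MEMBER_ROLE_NAME)["id"]
    ks.user_create("demo", tenant="demo")
    return sorted(ks.store.roles.values())  # still a single _member_ role
```

The model makes the root cause visible: the implicit path keys on member_role_id, not on the role name, so any manually created `_member_` with a random id is invisible to it and the second create collides on the name. Either side of the fix restores agreement between the configured id and the stored row, which is why both the docs change and the keystone change resolve the same report.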
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-rc1 → 2015.1.0
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-manuals 15.0.0

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.
