admin_domain_id in policy.json is not populated on non-leader HA units (API v3)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
keystone (Juju Charms Collection) | Fix Released | High | Frode Nordahl | | |
Bug Description
When deploying keystone in a HA setup with multiple units and preferred-
This data is generated and stored on disk, and is never transferred to peer units. It seems other information is transferred using peer storage such as in get_admin_
Most likely the admin_domain_id and default_domain_id code should be updated to use peerstorage/
lathiat@
- Stdout: |2
"cloud_admin": "rule:admin_
UnitId: keystone/0
- Stdout: |2
"cloud_admin": "rule:admin_
UnitId: keystone/1
This is populated by {{ admin_domain_id }}(templates/
hooks/keystone_
ctxt['admin_
get_admin_
hooks/keystone_
def get_admin_
return get_file_
hooks/keystone_
def get_file_
domain_id = None
if os.path.
log("Loading stored domain id from {}".format(
level=INFO)
with open(backing_file, 'r') as fd:
domain_id = fd.readline(
return domain_id
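An added example, not the charm's code and not the reporter's: a sketch of the on-disk lookup described above that falls back to a value shared by the leader and refuses to build the policy context when no domain id is available, so a non-leader unit cannot render an empty admin_domain_id. The function names, the `peer_data` dict standing in for peer storage, the file names and the domain id value are all assumptions.

```python
import os
import tempfile


class DomainIdUnavailable(Exception):
    """Raised so policy.json is never rendered with an empty domain id."""


def read_stored_domain_id(backing_file):
    # Same shape as the lookup quoted on the page: None when the file is absent.
    if not os.path.isfile(backing_file):
        return None
    with open(backing_file, "r") as fd:
        return fd.readline().strip() or None


def resolve_admin_domain_id(backing_file, peer_data):
    # Prefer the local file, then the value the leader shared with its peers.
    # peer_data is a plain dict standing in for peer storage (assumption).
    domain_id = read_stored_domain_id(backing_file)
    if domain_id is None:
        domain_id = peer_data.get("admin_domain_id") or None
    if domain_id is None:
        # Fail closed: defer rendering instead of writing an empty value.
        raise DomainIdUnavailable(backing_file)
    return domain_id


def policy_context(backing_file, peer_data):
    return {"admin_domain_id": resolve_admin_domain_id(backing_file, peer_data)}


def demo():
    # Constructed scenario: the leader has the file, the follower never does.
    with tempfile.TemporaryDirectory() as tmp:
        leader_file = os.path.join(tmp, "leader.domain_id")
        follower_file = os.path.join(tmp, "follower.domain_id")
        with open(leader_file, "w") as fd:
            fd.write("constructed-domain-id-0001\n")
        results = {"leader": policy_context(leader_file, {})}
        try:
            policy_context(follower_file, {})
            results["follower_unsynced"] = "rendered"
        except DomainIdUnavailable:
            results["follower_unsynced"] = "deferred"
        shared = {"admin_domain_id": results["leader"]["admin_domain_id"]}
        results["follower_synced"] = policy_context(follower_file, shared)
        return results


if __name__ == "__main__":
    print(demo())
```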
tags: added: ks-v3 openstack
Changed in keystone (Juju Charms Collection):
milestone: none → 17.01
importance: Undecided → Critical
Changed in keystone (Juju Charms Collection):
status: Incomplete → Opinion
status: Opinion → Confirmed
Changed in keystone (Juju Charms Collection):
assignee: Trent Lloyd (lathiat) → Frode Nordahl (fnordahl)
tags: added: backport-potential sts
Changed in keystone (Juju Charms Collection):
status: Fix Committed → Fix Released
Trent, having looked at this I think we need some more info. Specifically, what error does this actually produce on the service side? I presume that whatever error it is it will be only part of the time since requests are load-balanced and those that hit the leader that is configured properly will succeed. If you provide error logs from a service endpoint that is requiring these credentials that would be very useful.