Instance creation fails with SSL, keystone v3
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Invalid | Undecided | Unassigned |
OpenStack Nova Cloud Controller Charm | Invalid | Undecided | Unassigned |
Bug Description
OS version is Ocata, with SSL enabled across the entire cloud.
Using the Keystone-LDAP charm to allow AD user authentication to the OS deployment. AD admin users can log in, and have limited admin access.
If an AD user is added to a project on either the AD domain or the admin_default domain as an admin, they are able to request an instance but the instance creation errors out with: http://
There is an associated error in nova-cloud-
Creating an instance with a local administrator on the admin_domain domain on a project in the admin domain works without issue. However, it does not work while logged in as a local administrator (who has admin rights added) on a project created in the AD domain.
The root of the issue seems to be communication between the nova scheduler and the nova placement api, specifically where if a token originates from the AD domain it has insufficient privileges to perform administrative action between services.
Changed in charm-nova-cloud-controller:
status: New → Incomplete
Changed in nova:
status: New → Incomplete
tags: added: adrastea
description: updated
Ryan,
Please let us know what information is needed as this bug is set to incomplete.
Michael,
Thanks for the bug report. Going forward please use https://paste.ubuntu.com/ and if necessary sanitize any sensitive data.
-thanks,
Antonio