Keystone v3 provisioning does not bring up all the necessary services or set up the conf/policy files properly. The errors and discrepancies I see are listed below.
To reproduce the issue, bring up any Ocata setup with the following config in the cluster JSON.
"parameters": {
"provision": {
"openstack": {
"keystone": {
"version": "v3"
************************************
************************************
Authentication Failure
************************************
************************************
root@nodei19:~# grep -rn "Authorization failed" /var/lib/docker/volumes/kolla_logs/_data/keystone/keystone.log
460:2017-09-06 15:37:49.509 24 WARNING keystone.common.wsgi [req-4d2afbb4-2bce-4d95-a394-bd94ded2dfbc - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.100.15
472:2017-09-06 15:37:58.752 25 WARNING keystone.common.wsgi [req-5176c15a-543d-4beb-a624-cbf55fda0de2 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.100.15
495:2017-09-06 15:38:08.276 24 WARNING keystone.common.wsgi [req-550a52e0-130f-41f4-8f95-95b50a5f4704 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.100.15
10896:2017-09-06 18:35:07.188 23 WARNING keystone.common.wsgi [req-b560472e-87a9-4655-b059-916ab7454307 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.100.11
10948:2017-09-06 18:37:10.149 25 WARNING keystone.common.wsgi [req-3c030d00-fa11-420e-88cb-713b398a5627 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.100.11
11287:2017-09-06 18:40:32.038 18 WARNING keystone.common.wsgi [req-623e3f7b-e187-4be2-8a3e-e29349ec90ac df318ee8467e497a970ac8989eacf378 - - default -] Authorization failed. The request you have made requires authentication. from 192.168.100.15
12353:2017-09-06 18:47:31.701 27 WARNING keystone.common.wsgi [req-38bfae01-a6fc-4552-bf62-b5ffbdd218f5 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.100.15
13034:2017-09-06 18:58:10.537 22 WARNING keystone.common.wsgi [req-da681b9b-0510-4fdc-b41b-82c5ffeea906 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.100.15
13332:2017-09-06 19:00:27.640 20 WARNING keystone.common.wsgi [req-ae56b0fb-7a85-4ae8-aa84-b837e437b7f6 df318ee8467e497a970ac8989eacf378 - - default -] Authorization failed. The request you have made requires authentication. from 192.168.100.15
15209:2017-09-06 19:32:16.574 20 WARNING keystone.common.wsgi [req-474260eb-d77c-4496-9b1b-ea4d9d1d766c df318ee8467e497a970ac8989eacf378 - - default -] Authorization failed. The request you have made requires authentication. from 192.168.100.15
16624:2017-09-06 19:52:40.214 22 WARNING keystone.common.wsgi [req-cbf21453-6b9b-4977-87f1-99dfcfbabda0 df318ee8467e497a970ac8989eacf378 - - default -] Authorization failed. The request you have made requires authentication. from 192.168.100.15
19364:2017-09-06 20:24:10.624 22 WARNING keystone.common.wsgi [req-6e580f13-0c44-498c-8fa6-ffe4d0b5e676 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.100.15
20417:2017-09-06 20:38:54.021 22 WARNING keystone.common.wsgi [req-fbb4883b-4644-46c2-b0e9-0fd09429ed66 df318ee8467e497a970ac8989eacf378 - - default -] Authorization failed. The request you have made requires authentication. from 192.168.100.15
21248:2017-09-06 20:50:50.379 23 WARNING keystone.common.wsgi [req-f51d288b-2257-4525-b290-ebcd5de33a77 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.100.11
root@nodei19:~#
***************************************************
***************************************************
Missing Configuration and provisioning issues
***************************************************
***************************************************
1. Horizon does not come up with the domain option, and the Keystone v3 domain context is not enabled.
2. There is no v3 policy file, and no cloud_admin rule in the Keystone policy file /etc/keystone/policy.json (the grep below returns nothing).
(keystone)[root@nodei19 /]# grep -rn cloud /etc/keystone/policy.json
(keystone)[root@nodei19 /]#
3. In the web UI, /etc/contrail/config.global.js still has config.identityManager.apiVersion = ['v2.0']; it is not set to v3.
root@nodec28(controller):/# grep -rn "identityManager.apiVersion =" /etc/contrail/config.global.js
156:config.identityManager.apiVersion = ['v2.0'];
root@nodec28(controller):/#
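4. /etc/openstack-dashboard/local_settings does not have the multi-domain and v3 parameters set: OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT is commented out and OPENSTACK_KEYSTONE_URL has no /v3 suffix.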
(horizon)[root@nodei19 /]# grep -rn OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT /etc/openstack-dashboard/local_settings
72:#OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
(horizon)[root@nodei19 /]# grep -rn OPENSTACK_KEYSTONE_URL /etc/openstack-dashboard/local_settings
170:OPENSTACK_KEYSTONE_URL = "http://192.168.100.20:5000"
(horizon)[root@nodei19 /]#
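5. None of the services is configured to authenticate with Keystone v3; for example, the auth URLs in the [keystone_authtoken] section of nova.conf below carry no /v3 suffix.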
(nova-api)[nova@nodei19 /]$ cat /etc/nova/nova.conf | grep keystone -A13
[keystone_authtoken]
auth_uri = http://192.168.100.20:5000
auth_url = http://192.168.100.20:35357
auth_type = password
project_domain_id = default
user_domain_id = default
project_name = service
username = nova
password = contrail123
memcache_security_strategy = ENCRYPT
memcache_secret_key = contrail123
memcached_servers = 192.168.100.15:11211
(nova-api)[nova@nodei19 /]$
6. keystone endpoints are configured in v3
root@nodei19:~# openstack endpoint list | grep keystone
| 46de2f2005cb4b319f57d51b487fd97d | RegionOne | keystone | identity | True | admin | http://192.168.100.20:35357 |
| 794616380a674acf94aea2facb0853d4 | RegionOne | keystone | identity | True | internal | http://192.168.100.20:5000 |
| 7a9415c0fa4d413ba32bb8ccdf1c6865 | RegionOne | keystone | identity | True | public | http://10.204.217.184:5000 |
root@nodei19:~#
root@nodei19:~# openstack domain create --description "New Domain" NewDomain
2017-09-06 20:22:23.584 23 INFO keystone.common.wsgi [req-044c65c2-55be-4f8f-b4c5-27172882cc06 - - - - -] GET http://192.168.100.20:35357/v3/
2017-09-06 20:22:23.592 27 INFO keystone.common.wsgi [req-d44c6ce6-0ba4-4f6e-92dd-84e037ac5768 - - - - -] POST http://192.168.100.20:35357/v3/auth/tokens
2017-09-06 20:22:23.719 24 INFO keystone.common.wsgi [req-eae6823f-8abf-4572-b56e-a0cb7e49d7ed - - - - -] POST http://192.168.100.20:35357/v3/auth/tokens
2017-09-06 20:22:23.838 22 INFO keystone.common.wsgi [req-82c78b6a-3ebe-4d55-a424-47811c43bc2b df318ee8467e497a970ac8989eacf378 - - default -] GET http://192.168.100.20:5000/
2017-09-06 20:22:23.878 21 INFO keystone.common.wsgi [req-0e0752f7-275e-47a4-acb3-e18b69c78590 df318ee8467e497a970ac8989eacf378 7bb15144662e4958be579e6b539af017 - default default] POST http://192.168.100.20:5000/v3/domains
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | New Domain |
| enabled | True |
| id | 87ffa7a8de60437e83adb0058a8831ef |
| name | NewDomain |
+-------------+----------------------------------+
root@nodei19:~#
Review in progress for https://review.opencontrail.org/35416
Submitter: Ramprakash R (<email address hidden>)