contrail-api couldn't list domains using project scope auth

Bug #1724691 reported by Ignatious Johnson Christopher
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack | Status tracked in Trunk | | |
R3.2 | Fix Committed | Medium | Ignatious Johnson Christopher |
R4.0 | Fix Committed | Medium | Ignatious Johnson Christopher |
R4.1 | Fix Committed | Medium | Ignatious Johnson Christopher |
Trunk | Fix Committed | Medium | Ignatious Johnson Christopher |

Bug Description

contrail-api couldn't list domains when using Keystone v3 with project scope auth

contrail-status
----------------

contrail-api:0 initializing (Generic Connection:Keystone[Error: You are not authorized to perform the requested action: identity:list_domains (HTTP 403) (Request-ID: req-db15781b-3c3e-4efd-a01a-7131ed4e6c2e) at UTC 2017-10-20 17:17:26.950781] connection down)

description: updated
Ignatious Johnson Christopher (ijohnson-x) wrote :

Project scoped auth doesn't have access to list-projects and list-domains.
The api-server does list-domains during initialization.

So when project scoped auth parameters are used in contrail-keystone-auth.conf, the api-server stays in the initializing state.

Solutions:

1. Use domain scope auth parameters in contrail-keystone-auth.conf instead of project scope.

contrail-keystone-auth.conf
-----------------------------
[KEYSTONE]
auth_url=https://<keystoneIp>:35357/v3
auth_host=<keystoneIp>
auth_protocol=https
auth_port=35357
admin_user=admin
admin_password=c0ntrail123
admin_tenant_name=admin
memcache_servers=127.0.0.1:11211
insecure=False
certfile=/etc/contrail/ssl/certs/keystone.pem
keyfile=/etc/contrail/ssl/certs/keystone.pem
cafile=/etc/contrail/ssl/certs/keystone_ca.pem
auth_type = password
user_domain_name = Default
# Domain scope auth
domain_name = Default

2. Use project scoped auth parameters in contrail-keystone-auth.conf, and also set admin_project_name and admin_project_domain_name in the [resource] section of keystone.conf.

contrail-keystone-auth.conf
-----------------------------
[KEYSTONE]
auth_url=https://<keystoneIp>:35357/v3
auth_host=<keystoneIp>
auth_protocol=https
auth_port=35357
admin_user=admin
admin_password=c0ntrail123
admin_tenant_name=admin
memcache_servers=127.0.0.1:11211
insecure=False
certfile=/etc/contrail/ssl/certs/keystone.pem
keyfile=/etc/contrail/ssl/certs/keystone.pem
cafile=/etc/contrail/ssl/certs/keystone_ca.pem
auth_type = password
user_domain_name = Default
# Project scope auth
project_domain_name = Default

keystone.conf
---------------
[resource]
# Set both options, as described in solution 2
admin_project_domain_name = Default
admin_project_name = admin
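
Both solutions can be checked from the config files before the api-server is restarted. The sketch below is an added example, not code from Contrail or from this bug report. It assumes, as the two configs above suggest, that domain_name selects domain scope and project_domain_name selects project scope; the function names and sample strings are hypothetical and constructed.

```python
import configparser

def section(text, name):
    """Parse INI text and return one section as a dict ({} if absent)."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' may occur in passwords
    cp.read_string(text)
    return dict(cp[name]) if cp.has_section(name) else {}

def token_scope(auth_conf):
    """Scope implied by [KEYSTONE], keyed on the options this page distinguishes."""
    ks = section(auth_conf, "KEYSTONE")
    if ks.get("domain_name"):
        return "domain"
    if ks.get("project_domain_name"):
        return "project"
    return "unknown"

def list_domains_allowed(auth_conf, keystone_conf=""):
    """Predict whether the list-domains call made at api-server startup passes."""
    scope = token_scope(auth_conf)
    if scope == "domain":          # solution 1
        return True
    if scope != "project":
        return False
    ks = section(auth_conf, "KEYSTONE")
    res = section(keystone_conf, "resource")
    # Solution 2: the project used for auth must be Keystone's admin project,
    # which needs BOTH [resource] options; a commented-out line does not count.
    return (bool(res.get("admin_project_name"))
            and res.get("admin_project_name") == ks.get("admin_tenant_name")
            and res.get("admin_project_domain_name") == ks.get("project_domain_name"))

# Constructed sample inputs (no real credentials or hosts).
BASE = "[KEYSTONE]\nadmin_user=admin\nadmin_tenant_name=admin\nuser_domain_name = Default\n"
DOMAIN_SCOPED = BASE + "domain_name = Default\n"
PROJECT_SCOPED = BASE + "project_domain_name = Default\n"
KEYSTONE_HALF_SET = "[resource]\nadmin_project_domain_name = Default\n#admin_project_name = admin\n"
KEYSTONE_BOTH_SET = "[resource]\nadmin_project_domain_name = Default\nadmin_project_name = admin\n"

if __name__ == "__main__":
    cases = [("domain scope", DOMAIN_SCOPED, ""),
             ("project scope, keystone.conf half set", PROJECT_SCOPED, KEYSTONE_HALF_SET),
             ("project scope, keystone.conf both set", PROJECT_SCOPED, KEYSTONE_BOTH_SET)]
    for label, auth, ks_conf in cases:
        verdict = "ok" if list_domains_allowed(auth, ks_conf) else "expect HTTP 403 on identity:list_domains"
        print(f"{label}: {verdict}")
```

Whether solution 2 actually grants identity:list_domains also depends on the Keystone policy in use, which this check does not read.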

description: updated
tags: added: releasenote
Ignatious Johnson Christopher (ijohnson-x) wrote :

In contrail-fabric provisioned setups, solution #1 of using domain scope auth params in contrail-keystone-auth.conf will be used to fix this issue.

Changed in juniperopenstack:
milestone: none → r3.2.8.0
importance: Undecided → Medium
milestone: r3.2.8.0 → r5.0.0
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/36750
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/36751
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/36752
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/36753
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/36807
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/36808
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/36809
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/36810
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/36811
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/36812
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/36753
Committed: http://github.com/Juniper/contrail-provisioning/commit/e28fd94d10284b0c11846daef6a69fbd6f00e8c3
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit e28fd94d10284b0c11846daef6a69fbd6f00e8c3
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Oct 23 22:05:26 2017 -0700

Project scoped auth doesn't have access to

list-projects and list-domains. api-server
does list-domains during initialization.

So using project scoped auth parameters
in contrail-keystone-auth.conf

Change-Id: I68efee8d47787376457f723a6fb1bd38ca93695a
Closes-Bug: 1724691

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/36809
Committed: http://github.com/Juniper/contrail-ansible-internal/commit/657528bef6b4a78ecc1868b5b3c9ce5d9b6a06a2
Submitter: Zuul (<email address hidden>)
Branch: master

commit 657528bef6b4a78ecc1868b5b3c9ce5d9b6a06a2
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Oct 24 23:15:29 2017 -0700

Project scoped auth doesn't have access to

list-projects and list-domains. api-server
does list-domains during initialization.

So using domain scoped auth parameters
in contrail-keystone-auth.conf

Change-Id: I29ebdbdf60ae174e2587d0108b3cd605c9f220ae
Closes-Bug: 1724691

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/36810
Committed: http://github.com/Juniper/contrail-ansible-internal/commit/f1fbc6833ab06e74396d16248e36082761cf0d6a
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit f1fbc6833ab06e74396d16248e36082761cf0d6a
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Oct 24 23:15:29 2017 -0700

Project scoped auth doesn't have access to

list-projects and list-domains. api-server
does list-domains during initialization.

So using domain scoped auth parameters
in contrail-keystone-auth.conf

Change-Id: I29ebdbdf60ae174e2587d0108b3cd605c9f220ae
Closes-Bug: 1724691

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/36751
Committed: http://github.com/Juniper/contrail-provisioning/commit/9f245d656e9bd88e520bfafc2eb8f04849662f2d
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit 9f245d656e9bd88e520bfafc2eb8f04849662f2d
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Oct 23 22:05:26 2017 -0700

Project scoped auth doesn't have access to

list-projects and list-domains. api-server
does list-domains during initialization.

So using project scoped auth parameters
in contrail-keystone-auth.conf

Change-Id: I68efee8d47787376457f723a6fb1bd38ca93695a
Closes-Bug: 1724691

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/36812
Committed: http://github.com/Juniper/contrail-ansible-internal/commit/a32e1737de949093bf5fa1ec777e9b0a2e144dd6
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit a32e1737de949093bf5fa1ec777e9b0a2e144dd6
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Oct 24 23:15:29 2017 -0700

Project scoped auth doesn't have access to

list-projects and list-domains. api-server
does list-domains during initialization.

So using domain scoped auth parameters
in contrail-keystone-auth.conf

Change-Id: I29ebdbdf60ae174e2587d0108b3cd605c9f220ae
Closes-Bug: 1724691

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/36808
Committed: http://github.com/Juniper/contrail-docker/commit/e3e3483af9db5f8ee0cc58915f687d74aff57c49
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit e3e3483af9db5f8ee0cc58915f687d74aff57c49
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Oct 24 23:04:34 2017 -0700

Allow configuring domin_id in the contrailctl

config files.

Change-Id: I85e3c5f758ba65b5f0f6626654a517249bdfd64e
Partial-Bug: 1724691

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/36750
Committed: http://github.com/Juniper/contrail-provisioning/commit/bfa8e2d8f489d163f9bcbf1125bb5c24e004082e
Submitter: Zuul (<email address hidden>)
Branch: master

commit bfa8e2d8f489d163f9bcbf1125bb5c24e004082e
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Oct 23 22:05:26 2017 -0700

Project scoped auth doesn't have access to

list-projects and list-domains. api-server
does list-domains during initialization.

So using project scoped auth parameters
in contrail-keystone-auth.conf

Change-Id: I68efee8d47787376457f723a6fb1bd38ca93695a
Closes-Bug: 1724691

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/36807
Committed: http://github.com/Juniper/contrail-docker/commit/2506f60ee25a59843d7045d99ec39a298f0efacd
Submitter: Zuul (<email address hidden>)
Branch: master

commit 2506f60ee25a59843d7045d99ec39a298f0efacd
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Oct 24 23:04:34 2017 -0700

Allow configuring domin_id in the contrailctl

config files.

Change-Id: I85e3c5f758ba65b5f0f6626654a517249bdfd64e
Partial-Bug: 1724691

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/36811
Committed: http://github.com/Juniper/contrail-docker/commit/be8179348209b56759ea8f19e8af301f279661a6
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit be8179348209b56759ea8f19e8af301f279661a6
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Oct 24 23:04:34 2017 -0700

Allow configuring domin_id in the contrailctl

config files.

Change-Id: I85e3c5f758ba65b5f0f6626654a517249bdfd64e
Partial-Bug: 1724691

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/36752
Committed: http://github.com/Juniper/contrail-provisioning/commit/48bceb0e7f9a1255931b3a83cb775ee580e75140
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 48bceb0e7f9a1255931b3a83cb775ee580e75140
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Oct 23 22:05:26 2017 -0700

Project scoped auth doesn't have access to

list-projects and list-domains. api-server
does list-domains during initialization.

So using project scoped auth parameters
in contrail-keystone-auth.conf

Change-Id: I68efee8d47787376457f723a6fb1bd38ca93695a
Closes-Bug: 1724691

information type: Proprietary → Public