autoload-credentials not importing domain properly

Bug #1772649 reported by Jeff Hillman
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone
Canonical Juju | Triaged | High | Unassigned |

Bug Description

juju 2.3.7 (via snap)

When attempting to add an Openstack Cloud (in this case Pike), running juju autoload-credentials after adding the cloud causes an incomplete set of credentials.

The cloud cust-dev was added using juju add-cloud and going through the "wizard"; it generated the following ~/.local/share/juju/clouds.yaml

clouds:
  cust-dev:
    type: openstack
    auth-types: [userpass]
    endpoint: https://Ostk-keystone.hq.cust.com:5000/v3
    regions:
      cust-region:
        endpoint: https://Ostk-keystone.hq.cust.com:5000/v3

Running juju autoload-credentials generates the following ~/.local/share/juju/credentials.yaml

credentials:
  cust-dev:
    default-region: cust-region
    my-user:
      auth-type: userpass
      domain-name: ""
      password: my-pass
      project-domain-name: ""
      tenant-name: Cust-Dev
      user-domain-name: custhq
      username: my-user

This is an incomplete file. When attempting to juju bootstrap, the following error occurs:

DEBUG juju.provider.openstack provider.go:804 authentication failed: authentication failed
caused by: requesting token: Unauthorised URL https://Ostk-keystone.hq.cust.com:5000/v3/auth/tokens
caused by: request (https://Ostk-keystone.hq.cust.com:5000/v3/auth/tokens) returned unexpected status: 401; error info: Failed: 401 error: The request you have made requires authentication.
ERROR authentication failed.

Please ensure the credentials are correct. A common mistake is
to specify the wrong tenant. Use the OpenStack "project" name
for tenant-name in your model configuration.
12:28:18 DEBUG cmd supercommand.go:459 error stack:
github.com/juju/juju/provider/openstack/provider.go:805: authentication failed.

Please ensure the credentials are correct. A common mistake is
to specify the wrong tenant. Use the OpenStack "project" name
for tenant-name in your model configuration.
github.com/juju/juju/environs/bootstrap/prepare.go:163:
github.com/juju/juju/environs/bootstrap/prepare.go:99:
github.com/juju/juju/cmd/juju/commands/bootstrap.go:480:

Going in and editing ~/.local/share/juju/credentials.yaml and adding "custhq" to the project-domain-name line resolves this issue. In the end the correct credentials file looks like:

credentials:
  cust-dev:
    default-region: cust-region
    my-user:
      auth-type: userpass
      domain-name: ""
      password: my-pass
      project-domain-name: "custhq"
      tenant-name: Cust-Dev
      user-domain-name: custhq
      username: my-user

This is also repeatable from the admin_domain.

Jeff Hillman (jhillman)
description: updated
Nobuto Murata (nobuto) wrote :

@Jeff, does your credential file (novarc or openrc) have actual OS_PROJECT_DOMAIN_NAME? Or does it have OS_PROJECT_ID instead?

I saw a bug in the past that juju does not carry OS_PROJECT_ID properly:
https://bugs.launchpad.net/juju/+bug/1722551
(the library added OS_PROJECT_ID into the whitelist, but not sure the fix was carried to Juju).

Jeff Hillman (jhillman) wrote :

@Nobuto

It does not have OS_PROJECT_DOMAIN_NAME, it has OS_PROJECT_ID.

Here's a snippet of the relevant piece of the novarc file.

export OS_USER_DOMAIN_NAME="custhq"
if [ -z "$OS_USER_DOMAIN_NAME" ]; then unset OS_USER_DOMAIN_NAME; fi
export OS_PROJECT_DOMAIN_ID="xxxxxxxx40ba41f6832428e105568f4c"
if [ -z "$OS_PROJECT_DOMAIN_ID" ]; then unset OS_PROJECT_DOMAIN_ID; fi

Anastasia (anastasia-macmood) wrote :

I think that this is the case where we have not provided support for Keystone v3 in auto-loading of credentials. We should definitely do that \o/

Changed in juju:
status: New → Triaged
importance: Undecided → High
Changed in juju:
milestone: none → 2.5-beta1
Changed in juju:
milestone: 2.5-beta1 → 2.5-beta2
Changed in juju:
milestone: 2.5-beta2 → 2.5.1
Ian Booth (wallyworld)
Changed in juju:
milestone: 2.5.1 → 2.5.2
Changed in juju:
milestone: 2.5.2 → 2.5.3
Changed in juju:
milestone: 2.5.3 → 2.5.4
Changed in juju:
milestone: 2.5.4 → 2.5.5
Changed in juju:
milestone: 2.5.6 → 2.7-beta1
tags: added: autoload-credentials
Anastasia (anastasia-macmood) wrote :

In juju this needs to be resolved in the openstack provider DetectCredentials.

Changed in juju:
milestone: 2.7-beta1 → 2.7-rc1
Changed in juju:
milestone: 2.7-rc1 → none
Tim Penhey (thumper)
tags: added: openstack-provider
Hemanth Nakkina (hemanth-n) wrote :

Observed the same problem when the user is not an admin in openstack.

The openrc file downloaded from OpenStack Horizon has OS_PROJECT_DOMAIN_ID, but the juju openstack provider looks for OS_PROJECT_DOMAIN_NAME and ignores OS_PROJECT_DOMAIN_ID [1].

[1] https://github.com/juju/juju/blob/develop/provider/openstack/credentials.go#L181-L189
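
A preflight check for the mismatch described in the comments above, added here as an example (it is not Juju's code and not from any participant): it statically reads a novarc/openrc file and reports which domain keys in credentials.yaml would be left empty. The function names and the user-domain pair are assumptions; the thread confirms only the OS_PROJECT_DOMAIN_NAME / OS_PROJECT_DOMAIN_ID behaviour.

```python
import re
import shlex

EXPORT_RE = re.compile(r"^\s*export\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

# (variable the thread says is read, ID variant, resulting credentials.yaml key).
# Only the project pair is confirmed in the thread; the user pair is an
# assumption that the same NAME-only lookup applies.
DOMAIN_VARS = [
    ("OS_PROJECT_DOMAIN_NAME", "OS_PROJECT_DOMAIN_ID", "project-domain-name"),
    ("OS_USER_DOMAIN_NAME", "OS_USER_DOMAIN_ID", "user-domain-name"),
]


def parse_exports(text):
    """Statically read `export NAME=value` lines; the file is never sourced."""
    env = {}
    for line in text.splitlines():
        m = EXPORT_RE.match(line)
        if not m:
            continue
        try:
            parts = shlex.split(m.group(2), comments=True)
        except ValueError:  # unbalanced quote: keep the raw text
            parts = [m.group(2).strip()]
        env[m.group(1)] = parts[0] if parts else ""
    return env


def audit_novarc(text):
    """Return (credentials.yaml key, reason) for each domain key left empty."""
    env = parse_exports(text)
    findings = []
    for name_var, id_var, yaml_key in DOMAIN_VARS:
        if env.get(name_var):
            continue  # the NAME variable is present, so the key gets a value
        if env.get(id_var):
            findings.append((yaml_key, f"{id_var} is set but {name_var} is not"))
    return findings


# Constructed sample: the four lines quoted from the novarc file in this thread.
SAMPLE_NOVARC = '''\
export OS_USER_DOMAIN_NAME="custhq"
if [ -z "$OS_USER_DOMAIN_NAME" ]; then unset OS_USER_DOMAIN_NAME; fi
export OS_PROJECT_DOMAIN_ID="xxxxxxxx40ba41f6832428e105568f4c"
if [ -z "$OS_PROJECT_DOMAIN_ID" ]; then unset OS_PROJECT_DOMAIN_ID; fi
'''

if __name__ == "__main__":
    for key, reason in audit_novarc(SAMPLE_NOVARC):
        print(f"{key} will be empty: {reason}")
```

A reported key has to be filled in by hand in ~/.local/share/juju/credentials.yaml, as the reporter did, or the matching NAME variable exported before running juju autoload-credentials.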

tags: added: seg
Changed in juju:
assignee: nobody → Hemanth Nakkina (hemanth-n)
Hemanth Nakkina (hemanth-n) wrote :
Changed in juju:
status: Triaged → In Progress
Changed in juju:
status: In Progress → Triaged
assignee: Hemanth Nakkina (hemanth-n) → nobody