designate dns driver does not use domain settings for auth

Bug #1853632 reported by Manuel Torrinha
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Expired | Medium | Unassigned | |

Bug Description

The designate external dns driver does not use domain settings for authentication **if** there is more than one OpenStack domain.

If you have only the 'Default' domain the authentication system seems to have
no doubt on which domain to use so it will use that.

In our deployment we support federated authentication and we have this issue.

The issue lies in the external dns driver, as it also does not support all of the documented options. You can test this by setting one (or all) of the following to an invalid value in the [designate] section of /etc/neutron/neutron.conf:

  user_domain_name
  project_domain_name
  project_name

It should yield the same results (it should all work).

@oammis initially found this issue, so credit where it's due.

We have a Queens deployment, although by what we can see from the code it should be transverse to all releases.

I'll post a fix soon.

description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/695726

Changed in neutron:
assignee: nobody → Manuel Torrinha (t0rrant)
status: New → In Progress
Miguel Lavalle (minsel)
Changed in neutron:
importance: Undecided → Medium
Miguel Lavalle (minsel) wrote :

Thanks for your bug report. Have you read this section of the documentation: https://docs.openstack.org/neutron/latest/admin/config-dns-int-ext-serv.html#configuring-openstack-networking-for-integration-with-an-external-dns-service. Please note that the three options you propose to add are listed as supported in the documentation through the auth plugin. Why add them the way you propose in https://review.opendev.org/#/c/695726?

Changed in neutron:
status: In Progress → Incomplete
Manuel Torrinha (t0rrant) wrote :

Well from what I can see from the driver code, it does not seem to use them and so we are getting the following error:

```
ERROR neutron_lib.callbacks.manager [req-e72511d0-fd11-4a44-bea7-7e853844bc7a 97e63eae00884e66ac73288cea5541a5 6f89f025fa8848539cc3750c310d5b0d - Federated 8e94b1cab6914962bd4ba6bdbcfbf336] Error during notification for neutron.plugins.ml2.extensions.dns_integration._update_port_in_external_dns_service-8738957288151 port, after_update: BadRequest: Expecting to find domain in user. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error. (HTTP 400) (Request-ID: req-8eac9e66-5856-40ca-9c54-c3adbed84619)
```

We worked around this error locally for some time by hardcoding those attributes in the driver code installed. Now it seemed fit to propose being able to have those attributes in the neutron config file in the [designate] section, as this is still present in the master branch.
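Keystone's v3 password method identifies a user or project either by ID or by name plus domain, and the "Expecting to find domain in user" response above is consistent with a name-only user reference. The following check is an added example, not code from neutron or from the proposed patch: it reads a `[designate]` section, builds the token request a v3 password plugin would send, and reports which references lack a domain. The host names and values in the sample are constructed; the `*_id` option names are keystoneauth's and do not appear in this report.

```python
import configparser

# Constructed sample: a [designate] section with a user name but no user domain.
SAMPLE_CONF = """
[designate]
auth_url = https://keystone.example.test:5000/v3
auth_type = v3password
username = designate
password = placeholder
project_name = service
project_domain_name = Default
"""

def load_designate(conf_text):
    """Return the [designate] options of a neutron.conf as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return dict(cp["designate"]) if cp.has_section("designate") else {}

def _entity(opts, prefix):
    """Build a Keystone v3 user/project reference: id, or name plus domain."""
    if opts.get(prefix + "_id"):
        return {"id": opts[prefix + "_id"]}
    name_key = "username" if prefix == "user" else "project_name"
    ref = {"name": opts.get(name_key)}
    for key in ("id", "name"):
        value = opts.get("%s_domain_%s" % (prefix, key))
        if value:
            ref["domain"] = {key: value}
            break
    return ref

def build_auth_body(opts):
    """Keystone v3 password-method token request, project scoped."""
    user = dict(_entity(opts, "user"), password=opts.get("password"))
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": user}},
        "scope": {"project": _entity(opts, "project")}}}

def missing_domains(opts):
    """Name-based references that Keystone cannot resolve without a domain."""
    body = build_auth_body(opts)["auth"]
    refs = {"user": body["identity"]["password"]["user"],
            "project": body["scope"]["project"]}
    return [k for k, ref in refs.items() if "id" not in ref and "domain" not in ref]
```

Run against a deployment's own neutron.conf text, `missing_domains(load_designate(text))` returns an empty list only when every name-based reference carries a domain.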

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/696934

Manuel Torrinha (t0rrant) wrote :

I experimented with locally reverting the patch I submitted in https://review.opendev.org/#/c/696934/2 to get the traceback to post here:

```
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation Traceback (most recent call last):
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation File "/usr/lib/python2.7/site-packages/pecan/core.py", line 678, in __call__
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation self.invoke_controller(controller, args, kwargs, state)
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation File "/usr/lib/python2.7/site-packages/pecan/core.py", line 569, in invoke_controller
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation result = controller(*args, **kwargs)
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation File "/usr/lib/python2.7/site-packages/neutron/db/api.py", line 91, in wrapped
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation setattr(e, '_RETRY_EXCEEDED', True)
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation self.force_reraise()
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in force_reraise
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation six.reraise(self.type_, self.value, self.tb)
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation File "/usr/lib/python2.7/site-packages/neutron/db/api.py", line 87, in wrapped
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation return f(*args, **kwargs)
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation File "/usr/lib/python2.7/site-packages/oslo_db/api.py", line 147, in wrapper
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation ectxt.value = e.inner_exc
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation self.force_reraise()
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in force_reraise
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation six.reraise(self.type_, self.value, self.tb)
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation File "/usr/lib/python2.7/site-packages/oslo_db/api.py", line 135, in wrapper
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation return f(*args, **kwargs)
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation File "/usr/lib/python2.7/site-packages/neutron/db/api.py", line 126, in wrapped
2019-12-03 15:32:53.068 25477 ERROR neutron.pecan_wsgi.hooks.translation LOG.debug("Retry wrapper got ...
```

Dmitry Galkin (galkindmitrii) wrote :

Hi,

We have a Neutron on Queens and Designate on Rocky and the following settings in neutron.conf work fine:

     [designate]
     url = http://designate-api.xxxx:9001/v2
     auth_url = http://keystone.xxxx:5000/v3
     auth_plugin = v3password
     auth_type = v3password
     region_name = secretregion
     user_domain_name = Default
     project_name = master
     project_domain_name = ccadmin
     username = designate
     password = secretpassword
     insecure = True
     allow_reverse_dns_lookup = true
     ipv4_ptr_zone_prefix_size = 24

PTRs are created as expected in the project & domain specified above ^
Designate service user is in the Default domain.

Manuel Torrinha (t0rrant) wrote :

@galkindmitrii

I see that you are using `user_domain_name = Default` so I guess you only have one user domain. This issue happens **if** we have more than one.

Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

Changed in neutron:
assignee: Manuel Torrinha (t0rrant) → nobody
tags: added: timeout-abandon
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/queens)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: stable/queens
Review: https://review.opendev.org/696934
Reason: This review is > 4 weeks without comment, and failed Zuul jobs the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Slawek Kaplonski (slaweq) wrote : auto-abandon-script

This bug has had a related patch abandoned and has been automatically un-assigned due to inactivity. Please re-assign yourself if you are continuing work or adjust the state as appropriate if it is no longer valid.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Slawek Kaplonski (<email address hidden>) on branch: master
Review: https://review.opendev.org/695726
Reason: This review is > 4 weeks without comment, and failed Zuul jobs the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired