IPA integration fails when more than one undercloud is integrated with IPA.

Bug #1943810 reported by David Sedgmen
Affects: tripleo
Status: Triaged
Importance: Medium
Assigned to: David Sedgmen

Bug Description

IPA integration fails when more than one undercloud is integrated with IPA.
When trying to scale new nodes on the first director installed, you will get the error:

"response host_add: Insufficient access: Insufficient 'add' privilege to the 'userPassword' attribute"

This is because the ansible role `ipa_role` explicitly sets privileges to the list of services provided instead of appending.

~~~
https://docs.ansible.com/ansible/latest/collections/community/general/ipa_role_module.html

service
list / elements=string

List of service names to assign.
If an empty list is passed all assigned services will be removed from the role.
If option is omitted services will not be checked or changed.
If option is passed all assigned services that are not passed will be removed from the role.
~~~
https://opendev.org/x/tripleo-ipa/src/branch/master/tripleo_ipa/roles/tripleo_ipa_setup/tasks/add_ipa_user.yml#L22-L39

Replicated tripleo_ipa_setup registering an additional service with a simple playbook.

# Checking the services assigned to role Nova Host Manager
~~~
(undercloud) [stack@osp16d ~]$ cat test.yml
- hosts: localhost

  tasks:

  - ipa_role:
      name: Nova Host Manager
      ipa_pass: **************
      ipa_host: freeipa-0.redhat.local
    register: role_members
  - debug:
      var: role_members

(undercloud) [stack@osp16d ~]$ ansible-playbook test.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] *****************************************************************************************************************************************************************************************************************************

TASK [ipa_role] ******************************************************************************************************************************************************************************************************************************
Thursday 16 September 2021 18:53:53 +1000 (0:00:00.042) 0:00:00.042 ****
[WARNING]: Failure using method (v2_runner_on_start) in callback plugin (<ansible.plugins.callback.tripleo.CallbackModule object at 0x7fea433cf438>): 'show_per_host_start'
ok: [localhost]

TASK [debug] *********************************************************************************************************************************************************************************************************************************
Thursday 16 September 2021 18:53:54 +1000 (0:00:00.972) 0:00:01.015 ****
ok: [localhost] => {
    "role_members": {
        "changed": false,
        "failed": false,
        "role": {
            "cn": [
                "Nova Host Manager"
            ],
            "dn": "cn=Nova Host Manager,cn=roles,cn=accounts,dc=redhat,dc=local",
            "member_service": [
                "<email address hidden>"
            ],
            "memberof_privilege": [
                "Nova Host Management"
            ],
            "objectclass": [
                "groupofnames",
                "nestedgroup",
                "top"
            ]
        }
    }
}

PLAY RECAP ***********************************************************************************************************************************************************************************************************************************
localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Thursday 16 September 2021 18:53:54 +1000 (0:00:00.057) 0:00:01.073 ****
===============================================================================
ipa_role ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ 0.97s
debug --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 0.06
~~~
# Used ipa_role to assign another service to the role Nova Host Manager
~~~
(undercloud) [stack@osp16d ~]$ cat test2.yaml
- hosts: localhost

  tasks:

  - ipa_role:
      name: Nova Host Manager
      ipa_pass: **************
      ipa_host: freeipa-0.redhat.local
      privilege:
        - Nova Host Management
      service:
        - nova2/undercloud-0.redhat.local
    register: role_members
  - debug:
      var: role_members

(undercloud) [stack@osp16d ~]$ ansible-playbook test2.yaml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] *****************************************************************************************************************************************************************************************************************************

TASK [ipa_role] ******************************************************************************************************************************************************************************************************************************
Thursday 16 September 2021 18:59:37 +1000 (0:00:00.043) 0:00:00.043 ****
[WARNING]: Failure using method (v2_runner_on_start) in callback plugin (<ansible.plugins.callback.tripleo.CallbackModule object at 0x7f47d13cdf98>): 'show_per_host_start'
changed: [localhost]

TASK [debug] *********************************************************************************************************************************************************************************************************************************
Thursday 16 September 2021 18:59:39 +1000 (0:00:02.210) 0:00:02.253 ****
ok: [localhost] => {
    "role_members": {
        "changed": true,
        "failed": false,
        "role": {
            "cn": [
                "Nova Host Manager"
            ],
            "dn": "cn=Nova Host Manager,cn=roles,cn=accounts,dc=redhat,dc=local",
            "member_service": [
                "<email address hidden>"
            ],
            "memberof_privilege": [
                "Nova Host Management"
            ],
            "objectclass": [
                "groupofnames",
                "nestedgroup",
                "top"
            ]
        }
    }
}

PLAY RECAP ***********************************************************************************************************************************************************************************************************************************
localhost : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Thursday 16 September 2021 18:59:39 +1000 (0:00:00.057) 0:00:02.311 ****
===============================================================================
ipa_role ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ 2.21s
debug --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 0.06s
(undercloud) [stack@osp16d ~]$
~~~
# First service was removed from role and second was added
~~~
(undercloud) [stack@osp16d ~]$ ansible-playbook test.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] *****************************************************************************************************************************************************************************************************************************

TASK [ipa_role] ******************************************************************************************************************************************************************************************************************************
Thursday 16 September 2021 19:05:30 +1000 (0:00:00.041) 0:00:00.041 ****
[WARNING]: Failure using method (v2_runner_on_start) in callback plugin (<ansible.plugins.callback.tripleo.CallbackModule object at 0x7f304b4c7f60>): 'show_per_host_start'
ok: [localhost]

TASK [debug] *********************************************************************************************************************************************************************************************************************************
Thursday 16 September 2021 19:05:31 +1000 (0:00:00.868) 0:00:00.909 ****
ok: [localhost] => {
    "role_members": {
        "changed": false,
        "failed": false,
        "role": {
            "cn": [
                "Nova Host Manager"
            ],
            "dn": "cn=Nova Host Manager,cn=roles,cn=accounts,dc=redhat,dc=local",
            "member_service": [
                "<email address hidden>"
            ],
            "memberof_privilege": [
                "Nova Host Management"
            ],
            "objectclass": [
                "groupofnames",
                "nestedgroup",
                "top"
            ]
        }
    }
}

PLAY RECAP ***********************************************************************************************************************************************************************************************************************************
localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Thursday 16 September 2021 19:05:31 +1000 (0:00:00.058) 0:00:00.967 ****
===============================================================================
ipa_role ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ 0.87s
debug --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 0.06s
(undercloud) [stack@osp16d ~]$
~~~
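One way to register an additional undercloud's service without dropping the members that an earlier undercloud added is a read-modify-write against the same `ipa_role` module: look the role up first (omitting `service`, which the docs quoted above say leaves membership unchanged), then pass back the union of the existing `member_service` list and the new service, and assert afterwards that nothing was removed. This is an added example playbook, not code from tripleo-ipa; it assumes the community.general `ipa_role` module, that the principal strings it returns in `member_service` can be passed back unchanged, and a constructed service name and environment variable for the password.

```yaml
# Added example (not tripleo-ipa's own playbook): append a service to the
# "Nova Host Manager" role instead of replacing its membership.
# Assumes community.general.ipa_role and that the member_service values it
# returns can be handed back to the `service` option as-is.
- hosts: localhost
  gather_facts: false
  vars:
    ipa_role_name: Nova Host Manager
    ipa_server: freeipa-0.redhat.local
    new_service: nova2/undercloud-0.redhat.local   # constructed example value
  tasks:
    # 1. Read-only lookup: with `service` omitted, membership is not touched.
    - name: Look up the current members of the role
      community.general.ipa_role:
        name: "{{ ipa_role_name }}"
        ipa_host: "{{ ipa_server }}"
        ipa_pass: "{{ lookup('env', 'IPA_ADMIN_PASSWORD') }}"  # assumed env var
      register: current_role

    # 2. Read-modify-write: union of the existing members and the new one.
    #    `privilege` is deliberately omitted so it is neither checked nor
    #    changed; the same replace-not-append semantics apply to it.
    - name: Add the new service while keeping existing members
      community.general.ipa_role:
        name: "{{ ipa_role_name }}"
        ipa_host: "{{ ipa_server }}"
        ipa_pass: "{{ lookup('env', 'IPA_ADMIN_PASSWORD') }}"
        service: "{{ (current_role.role.member_service | default([]))
                     | union([new_service]) }}"
      register: updated_role

    # 3. Guard: fail loudly if any previously registered service is gone,
    #    which is exactly the symptom that breaks scaling on the first undercloud.
    - name: Verify no existing member was removed from the role
      ansible.builtin.assert:
        that:
          - >-
            (current_role.role.member_service | default([]))
            | difference(updated_role.role.member_service | default([]))
            | length == 0
        fail_msg: "ipa_role removed existing services from {{ ipa_role_name }}"
```

Running the read-only lookup from the page (`test.yml`) before and after this playbook should show the earlier undercloud's service still present alongside the new one.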

Changed in tripleo:
assignee: nobody → David Sedgmen (dsedgmen)
importance: Undecided → Medium
milestone: none → xena-rc1
status: New → Triaged