Main config keystone-authtoken section is incompatible with keystone v3 on mitaka

Bug #1571347 reported by Liam Young
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Charm Helpers
Fix Released
High
Liam Young
cinder (Juju Charms Collection)
Fix Released
High
Liam Young
glance (Juju Charms Collection)
Fix Released
High
Liam Young
heat (Juju Charms Collection)
Fix Released
High
Liam Young
neutron-api (Juju Charms Collection)
Fix Released
High
Liam Young
neutron-gateway (Juju Charms Collection)
Fix Released
High
Liam Young
nova-cloud-controller (Juju Charms Collection)
Fix Released
High
Liam Young
nova-compute (Juju Charms Collection)
Fix Released
High
Liam Young

Bug Description

The keystone_auth section has changed for Mitaka. The Liberty format which is currently being used is incompatible with keystone v3 on mitaka as it assumes the id of the default domain is default where as in Mitaka it is a random uuid.

This change is reflected in the setup documentation:

Mitaka:

[keystone_authtoken]
...
auth_uri = http://controller:5000
auth_url = http://controller:35357
memcached_servers = controller:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = NOVA_PASS

http://docs.openstack.org/mitaka/install-guide-ubuntu/nova-controller-install.html

Liberty:

[keystone_authtoken]
...
auth_uri = http://controller:5000
auth_url = http://controller:35357
auth_plugin = password
project_domain_id = default
user_domain_id = default
project_name = service
username = nova
password = NOVA_PASS

http://docs.openstack.org/liberty/install-guide-ubuntu/nova-controller-install.html

Related branches

Liam Young (gnuoy)
Changed in neutron-api (Juju Charms Collection):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Liam Young (gnuoy)
milestone: none → 16.04
Changed in cinder (Juju Charms Collection):
status: New → In Progress
Changed in glance (Juju Charms Collection):
status: New → In Progress
Changed in heat (Juju Charms Collection):
status: New → In Progress
Changed in nova-cloud-controller (Juju Charms Collection):
status: New → In Progress
Changed in nova-compute (Juju Charms Collection):
status: New → In Progress
Changed in cinder (Juju Charms Collection):
importance: Undecided → High
Changed in glance (Juju Charms Collection):
importance: Undecided → High
Changed in heat (Juju Charms Collection):
importance: Undecided → High
Changed in nova-cloud-controller (Juju Charms Collection):
importance: Undecided → High
Changed in nova-compute (Juju Charms Collection):
importance: Undecided → High
Changed in cinder (Juju Charms Collection):
assignee: nobody → Liam Young (gnuoy)
Changed in glance (Juju Charms Collection):
assignee: nobody → Liam Young (gnuoy)
Changed in heat (Juju Charms Collection):
assignee: nobody → Liam Young (gnuoy)
Changed in nova-cloud-controller (Juju Charms Collection):
assignee: nobody → Liam Young (gnuoy)
Changed in nova-compute (Juju Charms Collection):
assignee: nobody → Liam Young (gnuoy)
Changed in cinder (Juju Charms Collection):
milestone: none → 16.04
Changed in glance (Juju Charms Collection):
milestone: none → 16.04
Changed in heat (Juju Charms Collection):
milestone: none → 16.04
Changed in nova-cloud-controller (Juju Charms Collection):
milestone: none → 16.04
Changed in nova-compute (Juju Charms Collection):
milestone: none → 16.04
Changed in charm-helpers:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Liam Young (gnuoy)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/306849

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/306850

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-neutron-api (master)

Fix proposed to branch: master
Review: https://review.openstack.org/306851

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-nova-cloud-controller (master)

Fix proposed to branch: master
Review: https://review.openstack.org/306852

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-nova-compute (master)

Fix proposed to branch: master
Review: https://review.openstack.org/306853

Liam Young (gnuoy)
Changed in quantum-gateway (Juju Charms Collection):
status: New → In Progress
no longer affects: quantum-gateway (Juju Charms Collection)
Changed in neutron-gateway (Juju Charms Collection):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Liam Young (gnuoy)
milestone: none → 16.04
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-cinder (master)

Reviewed: https://review.openstack.org/306849
Committed: https://git.openstack.org/cgit/openstack/charm-cinder/commit/?id=e2d8622b416249913da3ca04af79e706b2b43caa
Submitter: Jenkins
Branch: master

commit e2d8622b416249913da3ca04af79e706b2b43caa
Author: Liam Young <email address hidden>
Date: Sun Apr 17 16:53:20 2016 +0000

    Update keystone_auth section for Mitaka

    The keystone_auth section has changed for Mitaka. The Liberty format
    ,which is currently being used, is incompatible with keystone v3 on
    Mitaka as it assumes the id of the default domain is default where
    as in Mitaka it is a uuid.

    The install documentation for Mitaka dictates that domain name should
    be used rather than id when setting project_domain and user_domain

    Change-Id: Ic8621020db16eaa4ac398e48406d8a858f974ae4
    Partial-Bug: 1571347

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-glance (master)

Reviewed: https://review.openstack.org/306850
Committed: https://git.openstack.org/cgit/openstack/charm-glance/commit/?id=4b9d9ad781a1f7369a100f4db8165f1a892e0c01
Submitter: Jenkins
Branch: master

commit 4b9d9ad781a1f7369a100f4db8165f1a892e0c01
Author: Liam Young <email address hidden>
Date: Sun Apr 17 16:58:23 2016 +0000

    Update keystone_auth section for Mitaka

    The keystone_auth section has changed for Mitaka. The Liberty format
    ,which is currently being used, is incompatible with keystone v3 on
    Mitaka as it assumes the id of the default domain is default where
    as in Mitaka it is a uuid.

    The install documentation for Mitaka dictates that domain name should
    be used rather than id when setting project_domain and user_domain

    Change-Id: Ie4d20a7287b7baca104996999ac8d333976ab752
    Partial-Bug: 1571347

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-neutron-api (master)

Reviewed: https://review.openstack.org/306851
Committed: https://git.openstack.org/cgit/openstack/charm-neutron-api/commit/?id=4dd7af797e063f9f82ea1240a801025ce5050805
Submitter: Jenkins
Branch: master

commit 4dd7af797e063f9f82ea1240a801025ce5050805
Author: Liam Young <email address hidden>
Date: Sun Apr 17 16:59:03 2016 +0000

    Update keystone_auth section for Mitaka

    The keystone_auth section has changed for Mitaka. The Liberty format
    ,which is currently being used, is incompatible with keystone v3 on
    Mitaka as it assumes the id of the default domain is default where
    as in Mitaka it is a uuid.

    The install documentation for Mitaka dictates that domain name should
    be used rather than id when setting project_domain and user_domain

    Change-Id: I0b01f9894e7c7ce414098b654ffd67f90db047a2
    Partial-Bug: 1571347

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-cloud-controller (master)

Reviewed: https://review.openstack.org/306852
Committed: https://git.openstack.org/cgit/openstack/charm-nova-cloud-controller/commit/?id=44a5cc737cc49641f74755bc362e57581cb50bc4
Submitter: Jenkins
Branch: master

commit 44a5cc737cc49641f74755bc362e57581cb50bc4
Author: Liam Young <email address hidden>
Date: Sun Apr 17 16:59:31 2016 +0000

    Update keystone_auth section for Mitaka

    The keystone_auth section has changed for Mitaka. The Liberty format
    ,which is currently being used, is incompatible with keystone v3 on
    Mitaka as it assumes the id of the default domain is default where
    as in Mitaka it is a uuid.

    The install documentation for Mitaka dictates that domain name should
    be used rather than id when setting project_domain and user_domain

    Change-Id: Id79a3dc10f3f08f837e6efdfb446380bb00a5891
    Partial-Bug: 1571347

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-compute (master)

Reviewed: https://review.openstack.org/306853
Committed: https://git.openstack.org/cgit/openstack/charm-nova-compute/commit/?id=6a9e93567d0915d00b95ab959a198e31cd603ecd
Submitter: Jenkins
Branch: master

commit 6a9e93567d0915d00b95ab959a198e31cd603ecd
Author: Liam Young <email address hidden>
Date: Sun Apr 17 17:00:03 2016 +0000

    Update keystone_auth section for Mitaka

    The keystone_auth section has changed for Mitaka. The Liberty format
    ,which is currently being used, is incompatible with keystone v3 on
    Mitaka as it assumes the id of the default domain is default where
    as in Mitaka it is a uuid.

    The install documentation for Mitaka dictates that domain name should
    be used rather than id when setting project_domain and user_domain

    Change-Id: I57b1af2485f61d14763c766e068e1cfdc2de071d
    Partial-Bug: 1571347

Liam Young (gnuoy)
Changed in charm-helpers:
status: In Progress → Fix Released
Changed in cinder (Juju Charms Collection):
status: In Progress → Fix Committed
Changed in glance (Juju Charms Collection):
status: In Progress → Fix Committed
Changed in neutron-api (Juju Charms Collection):
status: In Progress → Fix Committed
Changed in neutron-gateway (Juju Charms Collection):
status: In Progress → Fix Committed
Changed in nova-cloud-controller (Juju Charms Collection):
status: In Progress → Fix Committed
Changed in nova-compute (Juju Charms Collection):
status: In Progress → Fix Committed
James Page (james-page)
Changed in neutron-api (Juju Charms Collection):
status: Fix Committed → Fix Released
Changed in cinder (Juju Charms Collection):
status: Fix Committed → Fix Released
Changed in glance (Juju Charms Collection):
status: Fix Committed → Fix Released
Changed in nova-cloud-controller (Juju Charms Collection):
status: Fix Committed → Fix Released
Changed in nova-compute (Juju Charms Collection):
status: Fix Committed → Fix Released
Changed in neutron-gateway (Juju Charms Collection):
status: Fix Committed → Fix Released
James Page (james-page)
Changed in heat (Juju Charms Collection):
milestone: 16.04 → 16.07
tags: added: openstack
tags: added: canonical-boostack
tags: added: canonical-bootstack
removed: canonical-boostack
Revision history for this message
Liam Young (gnuoy) wrote :

It looks like two fixes are needed for heat.

1) Update keystone_authtoken in the heat.conf template to use the new format as has been done with the other charms attached to this bug report.

2) The service user created for heat (heat-cfn_heat) lacks permissions on the admin domain and the format of /root/admin-openrc-v3 is wrong. This means that the domain-setup action fails. I think the keystone charm could be updated to grant domain admin to the service users or the heat charm could grow a identity-admin relation. If the latter is implemented then the keystone charm will also need updating to support exposing v3 admin credentials down the identity-admin relation.

Revision history for this message
Liam Young (gnuoy) wrote :

As a workaround for issue 2 mentioned above the domain can be created manually:

openstack role add --domain admin_domain --user heat-cfn_heat Admin

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/330417

Revision history for this message
Liam Young (gnuoy) wrote :

I've created:

Bug #1593164 for the broken action
Bug #1593160 for keystone identity-admin v4 support

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-heat (master)

Reviewed: https://review.openstack.org/330417
Committed: https://git.openstack.org/cgit/openstack/charm-heat/commit/?id=d8c94406f411548ded22885104ab532c1970187f
Submitter: Jenkins
Branch: master

commit d8c94406f411548ded22885104ab532c1970187f
Author: Liam Young <email address hidden>
Date: Thu Jun 16 09:41:28 2016 +0000

    Update heat.conf template for mitaka compatability

    The format of keystone_authtoken section changed for Mitaka.
    This change creates a new template for mitaka and above.

    Update amulet tests to requests 2G of memory for heat instance
    as CI continually failed due to memory allocation issues.

    Change-Id: Ie2670f3b68fec29867d510a50a2c5dd4b31836ab
    Partial-Bug: 1571347

Liam Young (gnuoy)
Changed in heat (Juju Charms Collection):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.