keystone config-changed hook error after adding 'domain_specific_drivers_enabled = True' to keystone.conf template

Bug #1642979 reported by Matt Rae
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
keystone (Juju Charms Collection) | In Progress | High | Felipe Reyes |

Bug Description

When using domains which authenticate to LDAP, we need to set domain_specific_drivers_enabled = True to allow configuring the LDAP settings per domain. Right now, when adding the option to the keystone.conf template, there will be a hook error on the leader unit when the unit is deployed. The config-changed hook fails on authenticating to keystone with HTTP 401. Logs to be added.

To reproduce, add the domain_specific_drivers_enabled option to the keystone.conf template and deploy keystone with charm config preferred-api-version=3. Keystone will have a hook error on config-changed.

[identity]
domain_specific_drivers_enabled = True

Tags: bootstack sts v3
Kevin Metz (pertinent) wrote :

The error repeated in the logs

(keystone.common.wsgi): 2016-11-18 15:44:17,108 WARNING Authorization failed. The request you have made requires authentication. from 127.0.0.1

Felipe Reyes (freyes)
Changed in keystone (Juju Charms Collection):
assignee: nobody → Felipe Reyes (freyes)
Felipe Reyes (freyes) wrote :

A simplified version of the code that fails is http://pastebin.ubuntu.com/23558426/

According to bug 1493126, comment #7, a failure is expected when trying to get the list of users using the admin token, so we should be using the admin credentials instead to talk to keystone.

Felipe Reyes (freyes)
Changed in keystone (Juju Charms Collection):
status: New → In Progress
Changed in keystone (Juju Charms Collection):
milestone: none → 17.01
importance: Undecided → High
tags: added: v3
tags: added: bootstack
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/410509

Felipe Reyes (freyes)
tags: added: sts
OpenStack Infra (hudson-openstack) wrote : Change abandoned on charm-keystone (master)

Change abandoned by Edward Hope-Morley (<email address hidden>) on branch: master
Review: https://review.openstack.org/410509
Reason: The original objective of this patchset was to fix the API auth bug hit when enabling domain_specific_drivers_enabled in the charm. It has subsequently become a bit of a catchall to resolve other issues like being able to test credentials and minimise the usage of the admin token. Doing all of this at once is overcomplicating this patchset, so I am going to abandon it in favour of the following:

  * use https://review.openstack.org/#/c/424059/ as the fix for the original issue (I have tested and it works)

  * create a new patchset for credential testing and admin password reset capability

  * open a new bug to investigate switching to a non-admin-token world
