Instance creation fails with keystone v3 and 'master' charms
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Keystone Charm | Fix Released | High | Frode Nordahl |
OpenStack Nova Cloud Controller Charm | Fix Released | High | Frode Nordahl |
keystone (Juju Charms Collection) | Invalid | High | Frode Nordahl |
nova-cloud-controller (Juju Charms Collection) | Invalid | High | Frode Nordahl |
Bug Description
Creating an instance using the master charms to deploy xenial/newton fails; the instance goes from PENDING to ERROR state after a wait of a few minutes.
The neutron-server logs report it got a 403 back from the nova-cloud-
Returning 403 to user: Policy doesn't allow os_compute_
"admin_api": "is_admin:True"
"os_compute_
But the service user does not have the admin role on the service project in the service domain.
Granting this role allows the VM to be created (but with no network atm).
openstack domain list
+------
| ID | Name | Enabled | Description |
+------
| 539d91217e4e427
| 88f4d246106d4da
| 89c5830014214a0
| c2959b71ab0e4b4
| eda4a4cdef904b1
+------
openstack role add --user neutron --user-domain 89c5830014214a0
description: updated
description: updated
summary:
- Instance creation fails with keystone v3 and 'master' charms
+ Instance creation fails with keystone v3 and 'master' charms for
+ openstack-release >= newton
Changed in keystone (Juju Charms Collection):
assignee: nobody → Frode Nordahl (fnordahl)
Changed in nova-cloud-controller (Juju Charms Collection):
assignee: nobody → Frode Nordahl (fnordahl)
summary:
- Instance creation fails with keystone v3 and 'master' charms for
- openstack-release >= newton
+ Instance creation fails with keystone v3 and 'master' charms
tags: added: openstack sts
Changed in keystone (Juju Charms Collection):
status: New → Confirmed
Changed in nova-cloud-controller (Juju Charms Collection):
status: New → Confirmed
Changed in keystone (Juju Charms Collection):
importance: Undecided → High
Changed in nova-cloud-controller (Juju Charms Collection):
importance: Undecided → High
Changed in keystone (Juju Charms Collection):
milestone: none → 17.01
Changed in nova-cloud-controller (Juju Charms Collection):
milestone: none → 17.01
Changed in charm-keystone:
assignee: nobody → Frode Nordahl (fnordahl)
importance: Undecided → High
status: New → Fix Committed
Changed in keystone (Juju Charms Collection):
status: Fix Committed → Invalid
Changed in charm-nova-cloud-controller:
assignee: nobody → Frode Nordahl (fnordahl)
importance: Undecided → High
status: New → Fix Committed
Changed in nova-cloud-controller (Juju Charms Collection):
status: Fix Committed → Invalid
Changed in charm-keystone:
milestone: none → 17.02
Changed in charm-nova-cloud-controller:
milestone: none → 17.02
Changed in charm-keystone:
status: Fix Committed → Fix Released
Changed in charm-nova-cloud-controller:
status: Fix Committed → Fix Released
My first thoughts for fixing it are:
1) Changing admin_api rule from
"admin_api": "is_admin:True" or_admin"
to
"admin_api": "rule:service_
2) Changing the charm to grant admin to the service users on the service project in the service domain.
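
For option 2 above, one way to verify the grants after a deployment, as an added example that is not part of the bug report or the charms' own code: it audits role-assignment records for service users that lack `admin` on the service project, and for service users that hold it on any other scope. The records are constructed and assumed to follow the shape of `openstack role assignment list --names -f json` output; the project name `services`, the domain name `service_domain` and the user list are assumptions of this example.

```python
import json

# Constructed sample records. Key names and the "name@domain" form are assumed
# to match `openstack role assignment list --names -f json`.
SAMPLE = json.loads("""
[
 {"Role": "admin",  "User": "nova@service_domain",    "Project": "services@service_domain", "Domain": ""},
 {"Role": "Member", "User": "neutron@service_domain", "Project": "services@service_domain", "Domain": ""},
 {"Role": "admin",  "User": "cinder@service_domain",  "Project": "demo@default",            "Domain": ""},
 {"Role": "Admin",  "User": "cinder@service_domain",  "Project": "services@service_domain", "Domain": ""}
]
""")

# Hypothetical names for this example; substitute the deployment's own.
SERVICE_USERS = {"nova@service_domain", "neutron@service_domain", "cinder@service_domain"}
SERVICE_PROJECT = "services@service_domain"


def audit_service_admin(assignments, service_users, service_project, role="admin"):
    """Return (missing, excess).

    missing: service users that do not hold `role` on `service_project`
             (the condition that produced the 403 in this bug).
    excess:  (user, scope) pairs where a service user holds `role` on any
             other project or domain, i.e. a wider grant than the fix needs.
    """
    holders, excess = set(), []
    for a in assignments:
        # Role names are compared case-insensitively ("Admin" == "admin").
        if a.get("Role", "").lower() != role.lower():
            continue
        user = a.get("User")
        if user not in service_users:
            continue
        if a.get("Project") == service_project:
            holders.add(user)
        else:
            scope = a.get("Project") or a.get("Domain") or "<unscoped>"
            excess.append((user, scope))
    return sorted(set(service_users) - holders), sorted(excess)


if __name__ == "__main__":
    missing, excess = audit_service_admin(SAMPLE, SERVICE_USERS, SERVICE_PROJECT)
    print("missing admin on service project:", missing)
    print("admin held outside service project:", excess)
```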