Description:
With keystone configured for federated access (SAML) Sahara cannot create trusts due to 'unable to find role'
Steps to reproduce:
Configure keystone for federation such as SAML or OID
Expected Results:
federated users are ephemeral but consume a role (_member_) based on group membership, role based access should work.
actual results:
Sahara - RESP BODY: {"error": {"message": "Could not find role: 9fe2ff9ee4384b1894a90878d3e92bab", "code": 404, "title": "Not Found"}}
and finally:
Unable to create trust (reason: Could not find role: 9fe2ff9ee4384b1894a90878d3e92bab (HTTP 404)
openstack role list (it doesn't make much sense that Sahara can't find the _member_ role):
+----------------------------------+-----------------+
| ID | Name |
+----------------------------------+-----------------+
| 79fedf162a664cdbb6de7117d4998566 | ResellerAdmin |
| 87cf7f569672416db4027839aaa93eec | heat_stack_user |
| 897d116732174ee8be888aba12b7a550 | admin |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
+----------------------------------+-----------------+
This goes for Murano and Heat also - the same result - the federated user's role cannot be found.
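The puzzle above is that the role keystone reports as missing is listed by `openstack role list`. The following triage helper is an added example, not code from the report or from Sahara: it parses the 404 body and the role table quoted above, and checks them against the trustor's token (a constructed sample of a federated token; the IdP, protocol and group IDs in it are placeholders).

```python
import json
import re

# Constructed sample of a keystone v3 token for a federated (ephemeral) user, in
# the shape POST /v3/auth/tokens returns. The user, project and _member_ role
# IDs come from the report; IdP, protocol and group IDs are placeholders.
SAMPLE_TOKEN = {"token": {
    "user": {"id": "43951d0af69848268f07937c12fa36fd", "name": "student01",
             "OS-FEDERATION": {"identity_provider": {"id": "placeholder-idp"},
                               "protocol": {"id": "saml2"},
                               "groups": [{"id": "placeholder-group"}]}},
    "project": {"id": "307a375b43274f779d89b0512824a054"},
    "roles": [{"id": "9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_"}]}}
# The 404 body and the `openstack role list` output quoted in the report.
SAMPLE_ERROR = ('{"error": {"message": "Could not find role: '
                '9fe2ff9ee4384b1894a90878d3e92bab", "code": 404, "title": "Not Found"}}')
SAMPLE_ROLE_TABLE = """\
+----------------------------------+-----------------+
| ID | Name |
+----------------------------------+-----------------+
| 79fedf162a664cdbb6de7117d4998566 | ResellerAdmin |
| 87cf7f569672416db4027839aaa93eec | heat_stack_user |
| 897d116732174ee8be888aba12b7a550 | admin |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
+----------------------------------+-----------------+"""

def role_id_from_error(body):
    """Extract the role ID keystone says it could not find, or None."""
    m = re.search(r"Could not find role: ([0-9a-f]{32})", json.loads(body)["error"]["message"])
    return m.group(1) if m else None

def parse_role_table(text):
    """Turn `openstack role list` output into {role_id: role_name}."""
    roles = {}
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip the +---+ separator rows
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 2 and re.fullmatch(r"[0-9a-f]{32}", cells[0]):
            roles[cells[0]] = cells[1]  # the header row fails the ID check
    return roles

def triage(token, error_body, role_table):
    """Cross-check the 404 against the trustor's token and the defined roles."""
    missing = role_id_from_error(error_body)
    defined = parse_role_table(role_table)
    return {"federated_user": "OS-FEDERATION" in token["token"]["user"],
            "role_exists": missing in defined,
            "role_in_token": missing in {r["id"] for r in token["token"]["roles"]},
            "role_name": defined.get(missing)}
```

When federated_user, role_exists and role_in_token all come back true, the 404 is not a missing role: the role is defined and present in the trustor's token, so the failure lies in how keystone validates the ephemeral user's group-derived role while creating the trust, which is the pattern in this report.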
Reproducibility:
configure keystone v3 API for federation
Workaround:
unknown - I would especially like to know of any workaround for this; any feedback is appreciated.
Impact:
Federation users cannot access Sahara, Murano or Heat. For me this would mean creating manual accounts for 500+ students and reverting to keystone v2 with users in the SQL backend, which breaks SSO, identity lifecycle management and UX.
Description of the environment:
Operating system: Ubuntu with MOS packages
Versions of components: fuel 9.0
Reference architecture: HA with ceph
Network model: GRE
Related projects installed: Murano, Sahara
Additional information:
here's something weird - EVERYTHING else works with federated users including swift with ceph hammer backend, but apparently this should not work until ceph jewel https://bugs.launchpad.net/mos/10.0.x/+bug/1498552
How are the other services working with role based access as group members? - they are not relying yet on the shadow users bp, can the same approach be configured in murano, sahara, heat?
fuel fuel-version
api: '1'
auth_required: true
feature_groups:
- experimental
- advanced
openstack_version: mitaka-9.0
release: '9.0'
Sahara snippet:
2016-09-20 17:02:47.302 27869 DEBUG keystoneclient.auth.identity.v3.base [req-3b19bf3e-6bbb-4e6f-88cb-921a3cf8bbca 43951d0af69848268f07937c12fa36fd 307a375b43274f779d89b0512824a054 - - -] [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3] Making authentication request to http://172.25.60.5:5000/v3/auth/tokens get_auth_ref /usr/lib/python2.7/dist-packages/keystoneclient/auth/identity/v3/base.py:188
2016-09-20 17:02:47.412 27869 DEBUG keystoneclient.session [req-3b19bf3e-6bbb-4e6f-88cb-921a3cf8bbca 43951d0af69848268f07937c12fa36fd 307a375b43274f779d89b0512824a054 - - -] [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3] REQ: curl -g -i --insecure -X POST http://172.25.60.5:35357/v3/OS-TRUST/trusts -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}cbd44946362e5abd7f0a4bd25512a85a178cc87c" -d '{"trust": {"impersonation": true, "trustor_user_id": "43951d0af69848268f07937c12fa36fd", "allow_redelegation": true, "roles": [{"name": "_member_"}], "trustee_user_id": "d29432ca2fdf4b0996b01347155934df", "project_id": "307a375b43274f779d89b0512824a054"}}' _http_log_request /usr/lib/python2.7/dist-packages/keystoneclient/session.py:206
2016-09-20 17:02:47.560 27869 DEBUG keystoneclient.session [req-3b19bf3e-6bbb-4e6f-88cb-921a3cf8bbca 43951d0af69848268f07937c12fa36fd 307a375b43274f779d89b0512824a054 - - -] [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3] RESP: [404] Content-Length: 114 Vary: X-Auth-Token Server: Apache Connection: close Date: Tue, 20 Sep 2016 17:02:47 GMT Content-Type: application/json x-openstack-request-id: req-b74e985d-d32d-4857-8f3c-ec4c014fb107
RESP BODY: {"error": {"message": "Could not find role: 9fe2ff9ee4384b1894a90878d3e92bab", "code": 404, "title": "Not Found"}}
_http_log_response /usr/lib/python2.7/dist-packages/keystoneclient/session.py:231
2016-09-20 17:02:47.561 27869 DEBUG keystoneclient.session [req-3b19bf3e-6bbb-4e6f-88cb-921a3cf8bbca 43951d0af69848268f07937c12fa36fd 307a375b43274f779d89b0512824a054 - - -] [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3] Request returned failure status: 404 request /usr/lib/python2.7/dist-packages/keystoneclient/session.py:419
2016-09-20 17:02:47.562 27869 ERROR sahara.service.trusts [req-3b19bf3e-6bbb-4e6f-88cb-921a3cf8bbca 43951d0af69848268f07937c12fa36fd 307a375b43274f779d89b0512824a054 - - -] [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3] Unable to create trust (reason: Could not find role: 9fe2ff9ee4384b1894a90878d3e92bab (HTTP 404) (Request-ID: req-b74e985d-d32d-4857-8f3c-ec4c014fb107))
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [req-3b19bf3e-6bbb-4e6f-88cb-921a3cf8bbca 43951d0af69848268f07937c12fa36fd 307a375b43274f779d89b0512824a054 - - -] [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3] Error during rollback of cluster (reason: Failed to create trust
Error ID: 2d5ce02c-0fb6-4856-9d29-d0f085c0e993)
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3] Traceback (most recent call last):
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3]   File "/usr/lib/python2.7/dist-packages/sahara/service/ops.py", line 210, in wrapper
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3]     if _rollback_cluster(cluster, ex):
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3]   File "/usr/lib/python2.7/dist-packages/sahara/service/ops.py", line 238, in _rollback_cluster
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3]     _setup_trust_for_cluster(cluster)
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3]   File "/usr/lib/python2.7/dist-packages/sahara/service/ops.py", line 180, in _setup_trust_for_cluster
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3]     trusts.create_trust_for_cluster(cluster)
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3]   File "/usr/lib/python2.7/dist-packages/sahara/service/trusts.py", line 97, in create_trust_for_cluster
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3]     allow_redelegation=True)
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3]   File "/usr/lib/python2.7/dist-packages/sahara/service/trusts.py", line 75, in create_trust
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3]     raise ex.CreationFailed(_('Failed to create trust'))
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3] CreationFailed: Failed to create trust
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3] Error ID: 2d5ce02c-0fb6-4856-9d29-d0f085c0e993
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3]
2016-09-20 17:02:48.182 27869 INFO sahara.utils.cluster [req-3b19bf3e-6bbb-4e6f-88cb-921a3cf8bbca 43951d0af69848268f07937c12fa36fd 307a375b43274f779d89b0512824a054 - - -] [instance: none, cluster: 58f9e615-9ac1-4445-8c01-ac2d766b02c3] Cluster status has been changed. New status=Error
This bug is addressed here: https://review.openstack.org/#/c/284943/
Can this be backported to Mitaka? Or can I patch keystone manually in the meantime?