federated users cannot use Murano or Sahara
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Fuel for OpenStack | Won't Fix | High | MOS Keystone | |
| 8.0.x | Won't Fix | High | MOS Keystone | |
| Mitaka | Fix Released | High | MOS Keystone | |
| Newton | Won't Fix | High | MOS Keystone | |
Bug Description
Users considering using that feature, please read comment #17 first https:/
fuel fuel-version
api: '1'
auth_required: true
feature_groups:
- experimental
- advanced
openstack_version: mitaka-9.0
release: '9.0'
Description:
With Keystone configured for federated access (SAML), Sahara cannot create trusts due to 'unable to find role'.
Steps to reproduce:
Configure keystone for federation such as SAML or OID
Expected Results:
Federated users are ephemeral but consume a role (_member_) based on group membership; role-based access should work.
Actual results:
Sahara - RESP BODY: {"error": {"message": "Could not find role: 9fe2ff9ee4384b1
and finally:
Unable to create trust (reason: Could not find role: 9fe2ff9ee4384b1
openstack role list (it doesn't seem to make much sense that Sahara can't find the _member_ role):
+------
| ID | Name |
+------
| 79fedf162a664cd
| 87cf7f569672416
| 897d116732174ee
| 9fe2ff9ee4384b1
+------
This goes for Murano and Heat also - the same result: the federated user's role cannot be found.
Sahara snippet:
DEBUG keystoneclient.
2016-09-20 17:02:47.302 27869 DEBUG keystoneclient.
2016-09-20 17:02:47.412 27869 DEBUG keystoneclient.
2016-09-20 17:02:47.560 27869 DEBUG keystoneclient.
RESP BODY: {"error": {"message": "Could not find role: 9fe2ff9ee4384b1
_http_log_response /usr/lib/
2016-09-20 17:02:47.561 27869 DEBUG keystoneclient.
2016-09-20 17:02:47.562 27869 ERROR sahara.
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [req-3b19bf3e-
Error ID: 2d5ce02c-
2016-09-20 17:02:47.698 27869 ERROR sahara.service.ops [instance: none, cluster: 58f9e615-
2016-09-20 17:02:48.182 27869 INFO sahara.
Reproducibility:
configure keystone v3 API for federation
Workaround:
Unknown - I would especially like to know of any workaround for this. Any feedback is appreciated.
Impact:
Federated users cannot access Sahara, Murano or Heat. For me this would mean creating manual accounts for +500 students and reverting to Keystone v2 with users in the SQL backend, which breaks SSO, identity lifecycle management and UX.
Description of the environment:
Operation system: Ubuntu with MOS packages
Versions of components: fuel 9.0
Reference architecture: HA with ceph
Network model: GRE
Related projects installed: Murano, Sahara
Additional information:
Here's something weird - EVERYTHING else works with federated users, including Swift with the Ceph Hammer backend, but apparently this should not work until Ceph Jewel:
https:/
How are the other services working with role-based access as group members? They are not relying yet on the shadow users bp; can the same approach be configured in Murano, Sahara and Heat?
This bug is addressed here:
https:/
Can this be backported to Mitaka? Or can I patch Keystone manually in the meantime?
Changed in fuel:
  assignee: nobody → MOS Keystone (mos-keystone)
  tags: added: area-heat
Changed in fuel:
  status: New → Confirmed
  importance: Undecided → High
  assignee: MOS Keystone (mos-keystone) → MOS Heat (mos-heat)
  milestone: none → 9.2
Changed in fuel:
  assignee: MOS Heat (mos-heat) → Oleksii Chuprykov (ochuprykov)
Changed in fuel:
  assignee: MOS Heat (mos-heat) → Peter Razumovsky (prazumovsky)
Changed in fuel:
  assignee: nobody → MOS Keystone (mos-keystone)
  tags: added: ct1 customer-found support
Changed in fuel:
  milestone: 9.x-updates → 9.2-mu-1
In fact this is a Heat issue: Heat cannot create the Keystone trust because it can't find the federated user's role assignment.
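As an added illustration (not code from the bug report, Keystone or Heat), a small Python model of the check described above: the trust is validated against the trustor's direct role assignments, so a federated user whose _member_ role comes only from a mapped group is rejected with "Could not find role", while a lookup that also resolves the groups carried in the token accepts the same request. Role ids, group, user and project names are constructed placeholders.

```python
# Constructed, simplified model of the trust check that fails in this bug.
# It is not Keystone or Heat code; ids and names are placeholders.
from dataclasses import dataclass, field

ROLE_MEMBER = "member-role-id"  # placeholder for the _member_ role id

@dataclass
class Token:
    """The parts of a project-scoped Keystone token the check needs."""
    user_id: str
    project_id: str
    groups: list = field(default_factory=list)  # groups the federation mapping placed the user in

class TrustError(Exception):
    """Raised when the trustor does not hold a role the trust tries to delegate."""

# Constructed assignment backend: (actor type, actor id, project id) -> role ids.
# The local SQL user has a direct assignment; the federated user only gets _member_ via the group.
ASSIGNMENTS = {
    ("user", "alice-local", "proj-1"): {ROLE_MEMBER},
    ("group", "students", "proj-1"): {ROLE_MEMBER},
}

def roles_direct(token):
    """Lookup that reproduces the failure: only the trustor's own user assignments count."""
    return set(ASSIGNMENTS.get(("user", token.user_id, token.project_id), set()))

def roles_effective(token):
    """Corrected lookup: also count assignments held by the groups the token carries."""
    roles = roles_direct(token)
    for group in token.groups:
        roles |= ASSIGNMENTS.get(("group", group, token.project_id), set())
    return roles

def create_trust(token, delegated_roles, lookup):
    """A trust may only delegate roles the trustor actually holds on the project."""
    held = lookup(token)
    for role in delegated_roles:
        if role not in held:
            raise TrustError(f"Could not find role: {role}")  # the message seen in the Sahara log
    return {"trustor": token.user_id, "project": token.project_id, "roles": sorted(delegated_roles)}

def trust_outcome(token, delegated_roles, lookup):
    """Return the trust on success or the error text on failure, for diagnosis."""
    try:
        return create_trust(token, delegated_roles, lookup)
    except TrustError as exc:
        return str(exc)

LOCAL_USER = Token("alice-local", "proj-1")
FEDERATED_USER = Token("saml-bob", "proj-1", groups=["students"])
```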