keystone V3 support needed

I suspect "tenant-name" will need to give way to project-id and user-domain-name, or some such. Here is an example of V3 usage from the cli:

export OS_PROJECT_ID=00ff00ff00ff00ff00ff00ff00ff00ff
export OS_USERNAME=john.doe@local
export OS_USER_DOMAIN_NAME=domain12345
export OS_AUTH_URL=https://f.q.d.n/v3
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME=earth
export OS_PASSWORD=FooFooFoo

openstack server list

openstack image list

Keystone v3 support is targetted for Juju 2.0

This was included in 2.0-beta3

This appears to still be a problem.

Scoping between domain and project requires mutually exclusive settings. Compare these novarc files:
http://bazaar.launchpad.net/~ost-maintainers/openstack-charm-testing/trunk/view/head:/novarcv3_project
http://bazaar.launchpad.net/~ost-maintainers/openstack-charm-testing/trunk/view/head:/novarcv3_domain

It would appear that in the project scope the following are not being set in gooes:
OS_PROJECT_DOMAIN_NAME
OS_USER_DOMAIN_NAME

The following did not fully address these requirements:
https://github.com/go-goose/goose/commit/a6ab4cac05e147190aee673670c2ddd9a2f777d2

Ideally, juju gooes should support:
 v2
 v3 domain scope
 v3 project scope

Documentation on the v3 API:
An old but informative simple description of the v3 api:
http://adam.younglogic.com/2013/09/keystone-v3-api-examples/

The full API documentation:
https://developer.openstack.org/api-ref/identity/v3/

Using a project configured v3 auth endpoint I'm unable to bootstrap.

```
OS_REGION_NAME=coolcloud
OS_USER_DOMAIN_NAME=admin_domain
OS_PROJECT_NAME=cloud_kubernetes
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=<REDACTED>
OS_AUTH_URL=http://10.0.3.240:5000/v3
OS_USERNAME=kubernetes_admin
OS_PROJECT_DOMAIN_NAME=jumpin-joy
```

```
$ juju show-cloud my-cloud
defined: local
type: openstack
description: Openstack Cloud
auth-types: [userpass, access-key]
regions:
  coolcloud:
    endpoint: http://10.0.3.240:5000/v3
```

```
$ juju list-credentials --format yaml --show-secrets
credentials:
  my-cloud:
    kubernetes:
      auth-type: userpass
      domain-name: admin_domain
      password: <REDACTED>
      tenant-name: cloud_kubernetes
      username: kubernetes_admin
```

```
$ juju bootstrap --debug my-cloud
19:49:14 INFO juju.cmd supercommand.go:63 running juju [2.1-rc1 gc go1.6.2]
19:49:14 DEBUG juju.cmd supercommand.go:64 args: []string{"juju", "bootstrap", "--debug", "my-cloud"}
19:49:14 DEBUG juju.cmd.juju.commands bootstrap.go:780 authenticating with region "coolcloud" and credential "kubernetes" ()
19:49:14 DEBUG juju.cmd.juju.commands bootstrap.go:892 provider attrs: map[use-floating-ip:false use-default-secgroup:false network: external-network:]
19:49:14 INFO cmd cmd.go:141 Adding contents of "/home/ubuntu/.local/share/juju/ssh/juju_id_rsa.pub" to authorized-keys
19:49:14 DEBUG juju.cmd.juju.commands bootstrap.go:948 preparing controller with config: map[logging-config: enable-os-refresh-update:true external-network: image-metadata-url: agent-stream:released provisioner-harvest-mode:destroyed http-proxy: name:controller proxy-ssh:false ignore-machine-addresses:false authorized-keys:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7ax7LrroQh6ayFPH7vfU+/1veF40s6UJF4YeaevTvrx/xELELSjSeEIkQw6KoA/nCysOMUDmkFPfVoe7u5reO37IRWS+c7k/O3MOMTUGlOeGEmDE2trFzoBSNj4lYRuQxDC8ecyk0d0Lui1gEV24ZjT/Wo/d3QUJy/VQojqEztl565+UoaCv5Ck33suD1mYpesoDkJcQv9igArNCqQ/t5QnMxgmhxs0HOF29PI+aGkHMjGBHVL8PQaC95n0B9q1tD0w5DdkFRZQpRaWuvZ1g0ykBNKX+OU5Tp4iq+bU9NH9za8UnBrVgumAXv9gAVjrcWpOo/VUkhvb06FRi63ZCD juju-client-key
 image-stream:released development:false net-bond-reconfigure-delay:17 type:openstack ssl-hostname-verification:true enable-os-upgrade:true no-proxy: network: apt-ftp-proxy: use-default-secgroup:false uuid:4465ae20-ad7c-4e1c-8cf3-31c403ff59ea disable-network-management:false transmit-vendor-metrics:true apt-mirror: resource-tags: https-proxy: default-series:xenial apt-https-proxy: firewall-mode:instance apt-http-proxy: agent-metadata-url: test-mode:false use-floating-ip:false ftp-proxy: logforward-enabled:false automatically-retry-hooks:true]
19:49:14 INFO juju.provider.openstack provider.go:131 opening model "controller"
19:49:15 DEBUG juju.provider.openstack provider.go:763 authentication failed: authentication failed
caused by: requesting token: Unauthorised URL http://10.0.3.240:5000/v3/auth/tokens
caused by: request (http://10.0.3.240:5000/v3/auth/tokens) returned unexpected status: 401; error info: Failed: 401 error: The request you have made requires authentication.
19:49:15 ERROR cmd supercommand.go:458 authentication failed.

Please ensure the credentials are corr...

Bug 1585708 has a fix landing; that should help.

This is not a duplicate. Why was this closed? Juju supporting v3 and charms are two different problem domains.

Marked incorrectly as duplicate based on comment # 6. Un-marking \o/

Just to reinforce, this bug (a Juju provider bug) is in no way related to bug 1585708 (a charm bug).

Goose PR https://github.com/go-goose/goose/pull/40

Juju PR https://github.com/juju/juju/pull/6981

 I am using juju --version 2.1.2-xenial-amd64 and I am still having bootstrap issuestack on provide keystone v3.

This problem has been fixed in which version?

My clientpython openstack works normally.

21:48:45 INFO juju.provider.openstack provider.go:131 opening model "controller"
21:48:46 DEBUG juju.provider.openstack provider.go:765 authentication failed: authentication failed
caused by: requesting token: Unauthorised URL https://api.domain.com:5000/v3/auth/tokens
caused by: request (https://api.domain.com:5000/v3/auth/tokens) returned unexpected status: 401; error info: Failed: 401 error: The request you have made requires authentication.
21:48:46 ERROR cmd supercommand.go:458 authentication failed.

Please ensure the credentials are correct. A common mistake is
to specify the wrong tenant. Use the OpenStack "project" name
for tenant-name in your model configuration.
21:48:46 DEBUG cmd supercommand.go:459 (error details: [{github.com/juju/juju/cmd/juju/commands/bootstrap.go:445: } {github.com/juju/juju/environs/bootstrap/prepare.go:99: } {github.com/juju/juju/environs/bootstrap/prepare.go:163: } {github.com/juju/juju/provider/openstack/provider.go:770: authentication failed.

Please ensure the credentials are correct. A common mistake is
to specify the wrong tenant. Use the OpenStack "project" name
for tenant-name in your model configuration.}])

Can you provide the content of your Juju credentials file (with secrets redacted). It lives in ~/.local/share/juju/credentials.yaml. And also the ~/.novarc file (or env vars) with secrets redacted for comparison.

Hello Ian!

# juju list-credentials --format yaml --show-secrets
credentials:
  openstack:
    default-region: myregion
    myuser:
      auth-type: userpass
      password: mypass
      tenant-name: myprojectname
      username: myuser

# juju show-cloud openstack
defined: local
type: openstack
description: Openstack Cloud
auth-types: [userpass]
regions:
  myregion:
    endpoint: https://api.domain.com:5000/v3/

Note: my api is in HTTPS

Caused by: request (https://api.domain.com:5000/v3/tokens) returned unexpected status: 404; Error info: Failed: 404 error: The resource could not be found.

I noticed that the URL is not being formed correctly

Caused by: request (https://api.domain.com:5000/v3/tokens) returned unexpected status: 404; Error info: Failed: 404 error: The resource could not be found

The correct one would not be: https://api.domain.com:5000/v3/auth/tokens

I noticed the "auth" in the url is missing.

mycloud.yaml

openstack:
    type: openstack
    auth-types: [userpass]
    endpoint: https://api.domain.com:5000/v3
    regions:
      trm:
        endpoint: https://api.domain.com:5000/v3

mycredentials.yaml

credentials:
  openstack:
    default-credential: myuser
    myuser:
      auth-type: userpass
      tenant-name: myproject
      domain-name: mydomain
      username: myuser
      password: mypass

MY ENV rc_openstak - work ok

export OS_PROJECT_NAME="myproject"
export OS_USER_DOMAIN_NAME="mydomain"

Hi!!! now works fine.

credentials:
  openstack:
    default-credential: myuser
    myuser:
      auth-type: userpass
      tenant-name: myproject
# domain-name: mydomain
      user-domain-name: mydomain
      project-domain-name: mydomain
      username: myuser
      password: mypasswd

but error

14:30:58 ERROR cmd supercommand.go:458 failed to bootstrap model: no image metadata found

Hi Bruno

Great that you got the first part working!

The next part is teaching Juju what openstack images are available. This is done by producing metadata which can either be stored in swift or in a local directory.

This doc shows how to set up the metadata in swift

https://jujucharms.com/docs/devel/howto-privatecloud

This blog post is using Juju 1.25 but the steps outlined are still generally applicable to Juju 2.x

https://blog.felipe-alfaro.com/2014/04/29/bootstraping-juju-on-top-of-an-openstack-private-cloud/

Hi Ian

I performed the procedures and I went through the second phase, now I'm standing still in this, could you help me?

2:15:37 ERROR juju.cmd.juju.commands bootstrap.go:1056 error cleaning up: destroying controller model: destroying instances: failed to get list of server details
caused by: failed unmarshaling the response body: {"servers": [{"status": "ACTIVE", "updated": "2017-05-02T12:22:15Z", "hostId": "3ecf224269edfe46c693983c897711a708859d546f96e32110eaa

Bruno,

By any chance do you have an instance deployed in your openstack which is booted to a volume? If so, you could be hitting this bug: https://bugs.launchpad.net/juju/+bug/1683495

Hi Heather, this resolved my problem!

But now I'm having trouble setting up the security group even if you set the "--config use-default-secgroup=true" option on the bootstrap line it is trying to create a new security group and giving error, has anyone had this problem?

00:16:54 DEBUG juju.provider.openstack firewaller.go:294 deleting security group "juju-b39c0bd4-d789-4711-8f5c-7a3d98e9e39d-6eec5115-cba1-4ea9-8e10-1c849f827f7d"
00:16:55 ERROR cmd supercommand.go:458 failed to bootstrap model: cannot start bootstrap instance: cannot set up groups: failed to create a rule for the security group with id: e88c409f-4185-49ce-8cf4-c47e981c44e7

Tks!

Hi! I am resolved with change firewaller.go my error was related to my IPV6 that the nuage plugin could not support.

I removed all ipv6 lines from the security group's creation of the file firewaller.go and recomputed the juju so it worked the creation of the controller

Bruno,

Perhaps we can move this conversation to <email address hidden> as we've moved off the topic of the bug?

Juju will always create it's own security groups for openstack, "--config use-default-secgroup=true" added the default security group to the list of juju created ones for each
instance. There's a bug on this topic: https://bugs.launchpad.net/juju/+bug/1625830. Sounds
like we need to clarify what this flag does. It's currently described as:
`Whether new machine instances should have the "default" Openstack security group assigned.`
But doesn't say whether that's in replacement of, or addition to the juju created security groups.

All of that said, you can easily skip using that flag. It sounds like you had a different issue going on, which doesn't appear to be a known bug. Can you file a new one? Or ask for help on <email address hidden>, where more people will see it?

Hi!

In my environment as "use-default-secgroup=true" it added the "default" group along with the rules created by juju.

Related list I believe my solution is well specified for SDN nuage plugin without IPV6 support, but if you want you can create it.