When using Keystone API v3, catalog won't be returned

Bug #1361422 reported by David Hill
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Expired
Importance: High
Assigned to: Unassigned
Milestone: none

Bug Description

Warning: I don't know if that should be working or not, but heat 2014.1.2 doesn't seem to get a catalog, whereas heat 2013.2.3 seems to be getting along pretty well. I downgraded the packages, read everything that had to be read, patched the code and the verdict is always the same. It appears that keystone v3 doesn't return the catalog and heat depends on it (well, it's complaining about it so I guess it needs it).

Hi guys,

It appears that in Icehouse (well in my setup and probably the setup of some other guys too) the catalog won’t be returned when the keystone v3 API is being used…
What am I missing?

[root@labctrl ~]# keystone catalog
'NoneType' object has no attribute 'has_service_catalog'

Catalog:
catalog.RegionOne.identity.publicURL = http://IP:$(public_port)s/v3
catalog.RegionOne.identity.adminURL = http://IP:$(admin_port)s/v3
catalog.RegionOne.identity.internalURL = http://IP:$(public_port)s/v3
catalog.RegionOne.identity.name = Identity Service

Keystone-paste.ini
[pipeline:api_v3]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v3 json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3

Thanks,

Dave

From: David Hill
Sent: 25-Aug-14 4:11 PM
To: openstack
Subject: Re: [Openstack] Heat: 2014.1.2-0 vs Keystone

Hi guys,

This is what heat-engine gets back :
RESP BODY: {"token": {"methods": ["token"], "roles": [{"id": "59bd5c58fe344eeab3bc3443b82155a0", "name": "Member"}, {"id": "9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_"}, {"id": "c119300b61bb4bfeafdf9ccc8ea3efae", "name": "Admin"}, {"id": "e80ca12406714be799fc9066d5978dbb", "name": "Owner"}], "expires_at": "2014-08-26T20:07:11.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "85bcc32e66b54c8bb52f28cb58319758", "name": "monitoring"}, "catalog": {}, "extras": {}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "ccba454033204a7ba96b67ddaaacf00a", "name": "monitoring"}, "issued_at": "2014-08-25T20:07:12.589937Z"}}
_send_request /usr/lib/python2.6/site-packages/keystoneclient/session.py:297

Notice the "catalog": {}? I’m not sure but… shouldn’t it contain the actual catalog?

Dave

From: David Hill
Sent: 25-Aug-14 4:41 AM
To: 'openstack'
Subject: Heat: 2014.1.2-0 vs Keystone

Hi guys,

I’m trying to get Heat to work… but every time I try to create a stack, the engine will fail at getting the catalog.
Since everything is working fine (ceilometer,nova,cinder,glance), am I forgetting something?

StackValidationFailed_Remote: Property error : WikiDatabase: ImageId The service catalog is empty.

Here is the catalog:
catalog.RegionOne.identity.publicURL = http://IP:$(public_port)s/v2.0
catalog.RegionOne.identity.adminURL = http://IP:$(admin_port)s/v2.0
catalog.RegionOne.identity.internalURL = http://IP:$(public_port)s/v2.0
catalog.RegionOne.identity.name = Identity Service
catalog.RegionOne.compute.publicURL = http://IP:8774/v2/$(tenant_id)s
catalog.RegionOne.compute.adminURL = http://IP:8774/v2/$(tenant_id)s
catalog.RegionOne.compute.internalURL = http://IP:8774/v2/$(tenant_id)s
catalog.RegionOne.compute.name = Compute Service
catalog.RegionOne.volume.publicURL = http://IP:8776/v1/$(tenant_id)s
catalog.RegionOne.volume.adminURL = http://IP:8776/v1/$(tenant_id)s
catalog.RegionOne.volume.internalURL = http://IP:8776/v1/$(tenant_id)s
catalog.RegionOne.volume.name = Volume Service
catalog.RegionOne.ec2.publicURL = http://IP:8773/services/Cloud
catalog.RegionOne.ec2.adminURL = http://IP:8773/services/Admin
catalog.RegionOne.ec2.internalURL = http://IP:8773/services/Cloud
catalog.RegionOne.ec2.name = EC2 Service
catalog.RegionOne.image.publicURL = http://IP:9292/
catalog.RegionOne.image.adminURL = http://IP:9292/
catalog.RegionOne.image.internalURL = http://IP:9292/
catalog.RegionOne.image.name = Image Service
catalog.RegionOne.object_store.publicURL = http://IP:8080/v1/AUTH_$(tenant_id)s
catalog.RegionOne.object_store.adminURL = http://IP:8080/
catalog.RegionOne.object_store.internalURL = http://IP:8080/v1/AUTH_$(tenant_id)s
catalog.RegionOne.object_store.name = Swift Service
catalog.RegionOne.cloudformation.publicURL = http://IP:8000/v1
catalog.RegionOne.cloudformation.adminURL = http://IP:8000/v1
catalog.RegionOne.cloudformation.internalURL = http://IP:8000/v1
catalog.RegionOne.cloudformation.name = Heat CloudFormation API
catalog.RegionOne.heat.publicURL = http://IP:8004/v1/$(tenant_id)s
catalog.RegionOne.heat.adminURL = http://IP:8004/v1/$(tenant_id)s
catalog.RegionOne.heat.internalURL = http://IP:8004/v1/$(tenant_id)s
catalog.RegionOne.heat.name = Heat API
catalog.RegionOne.orchestration.publicURL = http://IP:8004/v1/$(tenant_id)s
catalog.RegionOne.orchestration.adminURL = http://IP:8004/v1/$(tenant_id)s
catalog.RegionOne.orchestration.internalURL = http://IP:8004/v1/$(tenant_id)s
catalog.RegionOne.orchestration.name = Heat API
catalog.RegionOne.ceilometer.publicURL = http://IP:8777/
catalog.RegionOne.ceilometer.adminURL = http://IP:8777/
catalog.RegionOne.ceilometer.internalURL = http://IP:8777/
catalog.RegionOne.ceilometer.name = Ceilometer Metering
catalog.RegionOne.metering.publicURL = http://IP:8777/
catalog.RegionOne.metering.adminURL = http://IP:8777/
catalog.RegionOne.metering.internalURL = http://IP:8777/
catalog.RegionOne.metering.name = Ceilometer Metering

/etc/heat/heat.conf

[DEFAULT]
verbose = True
debug = True
use_stderr = False
log_file = /var/log/heat/engine.log
use_syslog = False
heat_stack_user_role = heat_stack_user
instance_connection_is_secure = 0
instance_connection_https_validate_certificates = 1
bind_host = 0.0.0.0
bind_port = 8001
heat_metadata_server_url = http://IP:8000
heat_waitcondition_server_url = http://IP:8000/v1/waitcondition
heat_watch_server_url = http://IP:8003
sql_connection = mysql://USER:PASSWORD@IP/heat
db_backend=heat.db.sqlalchemy.api
rpc_backend=heat.openstack.common.rpc.impl_kombu
auth_encryption_key=AUTH_KEY
rabbit_host=localhost
rabbit_port=5672

[keystone_authtoken]
admin_tenant_name = TENANT
admin_user = USER
admin_password = PASSWORD
auth_host = IP
auth_port = 35357
auth_protocol = http
auth_uri = http://IP:5000/v2.0
admin_token = TOKEN

[ec2authtoken]
auth_uri http://IP:5000/v2.0

[paste_deploy]
api_paste_config=api-paste.ini
flavor = keystone

api-paste.ini

[pipeline:heat-api]
pipeline = versionnegotiation authurl authtoken context apiv1app
[pipeline:heat-api-keystone]
pipeline = versionnegotiation authurl authtoken context apiv1app
[pipeline:heat-api-cfn]
pipeline = cfnversionnegotiation ec2authtoken authtoken context apicfnv1app
[pipeline:heat-api-cfn-standalone]
pipeline = cfnversionnegotiation ec2authtoken context apicfnv1app
[app:apicwapp]
paste.app_factory = heat.common.wsgi:app_factory
heat.app_factory = heat.api.cloudwatch:API
[app:apicfnv1app]
paste.app_factory = heat.common.wsgi:app_factory
heat.app_factory = heat.api.cfn.v1:API
[filter:cfnversionnegotiation]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.cfn:version_negotiation_filter
[filter:ec2authtoken]
paste.filter_factory = heat.api.aws.ec2token:EC2Token_filter_factory
[pipeline:heat-api-cloudwatch]
pipeline = versionnegotiation ec2authtoken authtoken context apicwapp
[pipeline:heat-api-cloudwatch-standalone]
pipeline = versionnegotiation ec2authtoken context apicwapp
[pipeline:heat-api-cfn-keystone]
pipeline = versionnegotiation authurl authtoken context apiv1app
[pipeline:heat-api-cloudwatch-keystone]
pipeline = versionnegotiation authurl authtoken context apiv1app
[pipeline:heat-api-custombackend]
pipeline = versionnegotiation context custombackendauth apiv1app
[pipeline:heat-api-caching]
pipeline = versionnegotiation authurl authtoken context cache apiv1app
[pipeline:heat-api-keystone+caching]
pipeline = versionnegotiation authurl authtoken context cache apiv1app
[pipeline:heat-api-cachemanagement]
pipeline = versionnegotiation authurl authtoken context cache cachemanage apiv1app
[pipeline:heat-api-keystone+cachemanagement]
pipeline = versionnegotiation auth-context cache cachemanage apiv1app
[app:apiv1app]
paste.app_factory = heat.common.wsgi:app_factory
heat.app_factory = heat.api.openstack.v1:API
[filter:versionnegotiation]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.openstack:version_negotiation_filter
[filter:cache]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.middleware.cache:CacheFilter
[filter:cachemanage]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = heat.api.middleware.cache_manage:CacheManageFilter
[filter:context]
paste.filter_factory = heat.common.context:ContextMiddleware_filter_factory
[filter:authurl]
paste.filter_factory = heat.common.auth_url:filter_factory
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
[filter:auth-context]
paste.filter_factory = heat.common.wsgi:filter_factory
heat.filter_factory = keystone.middleware.heat_auth_token:KeystoneContextMiddleware
[filter:custombackendauth]
paste.filter_factory = heat.common.custom_backend_auth:filter_factory

David Hill (david-hill-ubisoft) wrote :

Perhaps: https://bugs.launchpad.net/keystone/+bug/1313458

I still don't get the catalog but this solves my heat issue!

Lance Bragstad (lbragstad) wrote :

David,

Could you post the curl request if you haven't already?

Changed in keystone:
milestone: none → juno-rc1
Dolph Mathews (dolph) wrote :

David: are you using the KVS or templated catalog backend (instead of SQL)?

tags: added: icehouse-backport-potential
removed: hava icehouse
Changed in keystone:
status: New → Incomplete
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → High
Dolph Mathews (dolph)
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Adam Young (ayoung) wrote :

There are two cases where you will not get back a service catalog.

1. You are using the SERVICE_TOKEN. The error you specify above (None Type...) is one of the indicators that you have this problem.

2. The user does not have a default project. You will get back an unscoped token, and no service catalog. While there is a bug fix to keystoneclient that attempts to work around the problem by allowing the enumeration of projects with an unscoped token, this is quite possible to do today talking to Keystone. The issue is that you need to know what URI to append to the AUTH_URL in order to enumerate projects. Once you know the project, you can request a token scoped to that project and you will get a service catalog.
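
The unscoped and scoped outcomes described in the comment above, together with the case from the logged response (project scope present but `"catalog": {}`), as an added example that is not part of the bug thread or of Keystone's code. It builds Keystone v3 `POST /v3/auth/tokens` request bodies with and without a project scope and classifies token responses; the sample responses, placeholder IDs and function names are constructed for illustration.

```python
import json

# Constructed samples; IDs and URLs are placeholders, not values from the report.
SCOPED_EMPTY = json.loads("""{"token": {"methods": ["token"],
  "project": {"id": "PROJECT_ID", "name": "monitoring", "domain": {"id": "default"}},
  "catalog": {}, "user": {"id": "USER_ID", "name": "monitoring"}}}""")
UNSCOPED = {"token": {"methods": ["password"],
                      "user": {"id": "USER_ID", "name": "monitoring"}}}
SCOPED_OK = {"token": {"methods": ["password"], "project": {"id": "PROJECT_ID"},
                       "catalog": [{"type": "image", "endpoints": [
                           {"interface": "public", "region": "RegionOne",
                            "url": "http://IP:9292/"}]}]}}


def build_auth_request(user, password, user_domain_id="default", project_id=None):
    """Body for POST /v3/auth/tokens; a scope asks for a project-scoped token."""
    auth = {"identity": {"methods": ["password"], "password": {"user": {
        "name": user, "domain": {"id": user_domain_id}, "password": password}}}}
    if project_id is not None:
        auth["scope"] = {"project": {"id": project_id}}
    return {"auth": auth}


def classify_token(body):
    """Say why a v3 token response does or does not carry a usable catalog."""
    token = body.get("token") if isinstance(body, dict) else None
    if not isinstance(token, dict):
        return "not-a-v3-token"
    if "project" not in token and "domain" not in token:
        return "unscoped"              # no scope: no catalog is expected
    if not token.get("catalog"):       # missing, {} or [] all count as empty
        return "scoped-empty-catalog"  # scope is present; check the catalog itself
    return "scoped-with-catalog"


def endpoint_for(body, service_type, interface="public"):
    """Return the first matching endpoint URL from a v3 catalog, else None."""
    catalog = body.get("token", {}).get("catalog")
    if not isinstance(catalog, list):  # {} as in the logged response
        return None
    for service in catalog:
        if service.get("type") == service_type:
            for ep in service.get("endpoints", []):
                if ep.get("interface") == interface:
                    return ep.get("url")
    return None
```
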

Dolph Mathews (dolph)
tags: removed: bug
Changed in keystone:
milestone: juno-rc1 → none
Changed in keystone:
assignee: Adam Young (ayoung) → nobody
Launchpad Janitor (janitor) wrote :

[Expired for Keystone because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired