OpenStack Identity (keystone)

ec2tokens authentication is failing during Heat tests

Bug #1484086 reported by Thomas Herve on 2015-08-12

This bug affects 3 people

	Status	Importance	Assigned to	Milestone
OpenStack Heat	Fix Released	High	Thomas Herve	OpenStack Heat 5.0.0 "liberty"
Kilo	Fix Released	High	Unassigned	OpenStack Heat 2015.1.3
OpenStack Identity (keystone)	Invalid	Undecided	Unassigned

Bug Description

As seen here for example: http://logs.openstack.org/54/194054/37/check/gate-heat-dsvm-functional-orig-mysql/a812f55/

We're getting the error: "Non-default domain is not supported" which seems to have been introduced here: https://review.openstack.org/#/c/208069/

Tags:

Revision history for this message

Thomas Herve (therve) wrote on 2015-08-12:

From a preliminary study, it seems that as Heat uses ec2 auth for users in a specific domain, it doesn't work anymore on v2.0. Migrating to v3 seems to make the issue goes away, though the token format has changed so it needs to be taken into consideration.

Is the backward incompatible change expected? Is it protecting us from real issues?

Revision history for this message

Dolph Mathews (dolph) wrote on 2015-08-14:

It wasn't a backwards incompatible change so much as resolving an apparent regression. v2 clients are not domain aware as there are no domain references in v2, so the potential for namespace collisions (bug 1475762) would be severe.

Changed in keystone:
status:	New → Incomplete

Revision history for this message

Thomas Herve (therve) wrote on 2015-08-14:

While I don't disagree it fixes an issue, it certainly creates a big one for Heat. I think we can handle that for the next release, but that'd be nice to hold on backporting it until we have something that lands in Kilo.

OpenStack Infra (hudson-openstack) on 2015-08-18

Changed in heat:
assignee:	nobody → Thomas Herve (therve)
status:	New → In Progress

Steven Hardy (shardy) on 2015-08-18

Changed in heat:
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-08-18: Fix merged to heat (master)

Reviewed: https://review.openstack.org/212062
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=b36f4da1925f7be9e0eadb057753241450135364
Submitter: Jenkins
Branch: master

commit b36f4da1925f7be9e0eadb057753241450135364
Author: Thomas Herve <email address hidden>
Date: Wed Aug 12 16:18:11 2015 +0200

Revert failing tests and use v3 for ec2 tokens

Domain users are not supported anymore on v2, so we need to use v3 by
default when authenticating ec2 access.

Change-Id: Ia7ca08bca612b4555f6b4d9098cd7db6c540b1c4
Closes-Bug: #1484086

Changed in heat:
status:	In Progress → Fix Committed

Dolph Mathews (dolph) on 2015-08-24

tags:

added: kilo-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-08-24: Fix proposed to heat (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/216239

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-08-26: Fix merged to heat (stable/kilo)

Reviewed: https://review.openstack.org/216239
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=7454b7bac82e0fbf1ed39d0e70b09a253b88cec5
Submitter: Jenkins
Branch: stable/kilo

commit 7454b7bac82e0fbf1ed39d0e70b09a253b88cec5
Author: Thomas Herve <email address hidden>
Date: Wed Aug 12 16:18:11 2015 +0200

Revert failing tests and use v3 for ec2 tokens

Domain users are not supported anymore on v2, so we need to use v3 by
default when authenticating ec2 access.

Conflicts:

    - heat/api/aws/ec2token.py: The version discovery code in master was not
      present in stable/kilo, so only half of the fix to master applies to
      stable/kilo.

- heat_integrationtests/scenario/test_ceilometer_alarm.py: These tests
do not exist in stable/kilo.

    Change-Id: Ia7ca08bca612b4555f6b4d9098cd7db6c540b1c4
    Closes-Bug: #1484086
    (cherry picked from commit b36f4da1925f7be9e0eadb057753241450135364)

tags:

added: in-stable-kilo

Doug Hellmann (doug-hellmann) on 2015-09-03

Changed in heat:
milestone:	none → liberty-3
status:	Fix Committed → Fix Released

Angus Salkeld (asalkeld) on 2015-09-17

tags:

removed: in-stable-kilo kilo-backport-potential

Revision history for this message

Dolph Mathews (dolph) wrote on 2015-09-18:

Restored in-stable-kilo -- I assume you didn't meant to remove it?

tags:

added: in-stable-kilo

Thierry Carrez (ttx) on 2015-10-15

Changed in heat:
milestone:	liberty-3 → 5.0.0

Revision history for this message

Steve Martinelli (stevemar) wrote on 2016-03-02:

marking the keystone bit as invalid, since it seems this issue is fixed for heat.

Changed in keystone:
status:	Incomplete → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1482123

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.