Default domain no longer lets keystone tenant-list work
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Morgan Fainberg |
Kilo | Won't Fix | Medium | Morgan Fainberg |
Liberty | Fix Released | Medium | Morgan Fainberg |
Bug Description
We recently upgraded from kilo.0 to kilo.2 in our dev environment and noticed that keystone tenant-list is always failing for the admin user.
Our config is as follows: the default domain is tied to read-only LDAP (AD), and a heat domain is created to use for trusts to handle the created heatstack users/passwords. Under kilo.0 everything was happy. Under kilo.2 we get the following error:
keystone tenant-list
The request you have made requires authentication. (HTTP 401) (Request-ID: req-d30289f0-
The main error message is:
2015-12-16 17:07:36.493 20386 WARNING keystone.
Looking at the differences between kilo.0 and kilo.2 it seems like: https:/
tags: added: kilo-backport-potential
description: updated
Changed in keystone:
assignee: nobody → Morgan Fainberg (mdrnstm)
status: New → In Progress
I reverted the above commit and restarted keystone. keystone tenant-list works correctly again.
Kilo.2 with the above referenced commit:
$ keystone tenant-list
Invalid OpenStack Identity credentials.
kilo.2 with that change reverted:
$ keystone tenant-list
+------
| id | name | enabled |
+------
All projects.
Change that I made:

    def filter_domain_id(ref):
        """Remove domain_id since v2 calls are not domain-aware."""
        ref.pop('domain_id', None)
        #if 'domain_id' in ref:
        #    if ref['domain_id'] != CONF.identity.default_domain_id:
        #        raise exception.Unauthorized(
        #            _('Non-default domain is not supported'))
        #    del ref['domain_id']
        return ref

We attempted to make sure that we set the default_domain_id to "default", which is the default, and we had the same unauthorized/invalid credentials error.
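
The two variants of filter_domain_id quoted in the report, run side by side over constructed refs. This is an added illustration, not keystone's code and not part of the original report; `v2_tenant_list`, the `Unauthorized` stand-in, `DEFAULT_DOMAIN_ID` and the sample refs are assumptions made for the example.

```python
# Added illustration. Only filter_domain_id, domain_id and default_domain_id
# come from the report; every other name and all sample data are assumptions.
DEFAULT_DOMAIN_ID = "default"  # stands in for CONF.identity.default_domain_id


class Unauthorized(Exception):
    """Stand-in for keystone's exception.Unauthorized (surfaces as HTTP 401)."""


def filter_domain_id_strict(ref):
    """Variant with the check active: reject refs outside the default domain."""
    if "domain_id" in ref:
        if ref["domain_id"] != DEFAULT_DOMAIN_ID:
            raise Unauthorized("Non-default domain is not supported")
        del ref["domain_id"]
    return ref


def filter_domain_id_reverted(ref):
    """Variant from the report: drop domain_id without checking it."""
    ref.pop("domain_id", None)
    return ref


def v2_tenant_list(refs, filter_fn):
    """Hypothetical v2 listing: filter each ref, map Unauthorized to a 401."""
    try:
        # Copy each ref so the caller's data is not mutated by the filter.
        return 200, [filter_fn(dict(r)) for r in refs]
    except Unauthorized as exc:
        return 401, str(exc)


# Constructed sample: one ref in the default domain, one in a second domain.
SAMPLE_REFS = [
    {"id": "p1", "name": "admin", "enabled": True, "domain_id": "default"},
    {"id": "p2", "name": "other", "enabled": True, "domain_id": "heat"},
]

if __name__ == "__main__":
    print(v2_tenant_list(SAMPLE_REFS, filter_domain_id_strict))
    print(v2_tenant_list(SAMPLE_REFS, filter_domain_id_reverted))
    print(v2_tenant_list(SAMPLE_REFS[:1], filter_domain_id_strict))
```

With the check active, a single ref from another domain fails the whole listing; with it commented out, the listing succeeds but the ref from the other domain is also returned through the domain-unaware v2 call.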