When trying to authenticate against https://192.168.24.2/keystone/v3/auth/tokens with CORS (the OPTIONS req), I get a 500 error. Inside the keystone container, the logs have this:
018-11-05 19:01:33.396 230 DEBUG keystone.common.rbac_enforcer.enforcer [req-def53dc3-9ac5-4470-9d21-7f737534dc90 f2ff68e4483344268c959e3dcf6b8b45 53568db657e445a49d40a25c4a7fdd42 - default default] RBAC: Policy Enforcement Cred Data `identity:validate_token creds(service_project_id=None, service_user_id=None, service_user_domain_id=None, service_project_domain_id=None, trustor_id=None, user_domain_id=default, domain_id=None, trust_id=None, project_domain_id=default, service_roles=[], group_ids=[], user_id=f2ff68e4483344268c959e3dcf6b8b45, roles=[u'member', u'reader', u'admin'], system_scope=None, trustee_id=None, domain_name=None, is_admin_project=True, token=*** (audit_id=RyLKr6cyRLC2p6oV5-52Cg, audit_chain_id=[u'RyLKr6cyRLC2p6oV5-52Cg']) at 0x7f371cf0dc50>, project_id=53568db657e445a49d40a25c4a7fdd42)` enforce_call /usr/lib/python2.7/site-packages/keystone/common/rbac_enforcer/enforcer.py:418
2018-11-05 19:01:33.396 230 DEBUG keystone.common.rbac_enforcer.enforcer [req-def53dc3-9ac5-4470-9d21-7f737534dc90 f2ff68e4483344268c959e3dcf6b8b45 53568db657e445a49d40a25c4a7fdd42 - default default] RBAC: Policy Enforcement Target Data `identity:validate_token => target(target.token.user.domain.id=default, target.token.user_id=5f351e642aa54a1abc20726ffe9bcc04)` enforce_call /usr/lib/python2.7/site-packages/keystone/common/rbac_enforcer/enforcer.py:426
2018-11-05 19:01:33.415 230 DEBUG keystone.common.rbac_enforcer.enforcer [req-def53dc3-9ac5-4470-9d21-7f737534dc90 f2ff68e4483344268c959e3dcf6b8b45 53568db657e445a49d40a25c4a7fdd42 - default default] RBAC: Authorization granted enforce_call /usr/lib/python2.7/site-packages/keystone/common/rbac_enforcer/enforcer.py:432
2018-11-05 19:01:33.425 230 ERROR keystone.assignment.core [req-def53dc3-9ac5-4470-9d21-7f737534dc90 f2ff68e4483344268c959e3dcf6b8b45 53568db657e445a49d40a25c4a7fdd42 - default default] Circular reference found role inference rules - 5be439ef59e949b28f7e38599a828374.
2018-11-05 19:01:33.433 230 ERROR keystone.assignment.core [req-def53dc3-9ac5-4470-9d21-7f737534dc90 f2ff68e4483344268c959e3dcf6b8b45 53568db657e445a49d40a25c4a7fdd42 - default default] Circular reference found role inference rules - 5be439ef59e949b28f7e38599a828374.
2018-11-05 19:01:33.447 230 ERROR keystone.assignment.core [req-def53dc3-9ac5-4470-9d21-7f737534dc90 f2ff68e4483344268c959e3dcf6b8b45 53568db657e445a49d40a25c4a7fdd42 - default default] Circular reference found role inference rules - 5be439ef59e949b28f7e38599a828374.
This is blocking the tripleo-ui because I can't log in. It's a brand new install using reproducer in RDO cloud. The deployment finished successfully.
<jrist> hi all. we've got a bug in tripleo that seems like it's keystone. does anyone have a moment to look? https:/ /bugs.launchpad .net/bugs/ 1801778
<openstack> Launchpad bug 1801778 in tripleo "Keystone circular reference on OPTIONS" [High,Triaged]
<lbragstad> jrist it's detecting a circular reference in your roles
<jrist> it sort of seemed like that. do you happen to have any insight on how we might go about fixing?
<jrist> I'm clueless.
<lbragstad> specifically, the role implication has a circular reference
<lbragstad> jrist you can query the implied role linkage using openstackclient
<lbragstad> `openstack implied role list` should give you that information, which you should be able to use to track down the circular reference
<lbragstad> biab
<jrist> thanks lbragstad