1044, \"Access denied for user 'root'@'%' to database 'keystone'\")

Bug #1794422 reported by men
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
kolla-ansible | Invalid | Undecided | Unassigned |

Bug Description

TASK [keystone : Creating Keystone database user and setting permissions] *************************************************************
task path: /usr/share/kolla-ansible/ansible/roles/keystone/tasks/bootstrap.yml:17
<kolla1> ESTABLISH SSH CONNECTION FOR USER: None
<kolla1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/65b28576c9 kolla1 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<kolla1> (0, '/root\n', '')
<kolla1> ESTABLISH SSH CONNECTION FOR USER: None
<kolla1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/65b28576c9 kolla1 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1537944350.87-251408941978436 `" && echo ansible-tmp-1537944350.87-251408941978436="` echo /root/.ansible/tmp/ansible-tmp-1537944350.87-251408941978436 `" ) && sleep 0'"'"''
<kolla1> (0, 'ansible-tmp-1537944350.87-251408941978436=/root/.ansible/tmp/ansible-tmp-1537944350.87-251408941978436\n', '')
Using module file /usr/share/kolla-ansible/ansible/library/kolla_toolbox.py
<kolla1> PUT /root/.ansible/tmp/ansible-local-27146swXZjx/tmpps7Xsy TO /root/.ansible/tmp/ansible-tmp-1537944350.87-251408941978436/kolla_toolbox.py
<kolla1> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/65b28576c9 '[kolla1]'
<kolla1> (0, 'sftp> put /root/.ansible/tmp/ansible-local-27146swXZjx/tmpps7Xsy /root/.ansible/tmp/ansible-tmp-1537944350.87-251408941978436/kolla_toolbox.py\n', '')
<kolla1> ESTABLISH SSH CONNECTION FOR USER: None
<kolla1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/65b28576c9 kolla1 '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1537944350.87-251408941978436/ /root/.ansible/tmp/ansible-tmp-1537944350.87-251408941978436/kolla_toolbox.py && sleep 0'"'"''
<kolla1> (0, '', '')
<kolla1> ESTABLISH SSH CONNECTION FOR USER: None
<kolla1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/65b28576c9 -tt kolla1 '/bin/sh -c '"'"'/usr/bin/python /root/.ansible/tmp/ansible-tmp-1537944350.87-251408941978436/kolla_toolbox.py && sleep 0'"'"''
<kolla1> (0, '\r\n{"msg": "(1044, \\"Access denied for user \'root\'@\'%\' to database \'keystone\'\\")", "failed": true, "changed": false, "invocation": {"module_args": {"module_name": "mysql_user", "module_extra_vars": null, "api_version": "auto", "module_args": {"login_port": "3306", "name": "keystone", "login_user": "root", "login_host": "10.49.252.70", "append_privs": "yes", "host": "%", "login_password": "abc@123", "password": "RsWmvtMU6EYigwT3MBQX88IJ8gl4qahJRqRtoaun", "priv": "keystone.*:ALL"}}}}\r\n', 'Shared connection to kolla1 closed.\r\n')
<kolla1> ESTABLISH SSH CONNECTION FOR USER: None
<kolla1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/65b28576c9 kolla1 '/bin/sh -c '"'"'rm -f -r /root/.ansible/tmp/ansible-tmp-1537944350.87-251408941978436/ > /dev/null 2>&1 && sleep 0'"'"''
<kolla1> (0, '', '')
fatal: [kolla1 -> kolla1]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "api_version": "auto",
            "module_args": {
                "append_privs": "yes",
                "host": "%",
                "login_host": "10.49.252.70",
                "login_password": "abc@123",
                "login_port": "3306",
                "login_user": "root",
                "name": "keystone",
                "password": "RsWmvtMU6EYigwT3MBQX88IJ8gl4qahJRqRtoaun",
                "priv": "keystone.*:ALL"
            },
            "module_extra_vars": null,
            "module_name": "mysql_user"
        }
    },
    "msg": "(1044, \"Access denied for user 'root'@'%' to database 'keystone'\")"
}

NO MORE HOSTS LEFT *****************************************************************
 to retry, use: --limit @/usr/share/kolla-ansible/ansible/site.retry

PLAY RECAP *********************************************************************************
kolla1 : ok=52 changed=0 unreachable=0 failed=1
kolla2 : ok=41 changed=0 unreachable=0 failed=0
kolla3 : ok=39 changed=0 unreachable=0 failed=0
localhost : ok=1 changed=0 unreachable=0 failed=0

openstack:queens
[root@kolla1 ~]# pip list |grep kolla
kolla-ansible 6.1.1.dev7

For example: kolla3=mariadb service

[mariadb:children] Change [mariadb]
[root@kolla1 ~]# egrep -v "^#|^$" multinode
[control]
kolla1
kolla2
kolla3
[network]
kolla1
[inner-compute]
[external-compute]
kolla2
............
[mariadb]
kolla3

Increase the following parameters
/etc/kolla/globals.yml
enable_external_mariadb_load_balancer: "yes"
use_preconfigured_databases: "no"
enable_mariadb: "no"

The database and user have been created but found out that this permission is incorrect?

Should this give permission:
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'RsWmvtMU6EYigwT3MBQX88IJ8gl4qahJRqRtoaun';

MariaDB [keystone]> show grants for keystone;
+---------------------------------------------------------------------------------------------------------+
| Grants for keystone@% |
+---------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'keystone'@'%' IDENTIFIED BY PASSWORD '*A3B000B3A06E2A89695AFDD0149F0F55C9901A09' |
+---------------------------------------------------------------------------------------------------------+

MariaDB [(none)]> select user,host,password from mysql.user;
+----------+-----------+-------------------------------------------+
| user | host | password |
+----------+-----------+-------------------------------------------+
| root | localhost | *FE1E37A7390CE06FF73D46CE034FE0C9A59A9681 |
| root | kolla3 | *FE1E37A7390CE06FF73D46CE034FE0C9A59A9681 |
| root | 127.0.0.1 | *FE1E37A7390CE06FF73D46CE034FE0C9A59A9681 |
| root | ::1 | *FE1E37A7390CE06FF73D46CE034FE0C9A59A9681 |
| root | % | *FE1E37A7390CE06FF73D46CE034FE0C9A59A9681 |
| keystone | % | *A3B000B3A06E2A89695AFDD0149F0F55C9901A09 |
+----------+-----------+-------------------------------------------+

Explain that the node cannot remotely log in to the mysql database as root? I don't quite understand how kolla accesses the database in this mode.
(1044, \"Access denied for user 'root'@'%' to database 'keystone'\")

Changed in kolla:
status: New → Incomplete
affects: kolla → kolla-ansible
Radosław Piliszek (yoctozepto) wrote:

In this case kolla-ansible tries to use `database_password` as the root password to create the `keystone` user by itself. If the keystone user is to be precreated, then the database must be too, and the variable value needs to be changed.

  # Whether to use pre-configured databases / users
  use_preconfigured_databases: "no"

Changed in kolla-ansible:
status: Incomplete → Invalid
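
An added example, not part of the report or of kolla-ansible: MySQL/MariaDB error 1044 is a privilege failure raised after login has succeeded, so a useful check on the external server is whether the account kolla-ansible logs in as can actually delegate `keystone.*:ALL`. The code below parses `SHOW GRANTS` text and answers that question. The function names and the sample grant rows (with `<hash>` placeholders) are constructed for illustration, and pattern-style database names and column-level privileges are not handled.

```python
import re

# One row of SHOW GRANTS output: GRANT <privs> ON <db>.<object> TO ...
GRANT_RE = re.compile(r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s", re.I)

def parse_grants(show_grants_text):
    """Return [(privileges, database, object, has_grant_option)] per grant row."""
    rows = []
    for raw in show_grants_text.splitlines():
        line = raw.strip().strip("|").strip()   # tolerate mysql client table borders
        m = GRANT_RE.match(line)
        if not m:
            continue                             # border, header or blank line
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        db, _, obj = m.group("scope").replace("`", "").partition(".")
        grant_opt = re.search(r"WITH\s+GRANT\s+OPTION", line, re.I) is not None
        rows.append((privs, db, obj, grant_opt))
    return rows

def can_delegate_all(rows, database):
    """True if some row lets the account run GRANT ALL ON <database>.* TO another user."""
    for privs, db, obj, grant_opt in rows:
        covers = obj == "*" and db in ("*", database)
        if covers and privs & {"ALL", "ALL PRIVILEGES"} and grant_opt:
            return True
    return False

# Constructed samples (not taken from the reporter's server).
ROOT_NO_GRANT_OPTION = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY PASSWORD '<hash>'"
ROOT_WITH_GRANT_OPTION = ROOT_NO_GRANT_OPTION + " WITH GRANT OPTION"
# Same shape as the keystone row shown in the report, hash replaced by a placeholder.
KEYSTONE_USAGE_ONLY = """
+------------------------------------------------------------------------+
| Grants for keystone@%                                                  |
+------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'keystone'@'%' IDENTIFIED BY PASSWORD '<hash>'   |
+------------------------------------------------------------------------+
"""

if __name__ == "__main__":
    for name, text in [("root, no grant option", ROOT_NO_GRANT_OPTION),
                       ("root, with grant option", ROOT_WITH_GRANT_OPTION),
                       ("keystone", KEYSTONE_USAGE_ONLY)]:
        print(name, "->", can_delegate_all(parse_grants(text), "keystone"))
```

Feed it the output of `SHOW GRANTS FOR 'root'@'%';` from the external MariaDB. A `False` result is consistent with the state shown in the report, where the `keystone` account exists but holds only `USAGE`.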