heat failing when using trusted user

Bug #1628353 reported by Martin Matyáš
Affects | Status | Importance | Assigned to | Milestone
kolla | Fix Released | Critical | Martin Matyáš |
Liberty | Won't Fix | Undecided | Unassigned |
Mitaka | Won't Fix | Undecided | Unassigned |

Bug Description

When using heat's trusted user, heat reports an error and does not authenticate the trusted user correctly. Example: magnum deployment/usage.

Error logs - heat-engine.log:
ERROR heat.engine.resource [req-bea8a6ff-e5f1-4fad-93b7-4db698ba0c87 - 49138cae8da64c1ba1a2eb74497f4fe8 - - -] Resource type OS::Cinder::Volume unavailable
ERROR heat.engine.resource Traceback (most recent call last):
ERROR heat.engine.resource File "/var/lib/kolla/venv/lib/python2.7/site-packages/heat/engine/resource.py", line 184, in _validate_service_availability
ERROR heat.engine.resource (svc_available, reason) = cls.is_service_available(context)
ERROR heat.engine.resource File "/var/lib/kolla/venv/lib/python2.7/site-packages/heat/engine/resource.py", line 694, in is_service_available
ERROR heat.engine.resource service_name=cls.default_client_name)
ERROR heat.engine.resource File "/var/lib/kolla/venv/lib/python2.7/site-packages/heat/engine/clients/client_plugin.py", line 172, in does_endpoint_exist
ERROR heat.engine.resource endpoint_type=endpoint_type)
ERROR heat.engine.resource File "/var/lib/kolla/venv/lib/python2.7/site-packages/heat/engine/clients/client_plugin.py", line 96, in url_for
ERROR heat.engine.resource keystone_session = self.context.keystone_session
ERROR heat.engine.resource File "/var/lib/kolla/venv/lib/python2.7/site-packages/heat/common/context.py", line 149, in keystone_session
ERROR heat.engine.resource if self.auth_needs_refresh():
ERROR heat.engine.resource File "/var/lib/kolla/venv/lib/python2.7/site-packages/heat/common/context.py", line 162, in auth_needs_refresh
ERROR heat.engine.resource auth_ref = self.auth_plugin.get_auth_ref(self._keystone_session)
ERROR heat.engine.resource File "/var/lib/kolla/venv/lib/python2.7/site-packages/keystoneauth1/identity/generic/base.py", line 181, in get_auth_ref
ERROR heat.engine.resource return self._plugin.get_auth_ref(session, **kwargs)
ERROR heat.engine.resource File "/var/lib/kolla/venv/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py", line 137, in get_auth_ref
ERROR heat.engine.resource 'Authentication cannot be scoped to multiple targets. Pick '
ERROR heat.engine.resource AuthorizationFailure: Authentication cannot be scoped to multiple targets. Pick one of: project, domain, trust or unscoped
ERROR heat.engine.resource

This is caused by wrong heat trustee configuration in kolla's heat template. References:
https://ask.openstack.org/en/question/85499/problem-authentication-cannot-be-scoped-to-multiple-targets/
https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=5a3618d4f51a64cc9ef16d9365aa7190b3f5914e
https://github.com/openstack/heat/blob/dd707bc997715365dc76a3decea7b4f8d658375f/devstack/lib/heat#L171-L179

project_domain_id and project_name should be removed from ansible/roles/heat/templates/heat.conf.j2

Workaround:
Before kolla deployment, create /etc/kolla/config/heat.conf:
[trustee]
project_domain_id =
project_name =
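
A pre-deployment check for the misconfiguration described above, as an added example that is not part of the original bug report or of kolla or heat. It models the rule in the error message (only one scope target may be set), relying on heat adding the trust scope itself when it authenticates as the trustee; the function name, the option groupings and both sample configs are constructed for illustration.

```python
import configparser

# Scope-selecting option names (keystoneauth-style; the grouping is this example's assumption).
PROJECT_OPTS = ("project_id", "project_name")
DOMAIN_OPTS = ("domain_id", "domain_name")
# Qualifies a project scope only; the bug report removes it from [trustee] as well.
PROJECT_QUALIFIERS = ("project_domain_id", "project_domain_name")

# Constructed sample: a rendered [trustee] section carrying the two options the report names.
BROKEN = """[trustee]
auth_type = password
user_domain_id = default
project_domain_id = default
project_name = service
"""
# Constructed sample: the merged result once the workaround override blanks both options.
WORKAROUND = """[trustee]
auth_type = password
user_domain_id = default
project_domain_id =
project_name =
"""


def trustee_scope_report(conf_text):
    """Return (scope_targets, offending_options) for the [trustee] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    # "trust" is always a target: heat requests a trust-scoped token as the trustee.
    targets, offending = ["trust"], []
    if not parser.has_section("trustee"):
        return targets, offending
    section = parser["trustee"]

    def set_opts(names):
        # An empty value ("project_name =") counts as unset, as in the workaround.
        return [n for n in names if section.get(n, "").strip()]

    for target, names in (("project", PROJECT_OPTS), ("domain", DOMAIN_OPTS)):
        found = set_opts(names)
        if found:
            targets.append(target)  # a second target triggers the scoping error
            offending.extend(found)
    offending.extend(set_opts(PROJECT_QUALIFIERS))
    return targets, offending


if __name__ == "__main__":
    print(trustee_scope_report(BROKEN), trustee_scope_report(WORKAROUND))
```

More than one entry in the first list means the section would hit "Authentication cannot be scoped to multiple targets"; the second list names the options to remove or blank.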

Changed in kolla:
milestone: none → newton-rc2
assignee: nobody → Martin Matyáš (martinx-maty)
Duong Ha-Quang (duonghq)
Changed in kolla:
importance: Undecided → Critical
Changed in kolla:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (master)

Fix proposed to branch: master
Review: https://review.openstack.org/378221

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (master)

Reviewed: https://review.openstack.org/378221
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=57ba2cd22f5b0ff1c38d0ec3ffdc8ab83b788ba2
Submitter: Jenkins
Branch: master

commit 57ba2cd22f5b0ff1c38d0ec3ffdc8ab83b788ba2
Author: Martin Matyáš <email address hidden>
Date: Tue Sep 27 20:54:43 2016 -0700

    Fix wrong heat trustee configuration

    "project_domain_id" and "project_name"
    cannot be specified in the [trustee] section or keystone will throw a
    "cannot be scoped to multiple targets" error when we attempt to get
    a token scoped to a trust.

    Change-Id: I167c0e31835d05b8069fd931ef76fb337dd99207
    Closes-Bug: #1628353

Changed in kolla:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla 3.0.0.0rc2

This issue was fixed in the openstack/kolla 3.0.0.0rc2 release candidate.
