No support for Keystone v3

Bug #1563011 reported by Mohammad Banikazemi
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Fuxi | Fix Released | Undecided | hongbin |
kuryr | Fix Released | Critical | Antoni Segura Puimedon |

Bug Description

Currently only Keystone v2 is supported. With the move to v3, we need to add this support.

Changed in kuryr:
importance: Undecided → High
Hui Kang (huikang27)
Changed in kuryr:
assignee: nobody → Hui Kang (huikang27)
Hui Kang (huikang27) wrote :

kuryr uses python-neutronclient to connect to the neutron endpoint. It depends on python-neutronclient. However, support for keystone v3 does not seem to be available in python-neutronclient as of now. Actually, support for keystone v3 is targeted for Newton [1].

Any comment? - Hui

[1] https://blueprints.launchpad.net/neutron/+spec/keystone-v3

Fawad Khaliq (fawadkhaliq) wrote :

You could work around this by passing along the token to the neutron client. We could add the support for v3 by generating the token in Kuryr until the neutron client supports it.

Changed in kuryr:
assignee: Hui Kang (huikang27) → Fawad Khaliq (fawadkhaliq)
Fawad Khaliq (fawadkhaliq) wrote :

I can help with the fix

Hui Kang (huikang27) wrote :

Sounds great. Thanks, Fawad.
Let me rephrase the solution a bit to make sure I understand you correctly.

The kuryr configuration file generated from Kolla ansible [1] task will be something like

    [binding]
    admin_user = admin
    admin_tenant_name = admin
    admin_password = keystone_admin_password

    #DEPRECATED, we will not use token for kuryr
    admin_token =

    auth_uri = https://192.168.10.101:35357/v3

--------------- END OF FILE ------------

This patch will identify that this is a v3 auth type. However, this patch will generate the token from the admin_user and admin_password.

However, how can you authenticate with keystone because this token is not issued by keystone? Keystone has no knowledge about the token generated by kuryr.

[1] https://review.openstack.org/#/c/298894/10/ansible/roles/kuryr/templates/kuryr.conf.j2
- Hui
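
An added example, not part of the original thread or of kuryr's code: with password credentials the token is requested from Keystone itself, and the request differs between the v2.0 and v3 identity APIs. The sketch below builds either request from the [binding] section quoted above; `build_token_request` and the `default` domain id are assumptions, since the quoted config names no domain.

```python
import configparser
import json
from urllib.parse import urlsplit

# Constructed sample mirroring the [binding] section quoted in the thread.
SAMPLE_CONF = """
[binding]
admin_user = admin
admin_tenant_name = admin
admin_password = keystone_admin_password
admin_token =
auth_uri = https://192.168.10.101:35357/v3
"""


def build_token_request(conf_text, domain_id="default"):
    """Return (url, json_body) for a password-based Keystone token request.

    domain_id is an assumption: v3 requires a domain for the user and the
    project, and the quoted config does not carry one.
    """
    cp = configparser.ConfigParser(interpolation=None)  # '%' is legal in passwords
    cp.read_string(conf_text)
    b = cp["binding"]
    uri = b["auth_uri"].rstrip("/")
    parts = urlsplit(uri)
    if parts.scheme != "https":
        # The body carries the admin password; never send it in cleartext.
        raise ValueError("auth_uri must use https")
    version = parts.path.rsplit("/", 1)[-1]
    user, tenant, pw = b["admin_user"], b["admin_tenant_name"], b["admin_password"]
    if version == "v3":
        # v3: POST /v3/auth/tokens; the token comes back in X-Subject-Token.
        domain = {"id": domain_id}
        body = {"auth": {
            "identity": {"methods": ["password"], "password": {"user": {
                "name": user, "domain": domain, "password": pw}}},
            "scope": {"project": {"name": tenant, "domain": domain}}}}
        return uri + "/auth/tokens", json.dumps(body)
    if version == "v2.0":
        # v2.0: POST /v2.0/tokens; the token comes back in access.token.id.
        body = {"auth": {"tenantName": tenant, "passwordCredentials": {
            "username": user, "password": pw}}}
        return uri + "/tokens", json.dumps(body)
    raise ValueError("unsupported identity API version: %r" % version)
```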

Hui Kang (huikang27) wrote :

Could anyone add keystone v3 in kuryr?

Here is the doc about how to use keystone v3 client
https://review.openstack.org/#/c/330722/

Once this is done, I can test it with Kolla.

Changed in kuryr:
status: New → In Progress
Mohammad Banikazemi (mb-s) wrote :

ping @fawadkhaliq. Hi Fawad, do you have a timeline for this fix? Thanks.

Fawad Khaliq (fawadkhaliq) wrote :

Hi Mohammad, I am on vacation this week. Will push a working patch sometime next week as soon as I get back. Thanks!

Fawad Khaliq (fawadkhaliq) wrote :

Do we need to keep the v2.0 (deprecated) support in as well?

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kuryr (master)

Fix proposed to branch: master
Review: https://review.openstack.org/346507

Mohammad Banikazemi (mb-s) wrote :

I think it's best to keep v2 as it is already in our code. We can drop it when it's marked as obsolete.

Antoni Segura Puimedon (celebdor) wrote :

We will fix this by following the example set by Nova and Neutron:

    https://github.com/openstack/neutron/blob/master/neutron/common/config.py#L22
    https://github.com/openstack/nova/blob/master/nova/conf/neutron.py#L19

And the keystoneauth migration guide:

    http://docs.openstack.org/developer/keystoneauth/migrating.html

This way we will transparently support both keystone v2 and v3.

Changed in kuryr:
assignee: Fawad Khaliq (fawadkhaliq) → Antoni Segura Puimedon (celebdor)
importance: High → Critical
OpenStack Infra (hudson-openstack) wrote : Fix merged to kuryr (master)

Reviewed: https://review.openstack.org/316320
Committed: https://git.openstack.org/cgit/openstack/kuryr/commit/?id=632fda4c323a4d5d43134063ff0512f057d128de
Submitter: Jenkins
Branch: master

commit 632fda4c323a4d5d43134063ff0512f057d128de
Author: Antoni Segura Puimedon <email address hidden>
Date: Mon Sep 5 15:22:04 2016 +0200

    auth: use keystoneauth1 for neutron access

    This patch moves, as was discussed in the weekly IRC meeting,
    [keystone] and [neutron] options, that were just for talking to
    Neutron, inside [neutron].

    The new organization is consistent with how Nova talks to Neutron
    and how Neutron notifies nova. In doing so, we also reduce our codebase
    since we can leverage the nice things offered by keystoneauth1.

    Closes-bug: #1563011
    Change-Id: Ia56b22963f5a2130a722403a14ee1a233ac6cff9
    Signed-off-by: Antoni Segura Puimedon <email address hidden>

Changed in kuryr:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Change abandoned on kuryr (master)

Change abandoned by Antoni Segura Puimedon (<email address hidden>) on branch: master
Review: https://review.openstack.org/346507
Reason: Was merged in a slightly different approach (that was helped by this patch).

hongbin (hongbin034)
Changed in fuxi:
assignee: nobody → hongbin (hongbin034)
Changed in fuxi:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuxi (master)

Reviewed: https://review.openstack.org/410403
Committed: https://git.openstack.org/cgit/openstack/fuxi/commit/?id=af24f14be5581bbaa4cd737330bb2cbcc49a9908
Submitter: Jenkins
Branch: master

commit af24f14be5581bbaa4cd737330bb2cbcc49a9908
Author: Hongbin Lu <email address hidden>
Date: Sun Dec 25 12:19:37 2016 -0600

    Use keystoneauth1 for cinder access

    The goal is to add support for keystone v3, while still maintaining
    backward-compatibility. In particular, it did the following:
    * Use keystoneauth1 for keystone authentication
    * Deprecate the usage of keystoneclient.auth, which is the legacy
      way of doing authentication. It seems to support keystone v2
      only, which causes the problem.
    * Introduce new auth session in config file.
    * Deprecate old auth session in config file.

    Closes-Bug: #1563011
    Change-Id: Ia80b4377eda6314ad8e6287cb65eb2842f972b8b

Changed in fuxi:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuxi (master)

Fix proposed to branch: master
Review: https://review.openstack.org/419224

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuxi (master)

Reviewed: https://review.openstack.org/419224
Committed: https://git.openstack.org/cgit/openstack/fuxi/commit/?id=2e4d581f0fe6c08f7d604ffd8020e3760d1dabd0
Submitter: Jenkins
Branch: master

commit 2e4d581f0fe6c08f7d604ffd8020e3760d1dabd0
Author: drngsl <email address hidden>
Date: Wed Jan 11 20:02:19 2017 -0500

    Provide Keystone session for Nova with its own group

    For group keystone (Keystone V2) will be deprecated,
    I think it should not get the keystone session from group Cinder,
    so this patch adds a Nova conf group and gets the keystone session
    with the nova group.

    Change-Id: I4a7c0f32aa0798d263f80093f64761ea4e2e8ef5
    Closes-Bug: #1563011
