Mirantis OpenStack

Admin user has no role in Keystone Default domain

  1. Series 10.0.x
  2. Bug #1584143
Bug #1584143 reported by Paul Karikh
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Mirantis OpenStack
Status tracked in 10.0.x
10.0.x
Fix Committed
High
Max Yatsenko
Mirantis OpenStack 10.0
9.x
Fix Released
High
Max Yatsenko
Mirantis OpenStack 9.0

Bug Description

In MOS 9.0 admin user has no roles in Default domain. Thus Keystone responds 401 on requests from admin user to list domains.

When user tries to login into Horozion with enabled multidomain support, Horizon writes into log the following error:
2016-05-24 10:26:51,368 28035 DEBUG openstack_auth.backend Error getting domain scoped token.
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/openstack_auth/backend.py", line 144, in authenticate
    domain_auth_ref = domain_auth.get_access(session)
  File "/usr/lib/python2.7/dist-packages/keystoneauth1/identity/base.py", line 136, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/lib/python2.7/dist-packages/keystoneauth1/identity/v3/base.py", line 167, in get_auth_ref
    authenticated=False, log=False, **rkwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneauth1/session.py", line 572, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/dist-packages/positional/__init__.py", line 94, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneauth1/session.py", line 467, in request
    raise exceptions.from_response(resp, method, url)
Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-5199d8be-3e40-4997-8df0-321e868526b5)

And Domains panel is missin in horizon.

If I go to controller and run `role list` command, I'll get empty list.

root@node-1:~# openstack role list --domain Default --user admin

But after I add role to admin into Default domain like this:

root@node-1:~# openstack role add --domain Default --user admin admin
root@node-1:~# openstack role list --domain Default --user admin
+----------------------------------+-------+---------+-------+
| ID | Name | Domain | User |
+----------------------------------+-------+---------+-------+
| 175fbc08b8c44836a779f595f2ff176d | admin | Default | admin |
+----------------------------------+-------+---------+-------+

Domains panel appears in Horizon and error dissapears from the Horizon logs.

According to Alexander Makarov it is not correct behaviour and looks like misconfiguration.

ISO #390.

See original description
Tags: need-info
Paul Karikh (pkarikh)
description: updated
description: updated
Revision history for this message
Bug Checker Bot (bug-checker) wrote : Autochecker

(This check performed automatically)
Please, make sure that bug description contains the following sections filled in with the appropriate data related to the bug you are describing:

actual result

version

expected result

steps to reproduce

For more detailed information on the contents of each of the listed sections see https://wiki.openstack.org/wiki/Fuel/How_to_contribute#Here_is_how_you_file_a_bug

tags: added: need-info
Revision history for this message
Alexander Makarov (amakarov) wrote :

I think these are 2 different bugs: role in domain and endpoints.

Revision history for this message
Paul Karikh (pkarikh) wrote :

Setting it as ivalid since it was reproduced on very old 305 build and related Horizon bug is not reproduced in actual 372 build.

Changed in mos:
status: New → Invalid
Paul Karikh (pkarikh)
description: updated
description: updated
Revision history for this message
Paul Karikh (pkarikh) wrote :

Still reproducible on ISO #390.

Changed in mos:
status: Invalid → New
Revision history for this message
Alexander Tivelkov (ativelkov) wrote :

Seems like this may be affecting murano and may be the reason for bug https://bugs.launchpad.net/mos/+bug/1580574

Paul Karikh (pkarikh)
Changed in mos:
assignee: nobody → Max Yatsenko (myatsenko)
importance: Undecided → High
Revision history for this message
Max Yatsenko (myatsenko) wrote :

@Alexander Makarov
@Boris Bobrov

after deployment (MOS9.0) when we have enabled "domain_specific_drivers_enabled" param in keystone (for exmaple when ldap_plugin is installed)
we have the following roles:

root@node-1:~# OS_IDENTITY_API_VERSION=3 OS_AUTH_URL='http://192.168.0.2:5000/v3' openstack role list
+----------------------------------+-----------------+
| ID | Name |
 +----------------------------------+-----------------+
| 12cfa271d7914014bc237d5d7dbc6d9b | admin |
| 188829730a474a6fad6e347cac139d50 | heat_stack_user |
| 1bced52d54d24d87a3b29de93345d36a | SwiftOperator |
| 9fe2ff9ee4384b1894a90878d3e92bab | ​_member_​ |
 +----------------------------------+-----------------+

we get the same roles when we run "role list" for "Default" domain:

root@node-1:~# OS_IDENTITY_API_VERSION=3 OS_AUTH_URL='http://192.168.0.2:5000/v3' openstack role list --domain Default
+----------------------------------+-----------------+
| ID | Name |
 +----------------------------------+-----------------+
| 12cfa271d7914014bc237d5d7dbc6d9b | admin |
| 188829730a474a6fad6e347cac139d50 | heat_stack_user |
| 1bced52d54d24d87a3b29de93345d36a | SwiftOperator |
| 9fe2ff9ee4384b1894a90878d3e92bab | ​_member_​ |
 +----------------------------------+-----------------+

if we want to get roles for "admin" user - we get empty output:

root@node-1:~# OS_IDENTITY_API_VERSION=3 OS_AUTH_URL='http://192.168.0.2:5000/v3' openstack role list --domain Default --user admin

after we add "admin" role for "admin" user:
root@node-1:~# OS_IDENTITY_API_VERSION=3 OS_AUTH_URL='http://192.168.0.2:5000/v3' openstack role add --domain Default --user admin admin

this command: root@node-1:~# OS_IDENTITY_API_VERSION=3 OS_AUTH_URL='http://192.168.0.2:5000/v3' openstack role list --domain Default --user admin

can output somethin like this:

+----------------------------------+-------+---------+-------+
| ID | Name | Domain | User |
 +----------------------------------+-------+---------+-------+
| 265a0072848247dfa9e0d10fee1de797 | admin | Default | admin |
 +----------------------------------+-------+---------+-------+

and after that we can see "Domains" in Horizon (after apache reboot)

but in MOS8.0 (we don't have such bug) when I run:
# OS_IDENTITY_API_VERSION=3 OS_AUTH_URL='http://192.168.0.6:5000/v3' openstack role list --domain Default --user admin

I get this message:
"Could not find resource admin"

but my expaction was that I should get a message somethin like that:

+----------------------------------+-------+---------+-------+
| ID | Name | Domain | User |
 +----------------------------------+-------+---------+-------+
| 265a0072848247dfa9e0d10fee1de797 | admin | Default | admin |
 +----------------------------------+-------+---------+-------+

and I have a question: if we don't have a such bug in MOS8.0 - why for "admin" user we don't have any output for the command:
 openstack role list --domain Default --user admin

and how keystone should be configured for MOS9.0?

Revision history for this message
Alexander Makarov (amakarov) wrote :

Is the bug still valid?

Revision history for this message
Alexander Makarov (amakarov) wrote :

We need and assignment:
user: admin
role: admin
domain: default

Revision history for this message
Ivan Berezovskiy (iberezovskiy) wrote :

https://review.openstack.org/#/c/324643/

Revision history for this message
Dina Belova (dbelova) wrote :

Cherry-pick to stable/mitaka https://review.openstack.org/#/c/324722/2

Revision history for this message
Dina Belova (dbelova) wrote :

Fixes ^^ were successfully merged to both master and mitaka branches

Kyrylo Romanenko (kromanenko)
tags: added: on-verification
Revision history for this message
Kyrylo Romanenko (kromanenko) wrote :

Verified on
cat /etc/fuel_build_id:
 465
cat /etc/fuel_build_number:
 465
cat /etc/fuel_release:
 9.0
cat /etc/fuel_openstack_version:
 mitaka-9.0
rpm -qa | egrep 'fuel|astute|network-checker|nailgun|packetary|shotgun':
 fuel-release-9.0.0-1.mos6349.noarch
 fuel-misc-9.0.0-1.mos8454.noarch
 python-packetary-9.0.0-1.mos140.noarch
 fuel-bootstrap-cli-9.0.0-1.mos285.noarch
 fuel-migrate-9.0.0-1.mos8454.noarch
 rubygem-astute-9.0.0-1.mos750.noarch
 fuel-mirror-9.0.0-1.mos140.noarch
 shotgun-9.0.0-1.mos90.noarch
 fuel-openstack-metadata-9.0.0-1.mos8742.noarch
 fuel-notify-9.0.0-1.mos8454.noarch
 nailgun-mcagents-9.0.0-1.mos750.noarch
 python-fuelclient-9.0.0-1.mos325.noarch
 fuel-9.0.0-1.mos6349.noarch
 fuel-utils-9.0.0-1.mos8454.noarch
 fuel-setup-9.0.0-1.mos6349.noarch
 fuel-provisioning-scripts-9.0.0-1.mos8742.noarch
 fuel-library9.0-9.0.0-1.mos8454.noarch
 network-checker-9.0.0-1.mos74.x86_64
 fuel-agent-9.0.0-1.mos285.noarch
 fuel-ui-9.0.0-1.mos2717.noarch
 fuel-ostf-9.0.0-1.mos935.noarch
 fuelmenu-9.0.0-1.mos274.noarch
 fuel-nailgun-9.0.0-1.mos8742.noarch

tags: removed: on-verification
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.