Murano devstack is broken with identity-v3-only or tls-proxy enabled

Bug #1658648 reported by Dr. Jens Harbott
Affects: Murano
Status: Fix Released
Importance: Medium
Assigned to: zhurong

Bug Description

In order to reproduce, deploy devstack with this local.conf:

[[local|localrc]]
enable_plugin murano git://git.openstack.org/openstack/murano
ENABLE_IDENTITY_V2=False

The result is that other services work fine, but murano gives auth errors, both with OSC and the native client:

$ openstack environment list
The request you have made requires authentication. (HTTP 401)
$ murano package-list
The request you have made requires authentication. (HTTP 401)

In the keystone log one can see that murano still tries to validate the token it receives via the v2.0 identity endpoint, which no longer exists:

10.42.1.102 - - [23/Jan/2017:10:39:33 +0000] "GET /v3 HTTP/1.1" 200 254 "-" "python-keystoneclient" 10600(us)
10.42.1.102 - - [23/Jan/2017:10:39:33 +0000] "POST /v2.0/tokens HTTP/1.1" 404 93 "-" "murano/3.0.0.0rc2.dev367 keystonemiddleware.auth_token/4.14.0 keystoneauth1/2.18.0 python-requests/2.12.5 CPython/2.7.12" 1965(us)
10.42.1.102 - - [23/Jan/2017:10:39:33 +0000] "POST /v2.0/tokens HTTP/1.1" 404 93 "-" "murano/3.0.0.0rc2.dev367 keystonemiddleware.auth_token/4.14.0 keystoneauth1/2.18.0 python-requests/2.12.5 CPython/2.7.12" 2741(us)

This is probably related to the configuration in murano.conf using a very old way of setting up credentials; see this warning from murano-api.log:

2017-01-23 10:03:01.215 2825 WARNING keystonemiddleware.auth_token [-] AuthToken middleware is set with keystone_authtoken.service_token_roles_required set to False. This is backwards compatible but deprecated behaviour. Please set this to True.
2017-01-23 10:03:01.216 2825 WARNING keystonemiddleware.auth_token [-] Use of the auth_admin_prefix, auth_host, auth_port, auth_protocol, identity_uri, admin_token, admin_user, admin_password, and admin_tenant_name configuration options was deprecated in the Mitaka release in favor of an auth_plugin and its related options. This class may be removed in a future release.

A similar issue occurs if "enable_service tls_proxy" is being used in the devstack config.
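
A config check for the condition described in the report above, as an added example that is not part of the original report or of Murano's code: it flags the deprecated keystone_authtoken options named in the quoted warning, any option whose value points at a /v2.0 identity URL, and service_token_roles_required not being set to True. The sample configs, addresses and credentials are constructed, and the plugin-style option names (auth_type, auth_url, username, ...) are assumed from keystonemiddleware/keystoneauth rather than taken from this page.

```python
import configparser

# Option names copied from the keystonemiddleware warning quoted in the report.
DEPRECATED = frozenset((
    "auth_admin_prefix", "auth_host", "auth_port", "auth_protocol",
    "identity_uri", "admin_token", "admin_user", "admin_password",
    "admin_tenant_name"))

def audit_authtoken(conf_text, section="keystone_authtoken"):
    """Return sorted findings for one service config; values are never echoed."""
    # interpolation=None: secrets may contain '%'. strict=False: tolerate
    # repeated keys. Custom default_section: keep [DEFAULT] keys out of opts.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(conf_text)
    if not cp.has_section(section):
        return ["no [%s] section" % section]
    opts = dict(cp.items(section))
    findings = ["deprecated option: " + k for k in opts if k in DEPRECATED]
    findings += ["identity v2.0 URL in: " + k
                 for k, v in opts.items() if "/v2.0" in v]
    if opts.get("service_token_roles_required", "false").lower() != "true":
        findings.append("service_token_roles_required is not True")
    return sorted(findings)

# Constructed sample: old-style credentials of the kind the warning describes.
OLD_STYLE = """
[keystone_authtoken]
auth_uri = http://192.0.2.10:5000/v2.0
identity_uri = http://192.0.2.10:35357
admin_user = murano
admin_password = p%ss
admin_tenant_name = service
"""

# Constructed sample: auth-plugin style options.
PLUGIN_STYLE = """
[keystone_authtoken]
auth_type = password
auth_url = https://192.0.2.10/identity
username = murano
password = p%ss
project_name = service
user_domain_name = Default
project_domain_name = Default
service_token_roles_required = True
"""

if __name__ == "__main__":
    print(audit_authtoken(OLD_STYLE), audit_authtoken(PLUGIN_STYLE))
```

Findings name only the option, never its value, so the output can be pasted into a bug report without leaking admin_password or admin_token.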

Dr. Jens Harbott (j-harbott) wrote :

If I update the keystone_authtoken in murano.conf to match what I find in nova.conf, the murano api starts working.

I'll try to build a devstack patch that generates that config automatically.

Changed in murano:
assignee: nobody → Dr. Jens Rosenboom (j-rosenboom-j)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to murano (master)

Fix proposed to branch: master
Review: https://review.openstack.org/424132

description: updated
summary: - Murano devstack is broken with identity-v3-only
+ Murano devstack is broken with identity-v3-only or tls-proxy enabled
OpenStack Infra (hudson-openstack) wrote : Change abandoned on murano (master)

Change abandoned by Jens Rosenboom (<email address hidden>) on branch: master
Review: https://review.openstack.org/424132
Reason: So it looks like Murano actively refuses to work with non-deprecated stuff, pretty sad situation.

Changed in murano:
assignee: Dr. Jens Rosenboom (j-rosenboom-j) → nobody
status: In Progress → New
Felipe Monteiro (fm577c)
Changed in murano:
importance: Undecided → Medium
zhurong (zhu-rong)
Changed in murano:
assignee: nobody → zhurong (zhu-rong)
Changed in murano:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to murano (master)

Reviewed: https://review.openstack.org/450671
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=75b47bbabd876bca80a9c08e82112f0935bbbf5b
Submitter: Jenkins
Branch: master

commit 75b47bbabd876bca80a9c08e82112f0935bbbf5b
Author: zhurong <email address hidden>
Date: Tue Mar 28 17:19:08 2017 +0800

    Make murano auth with murano_auth section instead of keystone_authtoken

    This patch adds a murano_auth for murano auth with keystone.
    This gives ability to fine-tune role-based privileges for
    service-user going to execute trust-delegated tasks and the auth
    configuration properties do not need to change when keystonemiddleware
    deprecates its configuration properties.

    Closes-Bug: #1643583
    Closes-Bug: #1658648
    Change-Id: If10fa8c938c264c7b5cadb3c3ed77f39488dcab7

Changed in murano:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/murano 4.0.0.0b2

This issue was fixed in the openstack/murano 4.0.0.0b2 development milestone.
