Playbooks stop when enabling keystone ldap backend

Bug #1518351 reported by Bjoern
This bug affects 2 people
Affects            Status        Importance  Assigned to      Milestone
OpenStack-Ansible  Fix Released  Medium      Kevin Carter
  Kilo             Fix Released  Medium      Jesse Pretorius
  Liberty          Fix Released  Medium      Jesse Pretorius
  Trunk            Fix Released  Medium      Kevin Carter

Bug Description

When enabling LDAP, the playbooks stop due to the read-only nature of the LDAP setup.
Ideally we would skip those tasks, assuming the service users have already been created inside LDAP.

TASK: [os_keystone | Ensure Admin user] ***************************************

Result from run 1 is: {'msg': 'OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: auto-mux: Trying existing master
debug1: mux_client_request_session: master session id: 2
Traceback (most recent call last):
  File "<stdin>", line 2895, in <module>
  File "<stdin>", line 1284, in main
  File "<stdin>", line 460, in command_router
  File "<stdin>", line 720, in ensure_user
  File "<stdin>", line 660, in _get_user
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/v3/users.py", line 108, in list
    **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 73, in func
    return f(*args, **new_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 361, in list
    self.collection_key)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 113, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 170, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 206, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 95, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/session.py", line 397, in request
    raise exceptions.from_response(resp, method, url)
keystoneclient.openstack.common.apiclient.exceptions.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-b1e36888-0d67-4614-b4ee-c46d71fc9f0e)
', 'failed': True, 'attempts': 1, 'parsed': False}

Revision history for this message
Ian Cordasco (icordasc) wrote :

Probably a stupid question: When using LDAP is it always read-only or is it plausible that Keystone might be able to create users (like an Admin user)?

Revision history for this message
Ian Cordasco (icordasc) wrote :

Also, the 401 indicates not that it failed to add the user, but that the playbook failed to authenticate as a user at all. Is there a chance I could hop onto this environment with you Bjoern?

Revision history for this message
Bjoern (bjoern-t) wrote :

No, it's a customer environment, unfortunately.
So far all LDAP setups I have seen were read-only and provided by Microsoft AD...

Revision history for this message
Bjoern (bjoern-t) wrote :
Changed in openstack-ansible:
status: New → In Progress
Changed in openstack-ansible:
importance: Undecided → Medium
assignee: nobody → Kevin Carter (kevin-carter)
milestone: none → 12.0.2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/248900

Revision history for this message
Bjoern (bjoern-t) wrote :

We still see issues while running heat playbooks

TASK: [os_heat | Assign admin role to heat domain admin user] *****************

failed: [infra02_heat_apis_container-f93fda61] => {"changed": true, "cmd": ". /root/openrc\n openstack --os-identity-api-version=3 --os-auth-url=http://xxxx:35357/v3 --os-project-name=admin --os-project-domain-name=Default --os-user-domain-name=Default role add --user svc_openstk_heat_adm --domain heat admin", "delta": "0:00:02.890124", "end": "2015-12-02 11:26:15.902093", "rc": 1, "start": "2015-12-02 11:26:13.011969", "warnings": []}
stderr: ERROR: openstack The request you have made requires authentication. (HTTP 401) (Request-ID: req-42dc752c-3cd7-4b0c-920f-c5434e5718a1)

This error only occurs when domain_specific_drivers_enabled is enabled inside keystone.
All user list API calls need to be either domain-related or the user id needs to be submitted.
The openstack client does not submit the domain_id for the user list request; that's why we get the 401.
Currently we can only use the user id rather than the name to overcome this issue, for example:

. /root/openrc
openstack --os-identity-api-version=3 --os-auth-url=http://xxxx:35357/v3 --os-project-name=admin --os-project-domain-name=Default --os-user-domain-name=Default role add --user <user id> --domain heat admin

How about implementing this workaround? Currently I am talking to the upstream openstack client guys about how to fix it there.
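The two failure modes in this thread (a name lookup that is not domain-scoped failing once domain_specific_drivers_enabled is on, and an "Ensure ... user" task trying to create a service user in a read-only LDAP domain) can be shown side by side. The block below is an added example and is not the openstack-ansible keystone module or python-keystoneclient code. FakeIdentityV3 is a constructed in-memory stand-in for the v3 users API that reproduces the behaviour Bjoern reports; the domain names "default" and "heat", the user names, and the `service_in_ldap` flag (a stand-in for the boolean conditional the fix introduced, whose real variable name is not given here) are assumptions for illustration.

```python
"""Domain-aware Keystone v3 user lookup and ensure.

Added example; not code from openstack-ansible or python-keystoneclient.
FakeIdentityV3 is a constructed model: with domain-specific drivers enabled,
a user list without a domain filter fails (the 401 from the report), a lookup
by ID always works, and a domain backed by read-only LDAP refuses creation.
"""
import uuid


class IdentityError(Exception):
    """Stands in for keystoneclient's HTTP error exceptions."""

    def __init__(self, status, reason):
        super().__init__(f"HTTP {status}: {reason}")
        self.status = status


class FakeIdentityV3:
    """Constructed stand-in for /v3/users. Each domain maps to a backend:
    'sql' is writable, 'ldap' is read-only (as with the AD setups above)."""

    def __init__(self, domain_specific_drivers_enabled=True):
        self.domain_specific = domain_specific_drivers_enabled
        self.domains = {"default": "sql", "heat": "ldap"}  # assumed names
        self.users = {}  # user_id -> {"id", "name", "domain_id"}
        self._add("admin", "default")
        self._add("svc_openstk_heat_adm", "heat")  # user name from the thread

    def _add(self, name, domain_id):
        uid = uuid.uuid4().hex
        self.users[uid] = {"id": uid, "name": name, "domain_id": domain_id}
        return self.users[uid]

    def get_user(self, user_id):
        """GET /v3/users/{id}: routable to a driver without a domain filter."""
        if user_id not in self.users:
            raise IdentityError(404, "user not found")
        return self.users[user_id]

    def list_users(self, domain_id=None, name=None):
        """GET /v3/users[?domain_id=..&name=..]. With domain-specific drivers
        an unscoped list cannot be served; the report shows it as a 401."""
        if self.domain_specific and domain_id is None:
            raise IdentityError(401, "The request you have made requires authentication.")
        return [u for u in self.users.values()
                if (domain_id is None or u["domain_id"] == domain_id)
                and (name is None or u["name"] == name)]

    def create_user(self, name, domain_id, password=None):
        """POST /v3/users: refused for a read-only LDAP-backed domain."""
        if self.domains.get(domain_id) == "ldap":
            raise IdentityError(403, "LDAP backend is read-only")
        return self._add(name, domain_id)


def find_user_unscoped(api, name):
    """Pre-fix pattern: name lookup with no domain passed through.
    Works on a single-backend deployment, 401s with domain-specific drivers."""
    matches = api.list_users(name=name)
    return matches[0] if matches else None


def find_user(api, user, domain_id):
    """Post-fix pattern: accept an ID (Bjoern's workaround) or a name that is
    always paired with its domain, as the keystone module fix does."""
    try:
        return api.get_user(user)  # `user` was an ID
    except IdentityError as exc:
        if exc.status != 404:
            raise
    matches = api.list_users(domain_id=domain_id, name=user)
    if len(matches) > 1:
        raise IdentityError(409, f"name {user!r} not unique in domain {domain_id!r}")
    return matches[0] if matches else None


def ensure_user(api, name, domain_id, password=None, service_in_ldap=False):
    """Mirror of an 'Ensure ... user' task. Returns (user, changed).
    service_in_ldap models the boolean the fix added: when service users are
    provisioned in LDAP the task only verifies the user exists, never creates."""
    existing = find_user(api, name, domain_id)
    if existing is not None:
        return existing, False
    if service_in_ldap:
        raise LookupError(f"{name!r} must be pre-created in LDAP domain {domain_id!r}")
    return api.create_user(name, domain_id, password), True
```

Note that `find_user_unscoped` only breaks when the identity API is in domain-specific mode; on a plain SQL deployment it resolves the name fine, which is why the failure surfaced only after LDAP was enabled.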

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/248900
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=2559ed4f13cd242c9f02cd023a7242db56650b0d
Submitter: Jenkins
Branch: master

commit 2559ed4f13cd242c9f02cd023a7242db56650b0d
Author: Kevin Carter <email address hidden>
Date: Mon Nov 23 14:35:16 2015 -0600

    Fixes playbook runtime issues with ldap

    When using an LDAP backend the playbooks fail when "ensuring.*"
    which is a keystone client action. The reason for the failure is
    related to how ldap backend, and is triggered when the service
    users are within the ldap and not SQL. To resolve the issue a boolean
    conditional was created on the various OS_.* roles to skip specific
    tasks when the service users have already been added into LDAP.

    Change-Id: I64a8d1e926c54b821f8bfb561a8b6f755bc1ed93
    Closes-Bug: #1518351
    Closes-Bug: #1519174
    Signed-off-by: Kevin Carter <email address hidden>

Changed in openstack-ansible:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/238509
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=f490880abecd5d3e2acf2642024dab7a02c08975
Submitter: Jenkins
Branch: master

commit f490880abecd5d3e2acf2642024dab7a02c08975
Author: Kevin Carter <email address hidden>
Date: Fri Nov 20 11:59:12 2015 -0600

    Keystone domain fix

    The keystone module is not able to function when using Keystone
    and the multi-domain backend. This issue is caused because the
    domain argument is not passed into the client calls. To resolve
    this issue the module has been updated to pass through the domain
    to the various client calls where needed

    Closes-Bug: #1518351
    Closes-Bug: #1519174
    Change-Id: Ie19f1658d770cc421e23ebb59e658624cf668840
    Co-Authored-By: Tiago Gomes <email address hidden>
    Co-Authored-By: Ian Cordasco <email address hidden>
    Signed-off-by: Kevin Carter <email address hidden>

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (kilo)

Reviewed: https://review.openstack.org/238515
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=123f243b8ab90ca46fb388a50b9c6a71550cc360
Submitter: Jenkins
Branch: kilo

commit 123f243b8ab90ca46fb388a50b9c6a71550cc360
Author: Kevin Carter <email address hidden>
Date: Fri Nov 20 11:59:12 2015 -0600

    Keystone domain fix

    The keystone module is not able to function when using Keystone
    and the multi-domain backend. This issue is caused because the
    domain argument is not passed into the client calls. To resolve
    this issue the module has been updated to pass through the domain
    to the various client calls where needed

    Closes-Bug: #1518351
    Closes-Bug: #1519174
    Change-Id: Ie19f1658d770cc421e23ebb59e658624cf668840
    Co-Authored-By: Tiago Gomes <email address hidden>
    Co-Authored-By: Ian Cordasco <email address hidden>
    Signed-off-by: Kevin Carter <email address hidden>
    (cherry picked from commit f490880abecd5d3e2acf2642024dab7a02c08975)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/253658
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=b73c95d80a202cc5df61760bb706ec65a2b44783
Submitter: Jenkins
Branch: kilo

commit b73c95d80a202cc5df61760bb706ec65a2b44783
Author: Kevin Carter <email address hidden>
Date: Mon Nov 23 14:35:16 2015 -0600

    Fixes playbook runtime issues with ldap

    When using an LDAP backend the playbooks fail when "ensuring.*"
    which is a keystone client action. The reason for the failure is
    related to how ldap backend, and is triggered when the service
    users are within the ldap and not SQL. To resolve the issue a boolean
    conditional was created on the various OS_.* roles to skip specific
    tasks when the service users have already been added into LDAP.

    Change-Id: I64a8d1e926c54b821f8bfb561a8b6f755bc1ed93
    Closes-Bug: #1518351
    Closes-Bug: #1519174
    Signed-off-by: Kevin Carter <email address hidden>
    (cherry picked from commit 2559ed4f13cd242c9f02cd023a7242db56650b0d)
    Signed-off-by: Kevin Carter <email address hidden>

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (liberty)

Reviewed: https://review.openstack.org/255204
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=b6c8ed850c48ec0595374135b486607723f676e4
Submitter: Jenkins
Branch: liberty

commit b6c8ed850c48ec0595374135b486607723f676e4
Author: Kevin Carter <email address hidden>
Date: Mon Nov 23 14:35:16 2015 -0600

    Fixes playbook runtime issues with ldap

    When using an LDAP backend the playbooks fail when "ensuring.*"
    which is a keystone client action. The reason for the failure is
    related to how ldap backend, and is triggered when the service
    users are within the ldap and not SQL. To resolve the issue a boolean
    conditional was created on the various OS_.* roles to skip specific
    tasks when the service users have already been added into LDAP.

    Change-Id: I64a8d1e926c54b821f8bfb561a8b6f755bc1ed93
    Closes-Bug: #1518351
    Closes-Bug: #1519174
    Signed-off-by: Kevin Carter <email address hidden>
    (cherry picked from commit 2559ed4f13cd242c9f02cd023a7242db56650b0d)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/256024
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=fb4a381b227a2cb639c37b97bdc97b82f155b8bc
Submitter: Jenkins
Branch: liberty

commit fb4a381b227a2cb639c37b97bdc97b82f155b8bc
Author: Kevin Carter <email address hidden>
Date: Fri Nov 20 11:59:12 2015 -0600

    Keystone domain fix

    The keystone module is not able to function when using Keystone
    and the multi-domain backend. This issue is caused because the
    domain argument is not passed into the client calls. To resolve
    this issue the module has been updated to pass through the domain
    to the various client calls where needed

    Closes-Bug: #1518351
    Closes-Bug: #1519174
    Change-Id: Ie19f1658d770cc421e23ebb59e658624cf668840
    Co-Authored-By: Tiago Gomes <email address hidden>
    Co-Authored-By: Ian Cordasco <email address hidden>
    Signed-off-by: Kevin Carter <email address hidden>
    (cherry picked from commit f490880abecd5d3e2acf2642024dab7a02c08975)

Revision history for this message
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.11

This issue was fixed in the openstack/openstack-ansible 11.2.11 release.

Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 12.0.8

This issue was fixed in the openstack/openstack-ansible 12.0.8 release.

Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 11.2.12

This issue was fixed in the openstack/openstack-ansible 11.2.12 release.

Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 12.0.9

This issue was fixed in the openstack/openstack-ansible 12.0.9 release.

Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 13.0.0

This issue was fixed in the openstack/openstack-ansible 13.0.0 release.

Revision history for this message
Davanum Srinivas (DIMS) (dims-v) wrote :

This issue was fixed in the openstack/openstack-ansible 13.0.0 release.

Revision history for this message
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 12.0.11

This issue was fixed in the openstack/openstack-ansible 12.0.11 release.

Revision history for this message
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.14

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.

Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 11.2.15

This issue was fixed in the openstack/openstack-ansible 11.2.15 release.
