module: keystone fails when login_user is not in Default domain

Bug #1574000 reported by Gabor Lekeny on 2016-04-23
This bug affects 1 person
Affects: openstack-ansible
Importance: Undecided
Assigned to: Gabor Lekeny

Bug Description

If the user or project domain is not the default ("Default"), then authenticating with login_user without adding the proper domains causes the following error:
keystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: ...)

Example (http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-users.html):
- name: create domain
  keystone:
    command: ensure_domain
    endpoint: "http://{{ management_ip }}:35357/v3"
    token: "{{ keystone_admin_token }}"
    domain_name: default
    domain_enabled: True
- name: create project
  keystone:
    command: ensure_project
    endpoint: "http://{{ management_ip }}:35357/v3"
    token: "{{ keystone_admin_token }}"
    project_name: admin
    domain_name: default
    description: "Admin Project"
- name: create user
  keystone:
    command: ensure_user
    endpoint: "http://{{ management_ip }}:35357/v3"
    token: "{{ keystone_admin_token }}"
    user_name: admin
    password: "{{ keystone_admin_password }}"
    project_name: admin
    domain_name: default
- name: create role
  keystone:
    command: ensure_role
    endpoint: "http://{{ management_ip }}:35357/v3"
    token: "{{ keystone_admin_token }}"
    role_name: admin
- name: create user_role
  keystone:
    command: ensure_user_role
    endpoint: "http://{{ management_ip }}:35357/v3"
    token: "{{ keystone_admin_token }}"
    user_name: admin
    project_name: admin
    role_name: admin
- name: check
  keystone:
    command: get_user
    endpoint: "http://{{ management_ip }}:35357/v3"
    login_user: admin
    login_password: "{{ keystone_admin_password }}"
    login_project_name: admin
    user_name: admin

Output:
$ ansible-playbook test.yml

PLAY [keystone] ****************************************************************

TASK [os-keystone : create domain] *********************************************
ok: [controller]

TASK [os-keystone : create project] ********************************************
ok: [controller]

TASK [os-keystone : create user] ***********************************************
ok: [controller]

TASK [os-keystone : create role] ***********************************************
ok: [controller]

TASK [os-keystone : create user_role] ******************************************
ok: [controller]

TASK [os-keystone : check] *****************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: keystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-e72b8427-836a-4914-8539-f8baf9460906)
fatal: [controller]: FAILED! => {"changed": false, "failed": true, "module_stderr": "Traceback (most recent call last):\n File \"<stdin>\", line 3317, in <module>\n File \"<stdin>\", line 1329, in main\n File \"<stdin>\", line 471, in command_router\n File \"<stdin>\", line 703, in get_user\n File \"<stdin>\", line 587, in _authenticate\n File \"/usr/lib/python2.7/dist-packages/keystoneclient/v3/client.py\", line 226, in __init__\n self.authenticate()\n File \"/usr/lib/python2.7/dist-packages/positional/__init__.py\", line 94, in inner\n return func(*args, **kwargs)\n File \"/usr/lib/python2.7/dist-packages/keystoneclient/httpclient.py\", line 584, in authenticate\n resp = self.get_raw_token_from_identity_service(**kwargs)\n File \"/usr/lib/python2.7/dist-packages/keystoneclient/v3/client.py\", line 301, in get_raw_token_from_identity_service\n return plugin.get_auth_ref(self.session)\n File \"/usr/lib/python2.7/dist-packages/keystoneclient/auth/identity/v3/base.py\", line 190, in get_auth_ref\n authenticated=False, log=False, **rkwargs)\n File \"/usr/lib/python2.7/dist-packages/keystoneclient/session.py\", line 520, in post\n return self.request(url, 'POST', **kwargs)\n File \"/usr/lib/python2.7/dist-packages/positional/__init__.py\", line 94, in inner\n return func(*args, **kwargs)\n File \"/usr/lib/python2.7/dist-packages/keystoneclient/session.py\", line 420, in request\n raise exceptions.from_response(resp, method, url)\nkeystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-e72b8427-836a-4914-8539-f8baf9460906)\n", "module_stdout": "", "msg": "MODULE FAILURE", "parsed": false}

NO MORE HOSTS LEFT *************************************************************
        to retry, use: --limit @test.retry

PLAY RECAP *********************************************************************
controller : ok=5 changed=0 unreachable=0 failed=1

Solution: setting user_domain_name and project_domain_name in library/keystone solves the problem.
            self.keystone = client.Client(
                insecure=insecure,
                auth_url=endpoint,
                username=login_user,
                user_domain_name=XXX,
                password=login_password,
                project_name=login_project_name,
                project_domain_name=YYY,
            )
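
An added illustration, not code from the keystone module or from the fix: it builds the Identity v3 password-authentication body for a name-based login and reports which names are sent without a domain, which is the situation the report describes. The function names and the sample credentials are constructed for this example.

```python
import json


def build_v3_password_auth(username, password, project_name,
                           user_domain_name=None, project_domain_name=None):
    """Build a POST /v3/auth/tokens body for a project-scoped, name-based login."""
    user = {"name": username, "password": password}
    if user_domain_name is not None:
        user["domain"] = {"name": user_domain_name}
    project = {"name": project_name}
    if project_domain_name is not None:
        project["domain"] = {"name": project_domain_name}
    return {
        "auth": {
            "identity": {"methods": ["password"], "password": {"user": user}},
            "scope": {"project": project},
        }
    }


def unqualified_names(body):
    """Return which of 'project' and 'user' are given by name with no domain.

    In Identity v3 a user or project name is unique only inside its domain,
    so a name without a domain (and without an id) does not pin down one entity.
    """
    auth = body["auth"]
    entities = {
        "user": auth["identity"]["password"]["user"],
        "project": auth["scope"]["project"],
    }
    return [kind for kind, ref in sorted(entities.items())
            if "id" not in ref and "domain" not in ref]


if __name__ == "__main__":
    # Constructed sample values; "default" matches the domain_name in the playbook.
    before = build_v3_password_auth("admin", "example-password", "admin")
    after = build_v3_password_auth("admin", "example-password", "admin",
                                   user_domain_name="default",
                                   project_domain_name="default")
    print("without domains:", unqualified_names(before))
    print("with domains:   ", unqualified_names(after))
    print(json.dumps(after["auth"]["scope"], indent=2))
```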

Changed in openstack-ansible:
assignee: nobody → Gabor Lekeny (gabor.lekeny)

Fix proposed to branch: master
Review: https://review.openstack.org/309690

Changed in openstack-ansible:
status: New → In Progress

Reviewed: https://review.openstack.org/309690
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-plugins/commit/?id=dce1b35de9076cd1a1a9bcdd812ab876b84a4830
Submitter: Jenkins
Branch: master

commit dce1b35de9076cd1a1a9bcdd812ab876b84a4830
Author: Gabor Lekeny <email address hidden>
Date: Sat Apr 23 15:12:23 2016 +0200

    Add user and project login domains to keystone

    Added login_user_domain_name and login_project_domain_name parameters to
    keystone module.

    Closes-Bug: #1574000

    Change-Id: I29524ac9dad063c266122ecee09563531217974c
    Signed-off-by: Gabor Lekeny <email address hidden>

Changed in openstack-ansible:
status: In Progress → Fix Released

This issue was fixed in the openstack/openstack-ansible-plugins 14.0.0.0b1 development milestone.

Reviewed: https://review.openstack.org/356711
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-plugins/commit/?id=620c64e3160edb741bf853def67cf7d034396257
Submitter: Jenkins
Branch: stable/mitaka

commit 620c64e3160edb741bf853def67cf7d034396257
Author: Gabor Lekeny <email address hidden>
Date: Sat Apr 23 15:12:23 2016 +0200

    Add user and project login domains to keystone

    Added login_user_domain_name and login_project_domain_name parameters to
    keystone module.

    Closes-Bug: #1574000
    Partial-Bug: #1614211

    Change-Id: I29524ac9dad063c266122ecee09563531217974c
    Signed-off-by: Gabor Lekeny <email address hidden>
    (cherry picked from commit dce1b35de9076cd1a1a9bcdd812ab876b84a4830)

tags: added: in-stable-mitaka

This issue was fixed in the openstack/openstack-ansible-plugins 13.3.3 release.
