module: keystone fails when login_user is not in Default domain

Bug #1574000 reported by Gabor Lekeny
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Undecided
Assigned to: Gabor Lekeny
Milestone:

Bug Description

If the user or project domain is not the default ("Default"), then authenticating with login_user without adding the proper domains causes the following error:
keystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: ...)

Example (http://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-users.html):
- name: create domain
  keystone:
    command: ensure_domain
    endpoint: "http://{{ management_ip }}:35357/v3"
    token: "{{ keystone_admin_token }}"
    domain_name: default
    domain_enabled: True
- name: create project
  keystone:
    command: ensure_project
    endpoint: "http://{{ management_ip }}:35357/v3"
    token: "{{ keystone_admin_token }}"
    project_name: admin
    domain_name: default
    description: "Admin Project"
- name: create user
  keystone:
    command: ensure_user
    endpoint: "http://{{ management_ip }}:35357/v3"
    token: "{{ keystone_admin_token }}"
    user_name: admin
    password: "{{ keystone_admin_password }}"
    project_name: admin
    domain_name: default
- name: create role
  keystone:
    command: ensure_role
    endpoint: "http://{{ management_ip }}:35357/v3"
    token: "{{ keystone_admin_token }}"
    role_name: admin
- name: create user_role
  keystone:
    command: ensure_user_role
    endpoint: "http://{{ management_ip }}:35357/v3"
    token: "{{ keystone_admin_token }}"
    user_name: admin
    project_name: admin
    role_name: admin
- name: check
  keystone:
    command: get_user
    endpoint: "http://{{ management_ip }}:35357/v3"
    login_user: admin
    login_password: "{{ keystone_admin_password }}"
    login_project_name: admin
    user_name: admin

Output:
$ ansible-playbook test.yml

PLAY [keystone] ****************************************************************

TASK [os-keystone : create domain] *********************************************
ok: [controller]

TASK [os-keystone : create project] ********************************************
ok: [controller]

TASK [os-keystone : create user] ***********************************************
ok: [controller]

TASK [os-keystone : create role] ***********************************************
ok: [controller]

TASK [os-keystone : create user_role] ******************************************
ok: [controller]

TASK [os-keystone : check] *****************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: keystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-e72b8427-836a-4914-8539-f8baf9460906)
fatal: [controller]: FAILED! => {"changed": false, "failed": true, "module_stderr": "Traceback (most recent call last):\n File \"<stdin>\", line 3317, in <module>\n File \"<stdin>\", line 1329, in main\n File \"<stdin>\", line 471, in command_router\n File \"<stdin>\", line 703, in get_user\n File \"<stdin>\", line 587, in _authenticate\n File \"/usr/lib/python2.7/dist-packages/keystoneclient/v3/client.py\", line 226, in __init__\n self.authenticate()\n File \"/usr/lib/python2.7/dist-packages/positional/__init__.py\", line 94, in inner\n return func(*args, **kwargs)\n File \"/usr/lib/python2.7/dist-packages/keystoneclient/httpclient.py\", line 584, in authenticate\n resp = self.get_raw_token_from_identity_service(**kwargs)\n File \"/usr/lib/python2.7/dist-packages/keystoneclient/v3/client.py\", line 301, in get_raw_token_from_identity_service\n return plugin.get_auth_ref(self.session)\n File \"/usr/lib/python2.7/dist-packages/keystoneclient/auth/identity/v3/base.py\", line 190, in get_auth_ref\n authenticated=False, log=False, **rkwargs)\n File \"/usr/lib/python2.7/dist-packages/keystoneclient/session.py\", line 520, in post\n return self.request(url, 'POST', **kwargs)\n File \"/usr/lib/python2.7/dist-packages/positional/__init__.py\", line 94, in inner\n return func(*args, **kwargs)\n File \"/usr/lib/python2.7/dist-packages/keystoneclient/session.py\", line 420, in request\n raise exceptions.from_response(resp, method, url)\nkeystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-e72b8427-836a-4914-8539-f8baf9460906)\n", "module_stdout": "", "msg": "MODULE FAILURE", "parsed": false}

NO MORE HOSTS LEFT *************************************************************
        to retry, use: --limit @test.retry

PLAY RECAP *********************************************************************
controller : ok=5 changed=0 unreachable=0 failed=1

Solution: setting user_domain_name and project_domain_name in library/keystone solves the problem.
            self.keystone = client.Client(
                insecure=insecure,
                auth_url=endpoint,
                username=login_user,
                user_domain_name=XXX,
                password=login_password,
                project_name=login_project_name,
                project_domain_name=YYY,
            )
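
The Identity v3 API accepts a user or project by name only together with a domain (or by id). The block below is an added example, not code from the keystone module or from the reporter: it builds the v3 password-auth request body and flags references that carry a bare name, the kind of incomplete login the report describes. The function names and the sample values are hypothetical.

```python
"""Added example: Keystone Identity v3 password auth needs domain-qualified names."""


def build_password_auth(user, password, project,
                        user_domain=None, project_domain=None):
    """Build the JSON body for POST /v3/auth/tokens (password method, project scope)."""
    user_ref = {"name": user, "password": password}
    if user_domain:
        user_ref["domain"] = {"name": user_domain}
    project_ref = {"name": project}
    if project_domain:
        project_ref["domain"] = {"name": project_domain}
    return {
        "auth": {
            "identity": {"methods": ["password"], "password": {"user": user_ref}},
            "scope": {"project": project_ref},
        }
    }


def unqualified_names(body):
    """Return which references ("user", "project") give a name with no id or domain.

    In v3 a name is unique only inside its domain, so a bare name is not a
    complete reference to one account or project.
    """
    auth = body["auth"]
    refs = {
        "user": auth["identity"]["password"]["user"],
        "project": auth.get("scope", {}).get("project", {}),
    }
    return [kind for kind, ref in refs.items()
            if "name" in ref and "id" not in ref and "domain" not in ref]


if __name__ == "__main__":
    # Constructed sample values; "example-password" is a placeholder.
    as_reported = build_password_auth("admin", "example-password", "admin")
    qualified = build_password_auth("admin", "example-password", "admin",
                                    user_domain="default", project_domain="default")
    print("as reported:", unqualified_names(as_reported))
    print("with domains:", unqualified_names(qualified))
```

Running a check like this over login parameters before they reach the client turns an opaque HTTP 401 into a message naming the missing domain.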

Changed in openstack-ansible:
assignee: nobody → Gabor Lekeny (gabor.lekeny)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-plugins (master)

Fix proposed to branch: master
Review: https://review.openstack.org/309690

Changed in openstack-ansible:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-plugins (master)

Reviewed: https://review.openstack.org/309690
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-plugins/commit/?id=dce1b35de9076cd1a1a9bcdd812ab876b84a4830
Submitter: Jenkins
Branch: master

commit dce1b35de9076cd1a1a9bcdd812ab876b84a4830
Author: Gabor Lekeny <email address hidden>
Date: Sat Apr 23 15:12:23 2016 +0200

    Add user and project login domains to keystone

    Added login_user_domain_name and login_project_domain_name parameters to
    keystone module.

    Closes-Bug: #1574000

    Change-Id: I29524ac9dad063c266122ecee09563531217974c
    Signed-off-by: Gabor Lekeny <email address hidden>

Changed in openstack-ansible:
status: In Progress → Fix Released
Thierry Carrez (ttx) wrote : Fix included in openstack/openstack-ansible-plugins 14.0.0.0b1

This issue was fixed in the openstack/openstack-ansible-plugins 14.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-plugins (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/356711

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-plugins (stable/mitaka)

Reviewed: https://review.openstack.org/356711
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-plugins/commit/?id=620c64e3160edb741bf853def67cf7d034396257
Submitter: Jenkins
Branch: stable/mitaka

commit 620c64e3160edb741bf853def67cf7d034396257
Author: Gabor Lekeny <email address hidden>
Date: Sat Apr 23 15:12:23 2016 +0200

    Add user and project login domains to keystone

    Added login_user_domain_name and login_project_domain_name parameters to
    keystone module.

    Closes-Bug: #1574000
    Partial-Bug: #1614211

    Change-Id: I29524ac9dad063c266122ecee09563531217974c
    Signed-off-by: Gabor Lekeny <email address hidden>
    (cherry picked from commit dce1b35de9076cd1a1a9bcdd812ab876b84a4830)

tags: added: in-stable-mitaka
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-plugins 13.3.3

This issue was fixed in the openstack/openstack-ansible-plugins 13.3.3 release.
