os_ironic uses wrong keystone_authtoken config keys

Bug #1632436 reported by Charles Farquhar on 2016-10-11
Affects: openstack-ansible
Importance: Medium
Assigned to: Charles Farquhar

Bug Description

The ironic.conf template uses the following incorrect configuration keys in the [keystone_authtoken] section [1] [2] [3]:

- project_domain_id is not a valid config key [4] [5]
- user_domain_id is not a valid config key [4] [5]
- project_name should be admin_tenant_name [4] [5]
- username should be admin_user [4] [5]
- password should be admin_password [4] [5]

[1] (master)
https://github.com/openstack/openstack-ansible-os_ironic/blob/ae36c7d/templates/ironic.conf.j2#L82-L86

[2] (stable/newton)
https://github.com/openstack/openstack-ansible-os_ironic/blob/ae36c7d/templates/ironic.conf.j2#L82-L86

[3] (stable/mitaka)
https://github.com/openstack/openstack-ansible-os_ironic/blob/03443e4/templates/ironic.conf.j2#L82-L86

[4] (mitaka config reference)
http://docs.openstack.org/mitaka/config-reference/bare-metal.html

[5] (newton config reference)
http://docs.openstack.org/newton/config-reference/bare-metal.html
http://docs.openstack.org/newton/config-reference/common-configurations/auth.html

Fix proposed to branch: master
Review: https://review.openstack.org/385125

Changed in openstack-ansible:
assignee: nobody → Charles Farquhar (cfarquhar)
status: New → In Progress

For Mitaka, those settings appear to be right if I'm reading this correctly:

https://github.com/openstack/ironic/blob/stable/mitaka/ironic/common/keystone.py#L51-L79

However the settings already there may work as I think those are implemented in the keystoneclient which is what Ironic is using there.

But from Newton onwards Ironic is using the keystoneauth1 library which uses the settings that are already in place:

https://github.com/openstack/ironic/blob/stable/newton/ironic/conf/auth.py#L17

Change abandoned by Charles Farquhar (<email address hidden>) on branch: master
Review: https://review.openstack.org/385125

Charles Farquhar (cfarquhar) wrote :

Thanks Jesse. I have a Mitaka environment where ironic-conductor was failing to auth to keystone because the password was not being sent. The proposed changes fixed the problem, but from the gerrit comments it sounds like this might not be the best approach. I'll do some more digging to see if I can find something better.

Change abandoned by Charles Farquhar (<email address hidden>) on branch: master
Review: https://review.openstack.org/385508
Reason: This was intended to be opened against stable/mitaka. Hopefully I got it right in review 385523.

Charles Farquhar (cfarquhar) wrote :

This has turned out to be a bit more complex than I originally thought.

- ironic-conductor works when configuring [keystone_authtoken] with admin_tenant_name, admin_user, and admin_password [1]. It can't auth [2] when configuring with project_name, username, and password.

- ironic-api works when configuring [keystone_authtoken] with project_name, username, and password [3]. It can't auth [4] when configuring with admin_tenant_name, admin_user, and admin_password.

Environment:
- stable/mitaka with ironic commit 5a5b3dcafa (HEAD of stable/mitaka as of Sept 29)
- ironic-api is running as a WSGI app behind apache

[1] working config for ironic-conductor (breaks ironic-api)
[keystone_authtoken]
insecure = False
auth_type = password
signing_dir = /var/lib/ironic/cache/api
auth_url = http://10.xx.xx.45:35357
auth_uri = http://10.xx.xx.45:5000
admin_tenant_name = service
admin_user = ironic
admin_password = secret

[2] ironic-conductor error when using project_name, username, and password config keys
2016-10-13 12:01:23.852 7645 ERROR ironic.conductor.manager [req-3a280936-5697-43b9-9b14-821f46ebf195 - - - - -] Error while preparing to deploy to node f4617648-48b4-452d-bad4-5b281de67137: Could not authorize in Keystone: A user and password or token is required.

[3] working config for ironic-api (breaks ironic-conductor)
[keystone_authtoken]
insecure = False
auth_type = password
signing_dir = /var/lib/ironic/cache/api
auth_url = http://10.xx.xx.45:35357
auth_uri = http://10.xx.xx.45:5000
project_name = service
username = ironic
password = secret

[4] ironic-api error when using admin_{tenant_name,user,password} config keys
[Wed Oct 12 15:14:21.442754 2016] [:error] [pid 3176:tid 140102114649856] 2016-10-12 15:14:21.442 3176 CRITICAL keystonemiddleware.auth_token [-] Unable to validate token: Failed to fetch token data from identity server
[Wed Oct 12 15:14:29.483687 2016] [:error] [pid 3176:tid 140102114649856] 2016-10-12 15:14:29.483 3176 ERROR keystonemiddleware.auth_token [-] Bad response code while validating token: 400
[Wed Oct 12 15:14:29.484064 2016] [:error] [pid 3176:tid 140102114649856] 2016-10-12 15:14:29.483 3176 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "Expecting to find username or userId in passwordCredentials - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.", "code": 400, "title": "Bad Request"}}
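
The split behaviour above (conductor needs the admin_* family, ironic-api needs the project_name/username/password family) is the kind of thing a deployment pre-flight check can catch before either service is restarted. The script below is an added example, not code from openstack-ansible or ironic: it parses a [keystone_authtoken] section with the standard library, reports which key family is complete, and names the service that would fail, without ever returning credential values. The two sample inputs are constructed from fragments [1] and [3] in this comment (the 10.xx.xx.45 addresses are the redacted placeholders from the report); the function and result names are this example's own.

```python
import configparser

# Key families observed in this bug on stable/mitaka: ironic-conductor
# (python-keystoneclient) authenticated only with the admin_* keys, while
# ironic-api's keystonemiddleware authenticated only with the keystoneauth
# password-plugin keys.
CONDUCTOR_KEYS = ("admin_tenant_name", "admin_user", "admin_password")
API_KEYS = ("project_name", "username", "password")

# Constructed sample inputs reproducing fragments [1] and [3] above.
COMMON = """[keystone_authtoken]
insecure = False
auth_type = password
signing_dir = /var/lib/ironic/cache/api
auth_url = http://10.xx.xx.45:35357
auth_uri = http://10.xx.xx.45:5000
"""
CONDUCTOR_ONLY = COMMON + (
    "admin_tenant_name = service\nadmin_user = ironic\nadmin_password = secret\n"
)
API_ONLY = COMMON + "project_name = service\nusername = ironic\npassword = secret\n"


def _missing(section, keys):
    """Return the keys from `keys` that are absent or empty in `section`."""
    return [k for k in keys if not section.get(k, "").strip()]


def check_keystone_authtoken(conf_text):
    """Report which key family is complete in [keystone_authtoken].

    Only key presence is inspected; credential values are never copied into
    the result, so it is safe to log or print.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("keystone_authtoken"):
        return {
            "conductor": False,
            "api": False,
            "missing_for_conductor": list(CONDUCTOR_KEYS),
            "missing_for_api": list(API_KEYS),
        }
    section = cp["keystone_authtoken"]
    missing_conductor = _missing(section, CONDUCTOR_KEYS)
    missing_api = _missing(section, API_KEYS)
    return {
        "conductor": not missing_conductor,
        "api": not missing_api,
        "missing_for_conductor": missing_conductor,
        "missing_for_api": missing_api,
    }


def describe(conf_text):
    """One-line verdict naming the service that would fail, if any."""
    r = check_keystone_authtoken(conf_text)
    if r["conductor"] and r["api"]:
        return "ok: both key families present"
    if r["conductor"]:
        return "ironic-api would fail token validation (missing: %s)" % ", ".join(
            r["missing_for_api"]
        )
    if r["api"]:
        return (
            "ironic-conductor would fail ('A user and password or token is "
            "required'; missing: %s)" % ", ".join(r["missing_for_conductor"])
        )
    return "neither service can authenticate: no complete key family"


if __name__ == "__main__":
    for label, text in (("[1] conductor-only", CONDUCTOR_ONLY), ("[3] api-only", API_ONLY)):
        print(label, "->", describe(text))
```

Run it against a rendered ironic.conf (for example `describe(open("/etc/ironic/ironic.conf").read())`) from the same venv that will run the service; the verdict strings map directly onto the two errors quoted in [2] and [4] above.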

So we test admin_tenant_name, admin_user, and admin_password in mitaka ironic CI. This works fine with Keystone v2.

We didn't fully support v3 in newton, and I think that's what you're running into here. Try with v2 and see what happens?

Charles Farquhar (cfarquhar) wrote :

Keystone libs are consistent across the environment:

root@infra01-a-ironic-conductor-container-1706e050:~# pip freeze | grep keystone
keystoneauth1==2.4.1
python-keystoneclient==2.3.1

root@infra01-a-ironic-conductor-container-1706e050:~# . /openstack/venvs/ironic-13.3.5/bin/activate
(ironic-13.3.5) root@infra01-a-ironic-conductor-container-1706e050:~# pip freeze | grep keystone
keystoneauth1==2.4.1
keystonemiddleware==4.4.1
python-keystoneclient==2.3.1

root@infra01-a:~# lxc-attach -n infra01-a_ironic_api_container-842e82d5
root@infra01-a-ironic-api-container-842e82d5:~# . /openstack/venvs/ironic-13.3.5/bin/activate
(ironic-13.3.5) root@infra01-a-ironic-api-container-842e82d5:~# pip freeze | grep keystone
keystoneauth1==2.4.1
keystonemiddleware==4.4.1
python-keystoneclient==2.3.1

Change abandoned by Charles Farquhar (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/385523
Reason: https://review.openstack.org/#/c/386234/

Changed in openstack-ansible:
importance: Undecided → Medium
tags: added: newton-rc-potential

Reviewed: https://review.openstack.org/386234
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_ironic/commit/?id=d347cb134a6701381a38d4643511db7cc78fee0e
Submitter: Jenkins
Branch: stable/mitaka

commit d347cb134a6701381a38d4643511db7cc78fee0e
Author: Charles Farquhar <email address hidden>
Date: Thu Oct 13 15:48:58 2016 -0500

    Configure ironic to use keystone v2

    This change configures ironic to use keystone v2 because v3 support
    was not fully implemented in mitaka.

    Change-Id: I12797c838602b08f5862cf51a99cc0a2f1b72dfd
    Closes-Bug: 1632436

tags: added: in-stable-mitaka

This issue was fixed in the openstack/openstack-ansible-os_ironic 13.3.6 release.
