Keystone ldap only configures domain on one node

Bug #1804827 reported by Marcos on 2018-11-23
This bug affects 2 people
Affects: openstack-ansible
Importance: High
Assigned to: Jesse Pretorius

Bug Description

When using 3 nodes under the group "identity_hosts", and setting LDAP configuration for keystone, only one of them receives a valid ldap configuration file.

Snippet of openstack_user_config.yml

----
identity_hosts:
  infra1:
    ip: 192.168.0.1
  infra2:
    ip: 192.168.0.2
  infra3:
    ip: 192.168.0.3
----

Snippet of user_variables.yml

----
keystone_ldap:
  my_domain_name:
    url: "ldap://my-domain.org"
    #*other parameters not here for brevity*

horizon_keystone_multidomain_support: True
----

Playbook execution ends successfully, and we can log in to the given domain, but we detected that when listing users, some of them were missing.
Random "authentication failed" errors for users under the LDAP domain were also occurring, and we suspected that this was due to a misconfiguration in one of the 3 keystone APIs.

Apparently, only 1 of the 3 keystone APIs has a domain configured for the LDAP domain, so when authentications for the given LDAP domain reached any of the keystone API containers that did not have this domain applied, they were throwing errors.

The solution was to copy the /etc/keystone/domains/my_domain_name.amtega.conf from the lxc container
on infra1, to the lxc containers on infra2 and infra3.

This was tested with branch *stable/queens*, on a 3 node configuration with HA for the identity service, using LXC containers on all components.

Mohammed Naser (mnaser) wrote:

This is a regression introduced by this commit

https://github.com/openstack/openstack-ansible-os_keystone/commit/096ed19665dad45fe9b1c1790ba599d90ccf233c

Jesse: I assigned this to you, if you have time to dig in, if not feel free to un-assign. We probably just need to move the "when:" to inside the include rather than the entire include.

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Jesse Pretorius (jesse-pretorius)
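An added illustration of the regression pattern described above and the shape of the proposed fix; this is not the os_keystone role's actual task code. The task file name, the `keystone_all` group, the `os_keystone_domain` module usage and the domain file path are assumptions; `keystone_ldap` is the variable from the reporter's user_variables.yml.

```yaml
# BEFORE (regression): the first-host condition guards the whole include,
# so every task inside it, including the template that lays down
# /etc/keystone/domains/<domain>.conf, runs on infra1 only. infra2 and
# infra3 never receive the domain config, which matches the bug report.
- name: Configure LDAP domains
  include_tasks: keystone_ldap_setup.yml   # assumed file name
  with_dict: "{{ keystone_ldap }}"
  loop_control:
    loop_var: domain
  when: inventory_hostname == groups['keystone_all'][0]

# AFTER (fix): the include runs on every identity host; only the
# one-time domain registration inside it keeps the first-host guard.
- name: Configure LDAP domains
  include_tasks: keystone_ldap_setup.yml
  with_dict: "{{ keystone_ldap }}"
  loop_control:
    loop_var: domain

# keystone_ldap_setup.yml (assumed contents)
# This task must run on all hosts: each keystone API process reads its
# own copy of the domain-specific config, so a host without it cannot
# authenticate users from that domain.
- name: Lay down the LDAP domain config on every identity host
  template:
    src: keystone_ldap.conf.j2                          # assumed template
    dest: "/etc/keystone/domains/{{ domain.key }}.conf" # assumed path
    owner: keystone
    group: keystone
    mode: "0640"
  notify: Restart keystone   # hypothetical handler name

# The domain itself lives in the shared database, so creating it is a
# one-time action; this is the only task that needs the condition.
- name: Ensure the keystone domain exists (first host only)
  os_keystone_domain:
    cloud: default
    name: "{{ domain.key }}"
    state: present
  when: inventory_hostname == groups['keystone_all'][0]
```

After a playbook run the template task should report ok/changed on all three identity hosts, not just infra1; comparing the checksum of the domain config file across the containers is the quick confirmation.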

Fix proposed to branch: master
Review: https://review.openstack.org/620574

Changed in openstack-ansible:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/620574
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=3a6a55b8d03c1668c2edee7ff5b054cbe6a9c580
Submitter: Zuul
Branch: master

commit 3a6a55b8d03c1668c2edee7ff5b054cbe6a9c580
Author: Jesse Pretorius <email address hidden>
Date: Wed Nov 28 11:43:14 2018 +0000

    Ensure that LDAP config is deployed on all keystone hosts

    In I66ed21cdcf42d0c2012062c8cf74305fecbec312 the condition meant
    for the setup of the domain was mistakenly applied to all tasks
    including laying down the template.

    This patch moves the conditional which ensures the domain is set up
    on the first host to the task in question to ensure that everything
    is good and well with the world again.

    Change-Id: Icb7c2556306d459534e6791f16c7013d0e9fcaf5
    Closes-Bug: #1804827

Changed in openstack-ansible:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/624430
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=fc3d2fe4b6df67bd28f94097c81f71bb78518340
Submitter: Zuul
Branch: stable/rocky

commit fc3d2fe4b6df67bd28f94097c81f71bb78518340
Author: Jesse Pretorius <email address hidden>
Date: Wed Nov 28 11:43:14 2018 +0000

    Ensure that LDAP config is deployed on all keystone hosts

    In I66ed21cdcf42d0c2012062c8cf74305fecbec312 the condition meant
    for the setup of the domain was mistakenly applied to all tasks
    including laying down the template.

    This patch moves the conditional which ensures the domain is set up
    on the first host to the task in question to ensure that everything
    is good and well with the world again.

    Change-Id: Icb7c2556306d459534e6791f16c7013d0e9fcaf5
    Closes-Bug: #1804827
    (cherry picked from commit 3a6a55b8d03c1668c2edee7ff5b054cbe6a9c580)

tags: added: in-stable-rocky

Reviewed: https://review.openstack.org/624433
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=5bd05fc238662b07cd78f18f9d9f8e50062b45d1
Submitter: Zuul
Branch: stable/queens

commit 5bd05fc238662b07cd78f18f9d9f8e50062b45d1
Author: Jesse Pretorius <email address hidden>
Date: Wed Nov 28 11:43:14 2018 +0000

    Ensure that LDAP config is deployed on all keystone hosts

    In I66ed21cdcf42d0c2012062c8cf74305fecbec312 the condition meant
    for the setup of the domain was mistakenly applied to all tasks
    including laying down the template.

    This patch moves the conditional which ensures the domain is set up
    on the first host to the task in question to ensure that everything
    is good and well with the world again.

    Change-Id: Icb7c2556306d459534e6791f16c7013d0e9fcaf5
    Closes-Bug: #1804827
    (cherry picked from commit 3a6a55b8d03c1668c2edee7ff5b054cbe6a9c580)

tags: added: in-stable-queens

Reviewed: https://review.openstack.org/624436
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=bdce0d432f41ac643474a3162cc70392753cbd70
Submitter: Zuul
Branch: stable/ocata

commit bdce0d432f41ac643474a3162cc70392753cbd70
Author: Jesse Pretorius <email address hidden>
Date: Wed Nov 28 11:43:14 2018 +0000

    Ensure that LDAP config is deployed on all keystone hosts

    In I66ed21cdcf42d0c2012062c8cf74305fecbec312 the condition meant
    for the setup of the domain was mistakenly applied to all tasks
    including laying down the template.

    This patch moves the conditional which ensures the domain is set up
    on the first host to the task in question to ensure that everything
    is good and well with the world again.

    Change-Id: Icb7c2556306d459534e6791f16c7013d0e9fcaf5
    Closes-Bug: #1804827
    (cherry picked from commit 3a6a55b8d03c1668c2edee7ff5b054cbe6a9c580)

tags: added: in-stable-ocata

Reviewed: https://review.openstack.org/624434
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=fc9df14b01908b5b8b038f6fbc9edb52c4765ddc
Submitter: Zuul
Branch: stable/pike

commit fc9df14b01908b5b8b038f6fbc9edb52c4765ddc
Author: Jesse Pretorius <email address hidden>
Date: Wed Nov 28 11:43:14 2018 +0000

    Ensure that LDAP config is deployed on all keystone hosts

    In I66ed21cdcf42d0c2012062c8cf74305fecbec312 the condition meant
    for the setup of the domain was mistakenly applied to all tasks
    including laying down the template.

    This patch moves the conditional which ensures the domain is set up
    on the first host to the task in question to ensure that everything
    is good and well with the world again.

    Change-Id: Icb7c2556306d459534e6791f16c7013d0e9fcaf5
    Closes-Bug: #1804827
    (cherry picked from commit 3a6a55b8d03c1668c2edee7ff5b054cbe6a9c580)

tags: added: in-stable-pike

This issue was fixed in the openstack/openstack-ansible-os_keystone ocata-em release.

This issue was fixed in the openstack/openstack-ansible-os_keystone 16.0.29 release.
