Keystone ldap only configures domain on one node

Bug #1804827 reported by Marcos
Affects: OpenStack-Ansible
Status: Fix Released
Importance: High
Assigned to: Jesse Pretorius
Milestone: (none)

Bug Description

When using 3 nodes under the group "identity_hosts", and setting LDAP configuration for keystone, only one of them receives a valid ldap configuration file.

Snippet of openstack_user_config.yml

----
identity_hosts:
  infra1:
    ip: 192.168.0.1
  infra2:
    ip: 192.168.0.2
  infra3:
    ip: 192.168.0.3
----

Snippet of user_variables.yml

----
keystone_ldap:
  my_domain_name:
    url: "ldap://my-domain.org"
    #*other parameters not here for brevity*

horizon_keystone_multidomain_support: True
----

Playbook execution ends successfully, and we can log in to the given domain, but we detected that when listing users, some of them were missing.
Random "authentication failed" errors for users under the LDAP domain were also occurring, and we suspected that this was due to a misconfiguration in one of the 3 keystone APIs.

Apparently, only 1 of the 3 keystone APIs has a domain configured for the LDAP domain, so when authentications for the given LDAP domain reached any of the keystone API containers that did not have this domain applied, they were throwing errors.

The solution was to copy the /etc/keystone/domains/my_domain_name.amtega.conf from the lxc container on infra1 to the lxc containers on infra2 and infra3.

This was tested with branch *stable/queens*, on a 3 node configuration with HA for the identity service, using LXC containers on all components.

Revision history for this message
Mohammed Naser (mnaser) wrote :

This is a regression introduced by this commit

https://github.com/openstack/openstack-ansible-os_keystone/commit/096ed19665dad45fe9b1c1790ba599d90ccf233c

Jesse: I assigned this to you, if you have time to dig in, if not feel free to un-assign. We probably just need to move the "when:" to inside the include rather than the entire include.

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Jesse Pretorius (jesse-pretorius)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/620574

Changed in openstack-ansible:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_keystone (master)

Reviewed: https://review.openstack.org/620574
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=3a6a55b8d03c1668c2edee7ff5b054cbe6a9c580
Submitter: Zuul
Branch: master

commit 3a6a55b8d03c1668c2edee7ff5b054cbe6a9c580
Author: Jesse Pretorius <email address hidden>
Date: Wed Nov 28 11:43:14 2018 +0000

    Ensure that LDAP config is deployed on all keystone hosts

    In I66ed21cdcf42d0c2012062c8cf74305fecbec312 the condition meant
    for the setup of the domain was mistakenly applied to all tasks
    including laying down the template.

    This patch moves the conditional which ensures the domain is setup
    on the first host to the task in question to ensure that everything
    is good and well with the world again.

    Change-Id: Icb7c2556306d459534e6791f16c7013d0e9fcaf5
    Closes-Bug: #1804827

Changed in openstack-ansible:
status: In Progress → Fix Released
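The cause Mohammed and the commit message describe, as an added Ansible illustration rather than the os_keystone role's own tasks: the task names, the template file, the destination path, the handler name and the `keystone_all` group are assumptions; `keystone_ldap` is the user_variables.yml structure from the bug report.

```yaml
# Added illustration, not the os_keystone role's own tasks. Task names, the
# template file, the destination path, the handler and the group keystone_all
# are assumptions; keystone_ldap is the dict from the reporter's user_variables.yml.

# Broken pattern: the "run once" condition sits on the block, so every task
# in it, including writing the domain config file, runs only on the first
# host. infra2 and infra3 end up without /etc/keystone/domains/<domain>.conf
# and reject logins for that domain, which is the reporter's symptom.
- name: Configure LDAP domains (broken pattern)
  when: inventory_hostname == groups['keystone_all'][0]
  block:
    - name: Lay down the per-domain keystone config
      template:
        src: keystone.domain.conf.j2
        dest: "/etc/keystone/domains/{{ item.key }}.conf"
        owner: keystone
        group: keystone
        mode: "0640"
      loop: "{{ keystone_ldap | dict2items }}"
      notify: Restart keystone
    - name: Create the keystone domain (needs to happen once)
      command: "openstack domain create --or-show {{ item.key }}"
      loop: "{{ keystone_ldap | dict2items }}"

# Fixed pattern: the config file is written on every keystone host; only the
# domain creation, which needs to happen once, keeps the condition.
- name: Lay down the per-domain keystone config
  template:
    src: keystone.domain.conf.j2
    dest: "/etc/keystone/domains/{{ item.key }}.conf"
    owner: keystone
    group: keystone
    mode: "0640"
  loop: "{{ keystone_ldap | dict2items }}"
  notify: Restart keystone

- name: Create the keystone domain (needs to happen once)
  command: "openstack domain create --or-show {{ item.key }}"
  loop: "{{ keystone_ldap | dict2items }}"
  when: inventory_hostname == groups['keystone_all'][0]
```

A quick drift check after a run is to compare the checksum of the domain config file across all identity_hosts containers; any host where the file is missing or differs is one the fixed pattern has not reached.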
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_keystone (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/624430

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_keystone (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/624433

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_keystone (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/624434

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_keystone (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/624436

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_keystone (stable/rocky)

Reviewed: https://review.openstack.org/624430
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=fc3d2fe4b6df67bd28f94097c81f71bb78518340
Submitter: Zuul
Branch: stable/rocky

commit fc3d2fe4b6df67bd28f94097c81f71bb78518340
Author: Jesse Pretorius <email address hidden>
Date: Wed Nov 28 11:43:14 2018 +0000

    Ensure that LDAP config is deployed on all keystone hosts

    In I66ed21cdcf42d0c2012062c8cf74305fecbec312 the condition meant
    for the setup of the domain was mistakenly applied to all tasks
    including laying down the template.

    This patch moves the conditional which ensures the domain is setup
    on the first host to the task in question to ensure that everything
    is good and well with the world again.

    Change-Id: Icb7c2556306d459534e6791f16c7013d0e9fcaf5
    Closes-Bug: #1804827
    (cherry picked from commit 3a6a55b8d03c1668c2edee7ff5b054cbe6a9c580)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_keystone (stable/queens)

Reviewed: https://review.openstack.org/624433
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=5bd05fc238662b07cd78f18f9d9f8e50062b45d1
Submitter: Zuul
Branch: stable/queens

commit 5bd05fc238662b07cd78f18f9d9f8e50062b45d1
Author: Jesse Pretorius <email address hidden>
Date: Wed Nov 28 11:43:14 2018 +0000

    Ensure that LDAP config is deployed on all keystone hosts

    In I66ed21cdcf42d0c2012062c8cf74305fecbec312 the condition meant
    for the setup of the domain was mistakenly applied to all tasks
    including laying down the template.

    This patch moves the conditional which ensures the domain is setup
    on the first host to the task in question to ensure that everything
    is good and well with the world again.

    Change-Id: Icb7c2556306d459534e6791f16c7013d0e9fcaf5
    Closes-Bug: #1804827
    (cherry picked from commit 3a6a55b8d03c1668c2edee7ff5b054cbe6a9c580)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_keystone (stable/ocata)

Reviewed: https://review.openstack.org/624436
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=bdce0d432f41ac643474a3162cc70392753cbd70
Submitter: Zuul
Branch: stable/ocata

commit bdce0d432f41ac643474a3162cc70392753cbd70
Author: Jesse Pretorius <email address hidden>
Date: Wed Nov 28 11:43:14 2018 +0000

    Ensure that LDAP config is deployed on all keystone hosts

    In I66ed21cdcf42d0c2012062c8cf74305fecbec312 the condition meant
    for the setup of the domain was mistakenly applied to all tasks
    including laying down the template.

    This patch moves the conditional which ensures the domain is setup
    on the first host to the task in question to ensure that everything
    is good and well with the world again.

    Change-Id: Icb7c2556306d459534e6791f16c7013d0e9fcaf5
    Closes-Bug: #1804827
    (cherry picked from commit 3a6a55b8d03c1668c2edee7ff5b054cbe6a9c580)

tags: added: in-stable-ocata
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_keystone (stable/pike)

Reviewed: https://review.openstack.org/624434
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=fc9df14b01908b5b8b038f6fbc9edb52c4765ddc
Submitter: Zuul
Branch: stable/pike

commit fc9df14b01908b5b8b038f6fbc9edb52c4765ddc
Author: Jesse Pretorius <email address hidden>
Date: Wed Nov 28 11:43:14 2018 +0000

    Ensure that LDAP config is deployed on all keystone hosts

    In I66ed21cdcf42d0c2012062c8cf74305fecbec312 the condition meant
    for the setup of the domain was mistakenly applied to all tasks
    including laying down the template.

    This patch moves the conditional which ensures the domain is setup
    on the first host to the task in question to ensure that everything
    is good and well with the world again.

    Change-Id: Icb7c2556306d459534e6791f16c7013d0e9fcaf5
    Closes-Bug: #1804827
    (cherry picked from commit 3a6a55b8d03c1668c2edee7ff5b054cbe6a9c580)

tags: added: in-stable-pike
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_keystone ocata-em

This issue was fixed in the openstack/openstack-ansible-os_keystone ocata-em release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_keystone 16.0.29

This issue was fixed in the openstack/openstack-ansible-os_keystone 16.0.29 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_keystone queens-eol

This issue was fixed in the openstack/openstack-ansible-os_keystone queens-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_keystone rocky-eol

This issue was fixed in the openstack/openstack-ansible-os_keystone rocky-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_keystone stein-eol

This issue was fixed in the openstack/openstack-ansible-os_keystone stein-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_keystone train-eol

This issue was fixed in the openstack/openstack-ansible-os_keystone train-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_keystone ussuri-eol

This issue was fixed in the openstack/openstack-ansible-os_keystone ussuri-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_keystone yoga-eom

This issue was fixed in the openstack/openstack-ansible-os_keystone yoga-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_keystone victoria-eom

This issue was fixed in the openstack/openstack-ansible-os_keystone victoria-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_keystone wallaby-eom

This issue was fixed in the openstack/openstack-ansible-os_keystone wallaby-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_keystone xena-eom

This issue was fixed in the openstack/openstack-ansible-os_keystone xena-eom release.
