[openstackclient] Existing user validation from different domain fails

Bug #1871144 reported by Henrique Santos
Affects           Status        Importance  Assigned to      Milestone
OpenStack + Chef  Fix Released  Undecided   Henrique Santos

Bug Description

The "create" action from the "openstack_user" resource defined in the "openstackclient" cookbook does not perform correct validation if the indicated user is from a domain other than "default".

From "cookbook-openstackclient/libraries/openstack_user.rb":
"
    action :create do
      user = new_resource.connection.users.find { |u| u.name == new_resource.user_name }
      project = new_resource.connection.projects.find { |p| p.name == new_resource.project_name }
      domain = new_resource.connection.domains.find { |u| u.name == new_resource.domain_name }
      if user
        log "User with name: \"#{new_resource.user_name}\" already exists"
"

I believe that the line "user = new_resource.connection.users.find { |u| u.name == new_resource.user_name }" does not find users from all domains, only users from the "default" domain or the domain related to the credentials used.
Therefore when the validation for the existence of the user is done, it always reports the user does not exist if the domain of the user is different.

Example:

The "openstack-orchestration::identity_registration" recipe creates users for the orchestration service using the "openstack_user" resource, so it creates the "heat_domain_admin" user in the "heat" domain, as shown below, and does it correctly.

# Create heat_domain_admin in domain heat
openstack_user stack_domain_admin do
  domain_name heat_domain_name
  password stack_domain_admin_password
  connection_params connection_params
end

However, when running this recipe for the second time, it fails because of this resource with the following error:
"
FATAL: Excon::Error::Conflict: openstack_user[heat_domain_admin] (openstack-orchestration::identity_registration line 168) had an error: Excon::Error::Conflict: Expected([201]) <=> Actual(409 Conflict)
       excon.error.response
         :body => "{\"error\": {\"message\": \"Conflict occurred attempting to store user - Duplicate entry found with name heat_domain_admin at domain ID 3164c1efabb64720a974db32618421d7.\", \"code\": 409, \"title\": \"Conflict\"}}"
         :cookies => [
         ]
         :headers => {
           "Content-Length" => "201"
           "Content-Type" => "application/json"
           "Date" => "Tue, 24 Mar 2020 17:34:46 GMT"
           "Server" => "Apache"
           "Vary" => "X-Auth-Token"
           "x-openstack-request-id" => "req-3f0eeef5-bdc9-4f36-8f69-1d4ca8459530"
         }
         :host => "127.0.0.1"
         :local_address => "127.0.0.1"
         :local_port => 48006
         :path => "/v3/users"
         :port => 5000
         :reason_phrase => "Conflict"
         :remote_ip => "127.0.0.1"
         :status => 409
         :status_line => "HTTP/1.1 409 Conflict\r\n"
"

It indicates that the "openstack_user" resource tried to create the user even though it already exists. However, this resource should detect the existence of the user and report that the user already exists, just as happens with other users created in the "default" domain in this recipe:
"
        * openstack_user[heat] action create
           * log[User with name: "heat" already exists] action write
"

Revision history for this message
Henrique Santos (hsantos25) wrote :

After reviewing the code in "cookbook-openstackclient/libraries/openstack_user.rb", I believe the user validation is not done correctly in the other actions either, i.e. ":delete", ":grant_role", ":revoke_role", etc.

Henrique Santos (hsantos25) wrote :

I have discovered that this behavior happens with the following setting on the keystone.conf:
"
[identity]
domain_specific_drivers_enabled = True
"
User listing is affected with this setting, as noted here https://docs.openstack.org/keystone/latest/admin/configuration.html :
"
It is important to notice that by enabling either of the domain-specific configuration methods, the operations of listing all users and listing all groups are not supported, those calls will need either a domain filter to be specified or usage of a domain scoped token.
"
Therefore, when performing a user listing, the Keystone API will not return all users or groups from all domains.
This explains why "user = new_resource.connection.users.find { |u| u.name == new_resource.user_name }" doesn't return the user from a different domain in my scenario.

Nevertheless, as noted here https://docs.openstack.org/keystone/latest/getting-started/architecture.html , the names of projects, users and groups are only unique to the domain they belong to, so any user or project search by its name has to be done with the domain they belong to.
This does not happen in all resources in "cookbook-openstackclient/libraries/openstack_user.rb" at least.
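
The following Ruby is an added example, not code from cookbook-openstackclient or Fog: it models the lookup problem described in this report with a FakeKeystone stand-in whose unfiltered user listing returns only the token's domain (the behaviour the Keystone admin guide describes for domain_specific_drivers_enabled), and places the original name-only search beside a domain-scoped one. The class, domain IDs and users are constructed; the duplicated "admin" name shows why a name-only match can resolve to a different principal than intended before a role is granted.

```ruby
# Added example (not cookbook-openstackclient or Fog code); all data is constructed.
Domain = Struct.new(:name, :id)
User   = Struct.new(:name, :domain_id)

# Constructed sample directory. Keystone v3 user names are unique only within
# a domain, so 'admin' may legitimately exist in both domains.
DOMAINS = [
  Domain.new('default', 'd0000000000000000000000000000001'),
  Domain.new('heat',    'd0000000000000000000000000000002'),
].freeze
DEFAULT_ID, HEAT_ID = DOMAINS.map(&:id)

USERS = [
  User.new('heat',              DEFAULT_ID),
  User.new('heat_domain_admin', HEAT_ID),
  User.new('admin',             DEFAULT_ID),
  User.new('admin',             HEAT_ID),
].freeze

# Stand-in for a Keystone client with domain_specific_drivers_enabled = True:
# an unfiltered listing returns only the token's domain (per the Keystone admin
# guide); a listing filtered by domain_id returns that domain's users.
class FakeKeystone
  def initialize(token_domain_id)
    @token_domain_id = token_domain_id
  end
  def domains
    DOMAINS
  end
  def users(filter = {})
    scope = filter[:domain_id] || @token_domain_id
    USERS.select { |u| u.domain_id == scope }
  end
end

# Name-only lookup as in the original openstack_user resource: cannot see users
# outside the token's domain, so the resource wrongly tries to create them.
def find_user_by_name(conn, user_name)
  conn.users.find { |u| u.name == user_name }
end

# Domain-scoped lookup: resolve the domain, then search within it, so the
# match is the intended principal and not a same-named user elsewhere.
def find_user_in_domain(conn, user_name, domain_name)
  domain = conn.domains.find { |d| d.name == domain_name }
  return nil unless domain
  conn.users(domain_id: domain.id).find { |u| u.name == user_name }
end
```

With a default-domain token, the name-only search misses heat_domain_admin (reproducing the 409 Conflict on the second run), while the scoped search finds it and keeps the two "admin" users apart.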

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstackclient (master)

Fix proposed to branch: master
Review: https://review.opendev.org/720003

Changed in openstack-chef:
assignee: nobody → Henrique Santos (hsantos25)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstackclient (master)

Reviewed: https://review.opendev.org/720003
Committed: https://git.openstack.org/cgit/openstack/cookbook-openstackclient/commit/?id=3ae01161cd39530361f1a482ebceb5098fb342bc
Submitter: Zuul
Branch: master

commit 3ae01161cd39530361f1a482ebceb5098fb342bc
Author: Henrique Santos <email address hidden>
Date: Tue Apr 14 16:02:48 2020 +0100

    Fixes user and project search by name in openstack_user resource

    As project and user names are only unique for each domain and some
    Keystone settings may filter user listing, any user or project search by
    name needs to include the associated domain.

    This change fixes any search done by name of a project or user in the
    openstack_user resource. It is assumed that if no domain is specified
    and there are multiple elements with the same name, the first search
    result is chosen.

    Closes-Bug: #1871144

    Change-Id: I0ed3ffabab5f8b0959c3b2c50a3619f378e59c9e
    Signed-off-by: Henrique Santos <email address hidden>

Changed in openstack-chef:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstackclient (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/730475

OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstackclient (stable/stein)

Reviewed: https://review.opendev.org/730475
Committed: https://git.openstack.org/cgit/openstack/cookbook-openstackclient/commit/?id=3085252eab26a937f3c583013084dbfda002d98d
Submitter: Zuul
Branch: stable/stein

commit 3085252eab26a937f3c583013084dbfda002d98d
Author: Henrique Santos <email address hidden>
Date: Tue Apr 14 16:02:48 2020 +0100

    Fixes user and project search by name in openstack_user resource

    As project and user names are only unique for each domain and some
    Keystone settings may filter user listing, any user or project search by
    name needs to include the associated domain.

    This change fixes any search done by name of a project or user in the
    openstack_user resource. It is assumed that if no domain is specified
    and there are multiple elements with the same name, the first search
    result is chosen.

    Closes-Bug: #1871144

    Change-Id: I0ed3ffabab5f8b0959c3b2c50a3619f378e59c9e
    Signed-off-by: Henrique Santos <email address hidden>

tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstackclient (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/730579

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstackclient (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/730601

OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstackclient (stable/rocky)

Reviewed: https://review.opendev.org/730601
Committed: https://git.openstack.org/cgit/openstack/cookbook-openstackclient/commit/?id=6fd801ac2af464c7e074ba2a367733904b7c62cf
Submitter: Zuul
Branch: stable/rocky

commit 6fd801ac2af464c7e074ba2a367733904b7c62cf
Author: Henrique Santos <email address hidden>
Date: Tue Apr 14 16:02:48 2020 +0100

    Fixes user and project search by name in openstack_user resource

    As project and user names are only unique for each domain and some
    Keystone settings may filter user listing, any user or project search by
    name needs to include the associated domain.

    This change fixes any search done by name of a project or user in the
    openstack_user resource. It is assumed that if no domain is specified
    and there are multiple elements with the same name, the first search
    result is chosen.

    Closes-Bug: #1871144

    Change-Id: I0ed3ffabab5f8b0959c3b2c50a3619f378e59c9e
    Signed-off-by: Henrique Santos <email address hidden>
    (cherry picked from commit 3085252eab26a937f3c583013084dbfda002d98d)

tags: added: in-stable-rocky
tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstackclient (stable/queens)

Reviewed: https://review.opendev.org/730579
Committed: https://git.openstack.org/cgit/openstack/cookbook-openstackclient/commit/?id=bd26a63da98d62eee898fa4e4005293fd89e133a
Submitter: Zuul
Branch: stable/queens

commit bd26a63da98d62eee898fa4e4005293fd89e133a
Author: Henrique Santos <email address hidden>
Date: Tue Apr 14 16:02:48 2020 +0100

    Fixes user and project search by name in openstack_user resource

    As project and user names are only unique for each domain and some
    Keystone settings may filter user listing, any user or project search by
    name needs to include the associated domain.

    This change fixes any search done by name of a project or user in the
    openstack_user resource. It is assumed that if no domain is specified
    and there are multiple elements with the same name, the first search
    result is chosen.

    Closes-Bug: #1871144

    Change-Id: I0ed3ffabab5f8b0959c3b2c50a3619f378e59c9e
    Signed-off-by: Henrique Santos <email address hidden>
