Creating Keystone users with a password in the puppet module (Kilo&Liberty) throws error at second puppetrun

Bug #1477093 reported by Robert van Leeuwen on 2015-07-22
This bug affects 4 people

Bug Description

I am using the Kilo puppet recipes to set up Kilo on Ubuntu 14.04 to test the latest Puppet recipes with Vagrant.
I am creating a keystone admin user from within the puppet recipe.
Creating the keystone user works fine but the second puppetrun gives an error if the password is set for the user you want to create.
Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user[admin]: Could not evaluate: Execution of '/usr/bin/openstack token issue --format value' returned 1: ERROR: openstack The resource could not be found.

* When you do not pass the password in the keystone_user native type it does not throw an error.
* The first run will create the user successfully and set the password
* After sourcing the credentials file, manually running "/usr/bin/openstack token issue --format value" also does not give an error.
(I could not immediately find where puppet decides this command is run and with which credentials.)

Example puppet keystone user config which breaks after the second run:
  keystone_user { 'admin':
    password => $::openstack::config::keystone_admin_password, #Removing this line fixes the issue
    email => 'admin@openstack',
    ensure => present,
    enabled => True,
  }

I did not experience these issues with the Juno recipe

Piotr Kasprzak (piotr-kasprzak) wrote :

Same problem / workaround here.

I can also confirm that the problem did not occur with the master branch from one month ago (i.e. before the keystone v3 stuff was merged).

I have captured all the http communication between the puppet module and keystone here:

'e68fd27a4c7a46f18b4b7555ecce6fb4' is the id of the admin user for whom the problem occurs:

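 root@controller1:~# openstack user show e68fd27a4c7a46f18b4b7555ecce6fb4
 +-----------+----------------------------------+
 | Field     | Value                            |
 +-----------+----------------------------------+
 | domain_id | default                          |
 | email     | <email address hidden>           |
 | enabled   | True                             |
 | id        | e68fd27a4c7a46f18b4b7555ecce6fb4 |
 | name      | admin                            |
 +-----------+----------------------------------+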

Of course I can provide further information if requested.


Matt Fischer (mfisch) wrote :

Also occurs on stable/kilo branch.

Changed in puppet-keystone:
importance: Undecided → High

Matt Fischer (mfisch) wrote :

I've found this happens if you run puppet after sourcing an admin openrc.

Matt Fischer (mfisch) wrote :

More details.

I can repro this by simply setting OS_AUTH_URL=http://IP:5000/v2.0 but NOT when setting OS_AUTH_URL=http://IP:5000/v3.

Alex Schultz (alex-schultz) wrote :

So this appears to be an issue of v2 vs v3 and the puppet provider for the password parameter of keystone_user[0]. We've discovered that if your openrc contains a v2 url, you have sourced it, and you attempt to run puppet, it will result in this error. I believe the priority of the credentials is ENVIRONMENT > PUPPET, so it may attempt to use a domain-scoped token against the v2 endpoint, resulting in an error. We may need to check the auth url version and not try domains against a v2 auth url. You can also pass in replace_password = false and it'll skip all this logic.
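
The auth URL version check suggested in the comment above, as an added Ruby example; it is not puppet-keystone's provider code and not part of the original thread. The helper names and sample credentials are hypothetical, and the ENVIRONMENT > PUPPET merge models the precedence the commenter believes applies.

```ruby
require 'uri'

# Hypothetical helper names; this is not puppet-keystone provider code.

# Returns the Identity API major version (2 or 3) named at the end of the
# auth URL path, or nil when the URL is unversioned or cannot be parsed.
def auth_url_version(url)
  path = URI.parse(url.to_s.strip).path.to_s
  m = path.match(%r{/v(\d+)(?:\.\d+)?/?\z})
  m && m[1].to_i
rescue URI::InvalidURIError
  nil
end

# Assumed precedence (ENVIRONMENT > PUPPET): any non-empty OS_* variable in
# the environment overrides the value supplied by the manifest.
def effective_credentials(env, puppet)
  puppet.merge(env.select { |k, v| k.start_with?('OS_') && !v.to_s.empty? })
end

DOMAIN_KEYS = %w[OS_DOMAIN_NAME OS_DOMAIN_ID
                 OS_USER_DOMAIN_NAME OS_USER_DOMAIN_ID
                 OS_PROJECT_DOMAIN_NAME OS_PROJECT_DOMAIN_ID].freeze

# Drops domain parameters when the winning auth URL is v2.0 (the v2.0 API has
# no domains) and returns what was dropped so the run can log it.
def credentials_for_token_issue(env, puppet)
  creds = effective_credentials(env, puppet)
  return [creds, []] unless auth_url_version(creds['OS_AUTH_URL']) == 2
  dropped = creds.keys & DOMAIN_KEYS
  [creds.reject { |k, _| DOMAIN_KEYS.include?(k) }, dropped]
end

# Constructed sample data (address from the documentation range).
PUPPET = { 'OS_AUTH_URL' => 'http://192.0.2.10:5000/v3',
           'OS_USERNAME' => 'admin', 'OS_DOMAIN_NAME' => 'Default' }.freeze
SOURCED_OPENRC = { 'OS_AUTH_URL' => 'http://192.0.2.10:5000/v2.0',
                   'PATH' => '/usr/bin' }.freeze

if __FILE__ == $PROGRAM_NAME
  creds, dropped = credentials_for_token_issue(SOURCED_OPENRC, PUPPET)
  puts "auth url: #{creds['OS_AUTH_URL']}, dropped: #{dropped.inspect}"
end
```

With the sourced v2.0 openrc the environment URL wins and the domain parameter is dropped; with an empty environment the manifest's v3 URL and domain are kept unchanged.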


Matt Fischer (mfisch) on 2016-01-25
summary: - Creating Keystone users with a password in the puppet module (Kilo)
- throws error at second puppetrun
+ Creating Keystone users with a password in the puppet module
+ (Kilo&Liberty) throws error at second puppetrun