puppet-keystone

Creating Keystone users with a password in the puppet module (Kilo&Liberty) throws error at second puppetrun

Bug #1477093 reported by Robert van Leeuwen on 2015-07-22

This bug affects 4 people

Affects

Status

Importance

Assigned to

Milestone

puppet-keystone

New

High

Unassigned

You need to log in to change this bug's status.

Affecting:	puppet-keystone
Filed here by:	Robert van Leeuwen
When:	2015-07-22

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance
	High

Assigned to

	Nobody
	Me

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

I am using the Kilo puppet recipes to setup Kilo on Ubuntu 14.04 to test the latest Puppet recipes with Vagrant.
I am creating an keystone admin user from within the puppet recipe.
Creating the keystone user works fine but the second puppetrun gives an error if the password is set for the user you want to create.
Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user[admin]: Could not evaluate: Execution of '/usr/bin/openstack token issue --format value' returned 1: ERROR: openstack The resource could not be found.

* When you do not pass the password in the keystone_user native type it does not throw an error.
* The first run will create the user successfully and set the password
* After sourcing the credentials file and running manually "/usr/bin/openstack token issue --format value” also does not give an error.
( I could not immediately find where puppet decides this command is run and with which credentials. )

Example puppet keystone user config which breaks after the second run:
  keystone_user { 'admin':
    password => $::openstack::config::keystone_admin_password, #Removing this line fixes the issue
    email => 'admin@openstack',
    ensure => present,
    enabled => True,
}

I did not experience these issues with the Juno recipe

Add tags Tag help

Piotr Kasprzak (piotr-kasprzak) wrote on 2015-08-07:

Same problem / workaround here.

I can also confirm that the problem did not occur with the master branch from one month ago (i.e. before the keystone v3 stuff was merged).

I have captured all the http communication between the puppet module and and keystone here:
https://gist.github.com/pkasprzak/933cbe9d87eeb87164fa

'e68fd27a4c7a46f18b4b7555ecce6fb4' is the id of the admin user for whom the problem occurs:

Of course I can provide further information if requested.

Thanks!

Matt Fischer (mfisch) wrote on 2015-08-27:

Also occurs on stable/kilo branch.

Changed in puppet-keystone:
importance:	Undecided → High

Matt Fischer (mfisch) wrote on 2015-09-02:

I've found this happens if you run puppet after sourcing an admin openrc.

Matt Fischer (mfisch) wrote on 2015-09-02:

More details.

I can repro this by simply setting OS_AUTH_URL=http://IP:5000/v2.0 but NOT when setting OS_AUTH_URL=http://IP:5000/v3.

Alex Schultz (alex-schultz) wrote on 2015-09-02:

So this appears to be an issue of v2 vs v3 and the puppet provider for the password parameter of keystone_user[0]. We've discovered that if your openrc contains a v2 url, you have sourced it and you attempt to run puppet it will result in this error. I believe the priority of the credentials is ENVIRONMENT > PUPPET so it may attempt to use a domain scoped token against the v2 endpoint resulting in error. We may need to check the auth url version and not try domains against a v2 auth url. Also you can also pass in replace_password = false and it'll skip all this logic.

[0] https://github.com/openstack/puppet-keystone/blob/master/lib/puppet/provider/keystone_user/openstack.rb#L94-L133

Matt Fischer (mfisch) on 2016-01-25

summary:

- Creating Keystone users with a password in the puppet module (Kilo)
- throws error at second puppetrun
+ Creating Keystone users with a password in the puppet module
+ (Kilo&Liberty) throws error at second puppetrun

Report a bug

This report contains Public information Edit

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers