when domain_specific_drivers_enabled=True keystone_user provider fails

Bug #1485508 reported by Vasyl Saienko
36
This bug affects 8 people
Affects Status Importance Assigned to Milestone
puppet-keystone
Fix Released
Undecided
Sofer Athlan-Guyot

Bug Description

when domain_specific_drivers_enabled=True in keystone, --domain <domain_name> option SHOULD be passed to openstack when calling user list

Steps to reproduce:

1) Enable domain_specific_drivers_enabled in keytsone:
2) restart keystone service
3) call: openstack user list

root@node-5:~# OS_IDENTITY_API_VERSION=3 OS_TOKEN=kHEpZfcX OS_URL=http://192.168.0.3:35357/v3/ openstack user list
ERROR: openstack The request you have made requires authentication. (HTTP 401) (Request-ID: req-d10def89-d594-4326-9ef9-3fd2796399b1)

As result keystone_use puppet provider fails:

simple.pp file http://paste.openstack.org/show/418940/

output of puppet apply simple.pp : http://paste.openstack.org/show/418942/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/213906

Changed in puppet-keystone:
assignee: nobody → Vasyl Saienko (vsaienko)
status: New → In Progress
Revision history for this message
Vasyl Saienko (vsaienko) wrote :

I'm using python-openstackclient 1.0.3

Revision history for this message
Emilien Macchi (emilienm) wrote :

So you're enabling domain_specific_drivers_enabled - which allows to run a subset (or all) of domains can have their own identity driver which is not exactly related to multidomains features.

I think, the bug is, when running multidomains, and enabling domain_specific_drivers_enabled, keystone_user provider might be broken. But I think multidomains without enabling domain_specific_drivers_enabled, the provider works.

Can you confirm all of this?

Revision history for this message
Vasyl Saienko (vsaienko) wrote :

you are right, it occurs only when domain_specific_drivers_enabled=True

description: updated
Vasyl Saienko (vsaienko)
tags: added: multidomains
Changed in puppet-keystone:
assignee: Vasyl Saienko (vsaienko) → Richard Megginson (rmeggins)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/226624

Changed in puppet-keystone:
assignee: Richard Megginson (rmeggins) → Gilles Dubreuil (gdubreui)
Changed in puppet-keystone:
assignee: Gilles Dubreuil (gdubreui) → Vasyl Saienko (vsaienko)
Changed in puppet-keystone:
assignee: Vasyl Saienko (vsaienko) → Gilles Dubreuil (gdubreui)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/299301

Changed in puppet-keystone:
assignee: Gilles Dubreuil (gdubreui) → Sofer Athlan-Guyot (sofer-athlan-guyot)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (master)

Reviewed: https://review.openstack.org/299301
Committed: https://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=64100bb284dbfb72f4af14eae9665ca042f0239a
Submitter: Jenkins
Branch: master

commit 64100bb284dbfb72f4af14eae9665ca042f0239a
Author: Sofer Athlan-Guyot <email address hidden>
Date: Wed Mar 30 13:00:58 2016 +0200

    Remove user/role prefetch to support multi-domain.

    In keystone when the multi-domain configuration is enable, listing all
    the user is no longer supported. You have to specify the domain. The
    rational is that some domain will have LDAP backend (possibly AD) with
    tons of users. Listing them all would not be reliable.

    The prefetch feature in puppet needs to know all users and create an
    associated object. This is not a good idea when the number of user is
    too high. Thus the removal of this is necessary. The rational for
    using prefetch is that checking all items in one go "cost" less than
    fetching individual information. As the number of user defined in the
    catalog is likely to be less than the number of user in the keystone db,
    this seems dubious that this would be case here, hence the removal.

    As a consequence the keystone_user_role needs prefetch removal as well.
    It actually greatly simplify the code. A cache is made for user and
    project id to minimize the number of requests to the minimum.

    Closes-Bug: 1554555
    Closes-Bug: 1485508

    Depends-On: I5b334e3ffd26df4ba8584d77a5e41b56e73536c8
    Change-Id: I8e117a9ddbd2ed5b3df739a0b27a66ad07a33e29

Changed in puppet-keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/306075

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/308365

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (stable/liberty)

Reviewed: https://review.openstack.org/308365
Committed: https://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=241f4cf91b3f5b3ac68b74d7e1ac80689123b082
Submitter: Jenkins
Branch: stable/liberty

commit 241f4cf91b3f5b3ac68b74d7e1ac80689123b082
Author: Sofer Athlan-Guyot <email address hidden>
Date: Wed Mar 30 13:00:58 2016 +0200

    Remove user/role prefetch to support multi-domain.

    In keystone when the multi-domain configuration is enable, listing all
    the user is no longer supported. You have to specify the domain. The
    rational is that some domain will have LDAP backend (possibly AD) with
    tons of users. Listing them all would not be reliable.

    The prefetch feature in puppet needs to know all users and create an
    associated object. This is not a good idea when the number of user is
    too high. Thus the removal of this is necessary. The rational for
    using prefetch is that checking all items in one go "cost" less than
    fetching individual information. As the number of user defined in the
    catalog is likely to be less than the number of user in the keystone db,
    this seems dubious that this would be case here, hence the removal.

    As a consequence the keystone_user_role needs prefetch removal as well.
    It actually greatly simplify the code. A cache is made for user and
    project id to minimize the number of requests to the minimum.

    When commit was cherry-picked from master 'domain_id_from_name' method
    in lib/puppet/provider/keystone_user/openstack.rb was replaced by
    'fetch_domain' method and call to 'self.class.request_without_retry'
    method was deleted in order to adopt the fix to stable/liberty.
    Also unit tests for 'exists?' method was modified.

    Closes-Bug: 1554555
    Closes-Bug: 1485508

    Change-Id: I8e117a9ddbd2ed5b3df739a0b27a66ad07a33e29
    (cherry picked from commit 64100bb284dbfb72f4af14eae9665ca042f0239a)

tags: added: in-stable-liberty
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (stable/mitaka)

Reviewed: https://review.openstack.org/306075
Committed: https://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=795bb1f60467fcbc56e094bb900a63dd64d8cc5f
Submitter: Jenkins
Branch: stable/mitaka

commit 795bb1f60467fcbc56e094bb900a63dd64d8cc5f
Author: Sofer Athlan-Guyot <email address hidden>
Date: Wed Mar 30 13:00:58 2016 +0200

    Remove user/role prefetch to support multi-domain.

    In keystone when the multi-domain configuration is enable, listing all
    the user is no longer supported. You have to specify the domain. The
    rational is that some domain will have LDAP backend (possibly AD) with
    tons of users. Listing them all would not be reliable.

    The prefetch feature in puppet needs to know all users and create an
    associated object. This is not a good idea when the number of user is
    too high. Thus the removal of this is necessary. The rational for
    using prefetch is that checking all items in one go "cost" less than
    fetching individual information. As the number of user defined in the
    catalog is likely to be less than the number of user in the keystone db,
    this seems dubious that this would be case here, hence the removal.

    As a consequence the keystone_user_role needs prefetch removal as well.
    It actually greatly simplify the code. A cache is made for user and
    project id to minimize the number of requests to the minimum.

    Closes-Bug: 1554555
    Closes-Bug: 1485508

    Depends-On: I5b334e3ffd26df4ba8584d77a5e41b56e73536c8
    Change-Id: I8e117a9ddbd2ed5b3df739a0b27a66ad07a33e29
    (cherry picked from commit 64100bb284dbfb72f4af14eae9665ca042f0239a)

tags: added: in-stable-mitaka
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/puppet-keystone 7.1.0

This issue was fixed in the openstack/puppet-keystone 7.1.0 release.

Revision history for this message
Thierry Carrez (ttx) wrote : Fix included in openstack/puppet-keystone 8.1.0

This issue was fixed in the openstack/puppet-keystone 8.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-keystone (master)

Change abandoned by Vasyl Saienko (<email address hidden>) on branch: master
Review: https://review.openstack.org/213906

Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/puppet-keystone 9.0.0

This issue was fixed in the openstack/puppet-keystone 9.0.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers