v3 domains not properly addressed

Bug #1547394 reported by Michal Ptacek
This bug affects 1 person
Affects: puppet-keystone
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Hi,

when trying to deploy keystone (from examples/v3_basic.pp)

class { '::keystone::roles::admin':
  email => '<email address hidden>',
  password => 'a_big_secret',
  admin => 'admin', # username
  admin_tenant => 'admin', # project name
  admin_user_domain => 'admin', # domain for user
  admin_tenant_domain => 'admin', # domain for project
}

the following problems are seen:

'admin_tenant_domain'
Error: Invalid parameter: 'admin_tenant_domain' on Class[Keystone::Roles::Admin]
But when changing to the correct 'admin_project_domain', stacking crashed again with

Debug: Executing: '/bin/openstack project show --format shell admin --domain Default'
Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[admin@admin]: Could not evaluate: No project admin with domain Default found

From the openstack CLI commands called, it looks like @admin_user_domain or @admin_project_domain is not propagated properly somewhere, and the script is still looking for the project in the "Default" domain

Debug: Executing: '/bin/openstack domain list --quiet --format csv'
Debug: Executing: '/bin/openstack domain create --format shell admin --enable'
Debug: Prefetching openstack resources for keystone_tenant
Debug: Executing: '/bin/openstack project list --quiet --format csv --long'
Debug: Executing: '/bin/openstack project create --format shell services --enable --description Tenant for the openstack services --domain Default'
Debug: Executing: '/bin/openstack project create --format shell admin --enable --description admin tenant --domain admin'
Debug: Prefetching openstack resources for keystone_role
Debug: Executing: '/bin/openstack role list --quiet --format csv'
Debug: Executing: '/bin/openstack role create --format shell admin'
Debug: Prefetching openstack resources for keystone_user
Debug: Executing: '/bin/openstack user list --quiet --format csv --long'
Debug: Executing: '/bin/openstack user create --format shell admin --enable --password a_big_secret --email <email address hidden> --domain admin'
Debug: Executing: '/bin/openstack project show --format shell admin --domain Default'
Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[admin@admin]: Could not evaluate: No project admin with domain Default found

If I am using "Default" domains, it works just fine ....

Eventually the deployment will fail anyway, as visible from the second run log:
During endpoint creation, service list is called with the --long argument, which is not supported in the V3 openstack API.

Error: Failed to apply catalog: Execution of '/bin/openstack service list --quiet --format csv --long' returned 2: usage: openstack service list [-h] [-f {csv,table}] [-c COLUMN]
                              [--max-width <integer>]
                              [--quote {all,minimal,none,nonnumeric}]
openstack service list: error: unrecognized arguments: --long
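
A log check for the symptom reported above, added here as an example (it is not part of the original report or of puppet-keystone): it reads Puppet debug output and flags any `openstack project show` lookup whose `--domain` differs from the domain the project was created in. The function name and the regular expression are assumptions that rely only on the command shapes visible in this report's log.

```python
import re

# Matches the 'project create' / 'project show' invocations as they appear in
# the Puppet debug output quoted in this report. Assumption: the project name is
# the first token after '--format shell' and '--domain <name>' is the last option.
EXEC = re.compile(
    r"Executing: '\S*openstack project (create|show) --format shell (\S+) .*--domain (\S+)'"
)

# Constructed sample: a subset of the Debug lines from the report above.
SAMPLE_LOG = """\
Debug: Executing: '/bin/openstack domain create --format shell admin --enable'
Debug: Executing: '/bin/openstack project create --format shell services --enable --description Tenant for the openstack services --domain Default'
Debug: Executing: '/bin/openstack project create --format shell admin --enable --description admin tenant --domain admin'
Debug: Executing: '/bin/openstack role create --format shell admin'
Debug: Executing: '/bin/openstack project show --format shell admin --domain Default'
"""


def find_domain_mismatches(log_text):
    """Return (line_no, project, looked_up_domain, created_domains) tuples for
    every 'project show' that asks for a project in a domain other than the
    one(s) it was created in earlier in the same log."""
    created = {}   # project name -> set of domains it was created in
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = EXEC.search(line)
        if not match:
            continue
        action, project, domain = match.groups()
        if action == "create":
            created.setdefault(project, set()).add(domain)
        elif project in created and domain not in created[project]:
            findings.append((line_no, project, domain, sorted(created[project])))
    return findings


if __name__ == "__main__":
    for line_no, project, asked, actual in find_domain_mismatches(SAMPLE_LOG):
        print(f"line {line_no}: project '{project}' looked up in domain "
              f"'{asked}' but created in {actual}")
```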

Michal Ptacek (michalx-ptacek) wrote :
description: updated
Robert Davidson (rdavidso) wrote :

While it is not a fix for the underlying problem with the invocation of keystone_user_role in keystone::role::admin, you can work around it like so:

 class { '::keystone::roles::admin':
   email => '<email address hidden>',
   password => 'a_big_secret',
   admin => 'admin', # username
   admin_tenant => 'openstack', # project name
   admin_user_domain => 'admin', # domain for user
   admin_project_domain => 'admin', # domain for project
   service_project_domain => 'Default',
   configure_user_role => false,
 }

 keystone_user_role { "admin::admin@openstack::admin":
   ensure => present,
   roles => ['admin'],
 }

Changed in puppet-keystone:
status: New → Invalid
Michal Ptacek (michalx-ptacek) wrote :

This problem disappeared with a newer version of OSC (1.7.0); formerly the Ubuntu 14.04 LTS version was used (too old).
