v3 domains not properly addressed

Bug #1547394 reported by Michal Ptacek
This bug affects 1 person
Affects: puppet-keystone
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Hi,

when trying to deploy keystone (from examples/v3_basic.pp)

class { '::keystone::roles::admin':
  email => '<email address hidden>',
  password => 'a_big_secret',
  admin => 'admin', # username
  admin_tenant => 'admin', # project name
  admin_user_domain => 'admin', # domain for user
  admin_tenant_domain => 'admin', # domain for project
}

The following problems are seen:

'admin_tenant_domain'
Error: Invalid parameter: 'admin_tenant_domain' on Class[Keystone::Roles::Admin]
But when changing to the correct 'admin_project_domain', stacking again crashed with:

Debug: Executing: '/bin/openstack project show --format shell admin --domain Default'
Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[admin@admin]: Could not evaluate: No project admin with domain Default found

From the openstack CLI commands called, it looks like @admin_user_domain or @admin_project_domain is not propagated properly somewhere, and the script is still looking for the project in the "Default" domain.

Debug: Executing: '/bin/openstack domain list --quiet --format csv'
Debug: Executing: '/bin/openstack domain create --format shell admin --enable'
Debug: Prefetching openstack resources for keystone_tenant
Debug: Executing: '/bin/openstack project list --quiet --format csv --long'
Debug: Executing: '/bin/openstack project create --format shell services --enable --description Tenant for the openstack services --domain Default'
Debug: Executing: '/bin/openstack project create --format shell admin --enable --description admin tenant --domain admin'
Debug: Prefetching openstack resources for keystone_role
Debug: Executing: '/bin/openstack role list --quiet --format csv'
Debug: Executing: '/bin/openstack role create --format shell admin'
Debug: Prefetching openstack resources for keystone_user
Debug: Executing: '/bin/openstack user list --quiet --format csv --long'
Debug: Executing: '/bin/openstack user create --format shell admin --enable --password a_big_secret --email <email address hidden> --domain admin'
Debug: Executing: '/bin/openstack project show --format shell admin --domain Default'
Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[admin@admin]: Could not evaluate: No project admin with domain Default found

If I am using "Default" domains, it works just fine ....

Eventually the deployment will fail anyway, as visible from the second run log:
During endpoint creation, service list is called with the --long argument, which is not supported in the V3 openstack API.

Error: Failed to apply catalog: Execution of '/bin/openstack service list --quiet --format csv --long' returned 2: usage: openstack service list [-h] [-f {csv,table}] [-c COLUMN]
                              [--max-width <integer>]
                              [--quote {all,minimal,none,nonnumeric}]
openstack service list: error: unrecognized arguments: --long

Michal Ptacek (michalx-ptacek) wrote :
description: updated
Robert Davidson (rdavidso) wrote :

While it is not a fix for the underlying problem with the invocation of keystone_user_role in keystone::role::admin, you can work around it like so:

 class { '::keystone::roles::admin':
   email => '<email address hidden>',
   password => 'a_big_secret',
   admin => 'admin', # username
   admin_tenant => 'openstack', # project name
   admin_user_domain => 'admin', # domain for user
   admin_project_domain => 'admin', # domain for project
   service_project_domain => 'Default',
   configure_user_role => false,
 }

 keystone_user_role { "admin::admin@openstack::admin":
   ensure => present,
   roles => ['admin'],
 }

Changed in puppet-keystone:
status: New → Invalid
Michal Ptacek (michalx-ptacek) wrote :

This problem disappeared with a newer version of OSC (1.7.0); formerly the Ubuntu 14.04 LTS version was used (too old).
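
Added example (not part of the original report and not puppet-keystone code): a Python check that scans Puppet debug output like the log in the bug description and flags any `openstack ... show` lookup whose --domain differs from the domain the same resource was created in during that run. The function name and the regular expression are assumptions made for this illustration; the sample lines are copied from the log in the bug description.

```python
import re

# Sample input: lines copied from the debug log in the bug description.
SAMPLE_LOG = """\
Debug: Executing: '/bin/openstack domain create --format shell admin --enable'
Debug: Executing: '/bin/openstack project create --format shell services --enable --description Tenant for the openstack services --domain Default'
Debug: Executing: '/bin/openstack project create --format shell admin --enable --description admin tenant --domain admin'
Debug: Executing: '/bin/openstack user create --format shell admin --enable --password a_big_secret --email <email address hidden> --domain admin'
Debug: Executing: '/bin/openstack project show --format shell admin --domain Default'
"""

# Assumed line shape (taken from the log above): the resource name follows
# "--format shell" and the domain is the value of the trailing --domain flag.
# The unquoted multi-word --description is skipped by the lazy ".*?".
EXEC_RE = re.compile(
    r"Executing: '\S*openstack (project|user) (create|show) "
    r"--format shell (\S+)(?: .*?)?--domain (\S+)'"
)


def find_domain_mismatches(log_text):
    """Return (kind, name, looked_up_domain, created_domains) for every
    'show' that targets a domain the resource was not created in.

    Only resources created earlier in the same log are checked, so a
    lookup of a resource from a previous run is never flagged.
    """
    created = {}  # (kind, name) -> set of domains seen in 'create' calls
    mismatches = []
    for line in log_text.splitlines():
        match = EXEC_RE.search(line)
        if not match:
            continue
        kind, action, name, domain = match.groups()
        key = (kind, name)
        if action == "create":
            created.setdefault(key, set()).add(domain)
        elif key in created and domain not in created[key]:
            mismatches.append((kind, name, domain, sorted(created[key])))
    return mismatches


if __name__ == "__main__":
    for kind, name, looked_up, made_in in find_domain_mismatches(SAMPLE_LOG):
        print(f"{kind} '{name}': looked up in domain {looked_up}, "
              f"created in {', '.join(made_in)}")
```
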
