openstack cli provider needs to pass domain in v3 calls
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
puppet-keystone | Fix Released | Undecided | Sofer Athlan-Guyot |
Bug Description
When running keystone module with v3/domains, if the option domain_
Debug: Executing '/usr/bin/openstack user list --quiet --format csv --long'
Error: Could not prefetch keystone_user provider 'openstack': Could not authenticate.
When I run this command with the following environment variables set
{"OS_IDENTITY_
I get the following output.
# /usr/bin/openstack user list --quiet --format csv --long
The request you have made requires authentication. (HTTP 401) (Request-ID: req-4f4ff6e2-
When I add --domain to the cli call I get this.
# /usr/bin/openstack user list --quiet --format csv --long --domain default
"ID","Name"
"09125f5ea1e449
If I modify a line in keystone_user provider (https:/
users = request('user', 'list', ['--long'])
to
users = request('user', 'list', ['--long', '--domain', default_domain])
Everything starts working.
The CLI does not care whether any of the domain env variables are set; it looks like it will only work with the parameter being passed to the CLI call in the provider.
Changed in python-keystoneclient:
assignee: nobody → Matthew J Black (mjblack)
affects: python-keystoneclient → puppet-keystone
Changed in puppet-keystone:
status: New → Confirmed
Changed in puppet-keystone:
status: Confirmed → In Progress
Oki, I could reproduce the exact same error using:
include ::openstack_integration
include ::openstack_integration::repos
include ::openstack_integration::mysql
class { '::openstack_integration::keystone':
  using_domain_config => true,
}
::keystone::resource::service_identity { 'beaker-ci':
  service_type => 'beaker',
  service_description => 'beaker service',
  service_name => 'beaker',
  password => 'secret',
  public_url => 'http://127.0.0.1:1234',
  admin_url => 'http://127.0.0.1:1234',
  internal_url => 'http://127.0.0.1:1234',
}
# v3 admin
# we don't use ::keystone::roles::admin but still create resources manually
keystone_domain { 'admin_domain':
  ensure => present,
  enabled => true,
  description => 'Domain for admin v3 users',
}
keystone_domain { 'service_domain':
  ensure => present,
  enabled => true,
  description => 'Domain for admin v3 users',
}
keystone_tenant { 'servicesv3::service_domain':
  ensure => present,
  enabled => true,
  description => 'Tenant for the openstack services',
}
keystone_tenant { 'openstackv3::admin_domain':
  ensure => present,
  enabled => true,
  description => 'admin tenant',
}
keystone_user { 'adminv3::admin_domain':
  ensure => present,
  enabled => true,
  email => '<email address hidden>',
  password => 'a_big_secret',
}
keystone_user_role { 'adminv3::admin_domain@openstackv3::admin_domain':
  ensure => present,
  roles => ['admin'],
}
# service user exists only in the service_domain - must
# use v3 api
::keystone::resource::service_identity { 'beaker-civ3::service_domain':
  service_type => 'beakerv3',
  service_description => 'beakerv3 service',
  service_name => 'beakerv3',
  password => 'secret',
  tenant => 'servicesv3::service_domain',
  public_url => 'http://127.0.0.1:1234/v3',
  admin_url => 'http://127.0.0.1:1234/v3',
  internal_url => 'http://127.0.0.1:1234/v3',
  user_domain => 'service_domain',
  project_domain => 'service_domain',
}
The (first?) problem here is that the prefetch of the user resource
comes before the creation of the /root/openrc and (for the first
initial run) uses the admin_token authentication like this:
#<Puppet::Provider::Openstack::CredentialsV3:0x000000045373d0 @identity_api_version="3", @token="admin_token", @url="http://127.0.0.1:35357/v3">
This fails with a "401" error on the keystone server side.
Prefetching service and domain is not an issue though, as can be seen
on this log:
Info: /Stage[main]/Apache::Service/Service[httpd]: Unscheduling refresh on Service[httpd]
Debug: Class[Apache::Service]: The container Stage[main] will propagate my refresh event
Debug: Prefetching openstack resources for keystone_service
Debug: Executing '/bin/openstack service list --quiet --format csv --long'
Debug: Prefetchi...