Activity log for bug #1614141

Date Who What changed Old value New value Message
2016-08-17 15:21:57 Franciraldo Cavalcante bug added bug
2016-08-17 15:25:25 Franciraldo Cavalcante description

Old value:

We're trying to create a new domain, for heat for our OpenStack deployment. Currently only using default/Default (id/name). I've made the addition to create the domain and its manager user, through puppet. I could test the new functionality through a puppet agent update.

When I build my Keystone node from scratch, though, puppet-keystone seems to change the default id to the heat domain:

[-- message on keystone creation --]
==> dev01-keystone-001: Warning: Puppet::Type::Keystone_user::ProviderOpenstack: Support for a resource without the domain set is deprecated in Liberty cycle. It will be dropped in the M-cycle. Currently using 'Default' as default domain name while the default domain id is 'e3f9107d5bea4feaac91e486a5db64b5'.

[-- two domains created --]
[DEV] root@dev01-build-001:/etc/puppet# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID                               | Name    | Enabled | Description        |
+----------------------------------+---------+---------+--------------------+
| default                          | Default | True    | The default domain |
| e3f9107d5bea4feaac91e486a5db64b5 | heat    | True    |                    |
+----------------------------------+---------+---------+--------------------+

[-- Authentication Error --]

Even if I set the identity/default_domain_id to default, the mistake persists. Please let me know if there's a way around this problem.

New value:

We're trying to create a new domain, for heat for our OpenStack deployment. Currently only using default/Default (id/name). I've made the addition to create the domain and its manager user, through puppet. I could test the new functionality through a puppet agent update.

When I build my Keystone node from scratch, though, puppet-keystone seems to change the default id to the heat domain:

[-- message on keystone creation --]
==> dev01-keystone-001: Warning: Puppet::Type::Keystone_user::ProviderOpenstack: Support for a resource without the domain set is deprecated in Liberty cycle. It will be dropped in the M-cycle. Currently using 'Default' as default domain name while the default domain id is 'e3f9107d5bea4feaac91e486a5db64b5'.

[-- two domains created --]
[DEV] root@dev01-build-001:/etc/puppet# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID                               | Name    | Enabled | Description        |
+----------------------------------+---------+---------+--------------------+
| default                          | Default | True    | The default domain |
| e3f9107d5bea4feaac91e486a5db64b5 | heat    | True    |                    |
+----------------------------------+---------+---------+--------------------+

[-- Authentication Error --]
[DEV] root@dev01-build-001:~/heat-test# openstack stack create -f yaml -t short.yaml short --wait
2016-08-16 22:38:01 [short]: CREATE_FAILED Authorization failed.
Stack short CREATE_FAILED

Even if I set the identity/default_domain_id to default, the mistake persists. Please let me know if there's a way around this problem.
2016-08-17 15:28:11 Franciraldo Cavalcante description

Old value: identical to the new value of the preceding description entry.

New value:

We're trying to create a new domain, for Heat, for our OpenStack deployment. Currently only using default/Default (id/name). I've made the addition to create the domain and its manager user, through puppet. I could test the new functionality through a puppet agent update.

When I build my Keystone node from scratch, though, puppet-keystone seems to change the default id to the heat domain:

[-- message on keystone creation --]
==> dev01-keystone-001: Warning: Puppet::Type::Keystone_user::ProviderOpenstack: Support for a resource without the domain set is deprecated in Liberty cycle. It will be dropped in the M-cycle. Currently using 'Default' as default domain name while the default domain id is 'e3f9107d5bea4feaac91e486a5db64b5'.

[-- two domains created --]
[DEV] root@dev01-build-001:/etc/puppet# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID                               | Name    | Enabled | Description        |
+----------------------------------+---------+---------+--------------------+
| default                          | Default | True    | The default domain |
| e3f9107d5bea4feaac91e486a5db64b5 | heat    | True    |                    |
+----------------------------------+---------+---------+--------------------+

[-- Authentication Error --]
[DEV] root@dev01-build-001:~/heat-test# openstack stack create -f yaml -t short.yaml short --wait
2016-08-16 22:38:01 [short]: CREATE_FAILED Authorization failed.
Stack short CREATE_FAILED

Even if I set the identity/default_domain_id to default, the mistake persists. Please let me know if there's a way around this problem.
2016-08-17 20:35:38 Franciraldo Cavalcante description

Old value: identical to the new value of the preceding description entry.

New value:

We're trying to create a new domain, for Heat, for our OpenStack deployment. Currently only using default/Default (id/name). I've made the addition to create the domain and its manager user, through puppet. I could test the new functionality through a puppet agent update.

When I build my Keystone node from scratch, though, puppet-keystone seems to change the default id to the heat domain:

[-- message on keystone creation --]
==> dev01-keystone-001: Warning: Puppet::Type::Keystone_user::ProviderOpenstack: Support for a resource without the domain set is deprecated in Liberty cycle. It will be dropped in the M-cycle. Currently using 'Default' as default domain name while the default domain id is 'e3f9107d5bea4feaac91e486a5db64b5'.

[-- two domains created --]
[DEV] root@dev01-build-001:/etc/puppet# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID                               | Name    | Enabled | Description        |
+----------------------------------+---------+---------+--------------------+
| default                          | Default | True    | The default domain |
| e3f9107d5bea4feaac91e486a5db64b5 | heat    | True    |                    |
+----------------------------------+---------+---------+--------------------+

[-- Authentication Error --]
[DEV] root@dev01-build-001:~/heat-test# openstack stack create -f yaml -t short.yaml short --wait
2016-08-16 22:38:01 [short]: CREATE_FAILED Authorization failed.
Stack short CREATE_FAILED

Even if I set the identity/default_domain_id to default, the mistake persists. Please let me know if there's a way around this problem.

[-- manifests/profile/keystone.pp --]
...
  $heat_api_cfn_enabled = hiera('heat_api_cfn_enabled', false),
  $heat_domain_enabled = hiera('heat_domain_enabled', false),
  $heat_domain_name = 'heat',
  $heat_domain_admin = 'heat_admin',
  $heat_domain_admin_email = 'heat_admin@localhost',
  $heat_domain_password = hiera('heat_domain_password', undef),
...

  if $heat_domain_enabled {
    include ::heat::deps
    include ::heat::params
    ensure_resource('keystone_domain', $heat_domain_name, {
      'ensure' => 'present',
      'enabled' => true,
    })
    ensure_resource('keystone_user', "${heat_domain_admin}::${heat_domain_name}", {
      'ensure' => 'present',
      'enabled' => true,
      'email' => $heat_domain_admin_email,
      'password' => $heat_domain_password,
    })
    ensure_resource('keystone_user_role', "${heat_domain_admin}::${heat_domain_name}@::${heat_domain_name}", {
      'roles' => ['admin'],
    })
  }
2016-08-17 20:47:28 Emilien Macchi puppet-keystone: status New Incomplete
2016-08-17 20:52:02 Matt Fischer summary

Old value: Need to create heat domain without changing the default_domain_id

New value: creating a keystone_domain can make it the default even though is_default is false
2016-08-17 20:58:24 Matt Fischer description

Old value: identical to the new value of the preceding description entry.

New value:

We're trying to create a new domain, for Heat, for our OpenStack deployment. In this catalog we are not defining the default_domain variable in keystone's init.pp. That seems to be relevant but is perhaps not.

Here is our manifest:

...
  $heat_api_cfn_enabled = hiera('heat_api_cfn_enabled', false),
  $heat_domain_enabled = hiera('heat_domain_enabled', false),
  $heat_domain_name = 'heat',
  $heat_domain_admin = 'heat_admin',
  $heat_domain_admin_email = 'heat_admin@localhost',
  $heat_domain_password = hiera('heat_domain_password', undef),
...

    ensure_resource('keystone_domain', $heat_domain_name, {
      'ensure' => 'present',
      'enabled' => true,
    })
    ensure_resource('keystone_user', "${heat_domain_admin}::${heat_domain_name}", {
      'ensure' => 'present',
      'enabled' => true,
      'email' => $heat_domain_admin_email,
      'password' => $heat_domain_password,
    })
    ensure_resource('keystone_user_role', "${heat_domain_admin}::${heat_domain_name}@::${heat_domain_name}", {
      'roles' => ['admin'],
    })

Here is the output, note the last line warning and note what puppet thinks the default_domain_id is:

DEBUG[default_domain_id/in]:
DEBUG[default_domain_from_ini_file]: default
DEBUG[default_domain_id/out]: default
Debug: Executing '/usr/bin/openstack project list --quiet --format csv --long'
Debug: Executing '/usr/bin/openstack domain list --quiet --format csv'
Debug: Prefetching openstack resources for keystone_role
Debug: Executing '/usr/bin/openstack role list --quiet --format csv'
Debug: Prefetching openstack resources for keystone_domain
Debug: Executing '/usr/bin/openstack domain list --quiet --format csv'
DEBUG[default_domain_id/in]: default
DEBUG[default_domain_id/out]: default
Debug: Executing '/usr/bin/openstack domain create --format shell heat --enable'
DEBUG[default_domain_id/in]: default
DEBUG[default_domain_id/out]: default
Notice: /Stage[main]/Cirrus::Profile::Keystone/Keystone_domain[heat]/ensure: created
Debug: /Stage[main]/Cirrus::Profile::Keystone/Keystone_domain[heat]: The container Class[Cirrus::Profile::Keystone] will propagate my refresh event
Debug: Prefetching openstack resources for keystone_user
DEBUG[default_domain_id/in]: 637c781d30714a2aa5eefbf437ce738e
DEBUG[default_domain_id/out]: 637c781d30714a2aa5eefbf437ce738e
DEBUG[./lib/puppet/provider/keystone_user/openstack.rb]
DEBUG[default_domain_id/in]: 637c781d30714a2aa5eefbf437ce738e
DEBUG[default_domain_id/out]: 637c781d30714a2aa5eefbf437ce738e
Warning: Puppet::Type::Keystone_user::ProviderOpenstack: Support for a resource without the domain set is deprecated in Liberty cycle. It will be dropped in the M-cycle. Currently using 'Default' as default domain name while the default domain id is '637c781d30714a2aa5eefbf437ce738e'.
2016-08-17 21:02:47 Emilien Macchi puppet-keystone: status Incomplete New
2016-08-17 21:02:51 Emilien Macchi puppet-keystone: status New Triaged