openstack cli provider needs to pass domain in v3 calls

Bug #1554555 reported by Matthew J Black
Affects: puppet-keystone
Status: Fix Released
Importance: Undecided
Assigned to: Sofer Athlan-Guyot

Bug Description

When running the keystone module with v3/domains, if the option domain_specific_drivers_enabled is set to true in the keystone.conf, then certain API calls will need to pass in domain information. The most notable is the user API (see below for log output).

Debug: Executing '/usr/bin/openstack user list --quiet --format csv --long'
Error: Could not prefetch keystone_user provider 'openstack': Could not authenticate.

When I run this command with the following environment variables set

{"OS_IDENTITY_API_VERSION"=>"3", "OS_TOKEN"=>"test1234", "OS_URL"=>"http://keystone.example.org:35357/v3"}

I get the following output.

# /usr/bin/openstack user list --quiet --format csv --long
The request you have made requires authentication. (HTTP 401) (Request-ID: req-4f4ff6e2-a9be-47db-be05-33149c873df5)

When I add --domain to the cli call I get this.

# /usr/bin/openstack user list --quiet --format csv --long --domain default
"ID","Name","Project","Domain","Description","Email","Enabled"
"09125f5ea1e44963a5d00ae7b9640544","admin","","default","","",True

If I modify a line in keystone_user provider (https://github.com/openstack/puppet-keystone/blob/master/lib/puppet/provider/keystone_user/openstack.rb#L177) to be from

users = request('user', 'list', ['--long'])

to

users = request('user', 'list', ['--long', '--domain', default_domain])

Everything starts working.

The CLI does not care whether any of the domain env variables are set; it looks like it will only work with the parameter being passed to the CLI call in the provider.
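As an added illustration in Ruby (the provider's language; this is not puppet-keystone's code or the reporter's), the block below builds the v3 `user list` invocation with the mandatory --domain option, parses the --long CSV output quoted above, and caches ids per name::domain on demand instead of prefetching every user. The runner block standing in for the provider's request() and the sample output are constructed.

```ruby
require 'csv'

# Column layout of `openstack user list --long --format csv` as quoted in the report.
USER_CSV_HEADER = %w[ID Name Project Domain Description Email Enabled].freeze

# Argument vector for `openstack user list`. With domain-specific drivers enabled
# the CLI must be told which domain to list; without --domain it answers HTTP 401.
def user_list_args(domain)
  raise ArgumentError, 'domain is required for v3 user list' if domain.nil? || domain.empty?
  ['user', 'list', '--quiet', '--format', 'csv', '--long', '--domain', domain]
end

# Parse the CSV the CLI prints into one hash per user (lower-case column names),
# refusing output whose columns differ from the expected --long layout.
def parse_user_csv(output)
  rows = CSV.parse(output, headers: true)
  raise "unexpected columns: #{rows.headers.inspect}" unless rows.headers == USER_CSV_HEADER
  rows.map do |r|
    h = r.to_h.transform_keys(&:downcase)
    h['enabled'] = (h['enabled'] == 'True')
    h
  end
end

# Per-domain lookup cache in the spirit of the merged fix: one CLI call per domain
# and name actually referenced, never a global prefetch across all domains.
class UserIdCache
  def initialize(&runner) # runner receives the argv and returns the CLI's stdout
    @runner = runner
    @ids = {}
  end

  def user_id(name, domain)
    @ids["#{name}::#{domain}"] ||= begin
      out = @runner.call(user_list_args(domain))
      user = parse_user_csv(out).find { |u| u['name'] == name }
      user && user['id']
    end
  end
end

# Constructed sample output, shaped like the --domain default run in the report.
SAMPLE_OUTPUT = <<~CSV
  "ID","Name","Project","Domain","Description","Email","Enabled"
  "09125f5ea1e44963a5d00ae7b9640544","admin","","default","","",True
CSV
```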

Changed in python-keystoneclient:
assignee: nobody → Matthew J Black (mjblack)
affects: python-keystoneclient → puppet-keystone
Changed in puppet-keystone:
status: New → Confirmed
Revision history for this message
Sofer Athlan-Guyot (sofer-athlan-guyot) wrote :

Oki, I could reproduce the exact same error using:

    include ::openstack_integration
    include ::openstack_integration::repos
    include ::openstack_integration::mysql
    class { '::openstack_integration::keystone':
      using_domain_config => true,
    }

    ::keystone::resource::service_identity { 'beaker-ci':
      service_type => 'beaker',
      service_description => 'beaker service',
      service_name => 'beaker',
      password => 'secret',
      public_url => 'http://127.0.0.1:1234',
      admin_url => 'http://127.0.0.1:1234',
      internal_url => 'http://127.0.0.1:1234',
    }
    # v3 admin
    # we don't use ::keystone::roles::admin but still create resources manually:
    keystone_domain { 'admin_domain':
      ensure => present,
      enabled => true,
      description => 'Domain for admin v3 users',
    }
    keystone_domain { 'service_domain':
      ensure => present,
      enabled => true,
      description => 'Domain for admin v3 users',
    }
    keystone_tenant { 'servicesv3::service_domain':
      ensure => present,
      enabled => true,
      description => 'Tenant for the openstack services',
    }
    keystone_tenant { 'openstackv3::admin_domain':
      ensure => present,
      enabled => true,
      description => 'admin tenant',
    }
    keystone_user { 'adminv3::admin_domain':
      ensure => present,
      enabled => true,
      email => '<email address hidden>',
      password => 'a_big_secret',
    }
    keystone_user_role { 'adminv3::admin_domain@openstackv3::admin_domain':
      ensure => present,
      roles => ['admin'],
    }
    # service user exists only in the service_domain - must
    # use v3 api
    ::keystone::resource::service_identity { 'beaker-civ3::service_domain':
      service_type => 'beakerv3',
      service_description => 'beakerv3 service',
      service_name => 'beakerv3',
      password => 'secret',
      tenant => 'servicesv3::service_domain',
      public_url => 'http://127.0.0.1:1234/v3',
      admin_url => 'http://127.0.0.1:1234/v3',
      internal_url => 'http://127.0.0.1:1234/v3',
      user_domain => 'service_domain',
      project_domain => 'service_domain',
    }

The (first?) problem here is that the prefetch of the user resource
comes before the creation of the /root/openrc and (for the first
initial run) uses the admin_token authentication like this:

    #<Puppet::Provider::Openstack::CredentialsV3:0x000000045373d0 @identity_api_version="3", @token="admin_token", @url="http://127.0.0.1:35357/v3">

This fails with a "401" error on the keystone server side.
Prefetching service and domain is not an issue though, as can be seen
on this log:

    Info: /Stage[main]/Apache::Service/Service[httpd]: Unscheduling refresh on Service[httpd]
    Debug: Class[Apache::Service]: The container Stage[main] will propagate my refresh event
    Debug: Prefetching openstack resources for keystone_service
    Debug: Executing '/bin/openstack service list --quiet --format csv --long'
    Debug: Prefetchi...


Changed in puppet-keystone:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-keystone (master)

Change abandoned by Matthew J Black (<email address hidden>) on branch: master
Review: https://review.openstack.org/289995

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/299301

Changed in puppet-keystone:
assignee: Matthew J Black (mjblack) → Sofer Athlan-Guyot (sofer-athlan-guyot)
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (master)

Reviewed: https://review.openstack.org/299301
Committed: https://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=64100bb284dbfb72f4af14eae9665ca042f0239a
Submitter: Jenkins
Branch: master

commit 64100bb284dbfb72f4af14eae9665ca042f0239a
Author: Sofer Athlan-Guyot <email address hidden>
Date: Wed Mar 30 13:00:58 2016 +0200

    Remove user/role prefetch to support multi-domain.

    In keystone, when the multi-domain configuration is enabled, listing all
    the users is no longer supported. You have to specify the domain. The
    rationale is that some domains will have an LDAP backend (possibly AD) with
    tons of users. Listing them all would not be reliable.

    The prefetch feature in puppet needs to know all users and create an
    associated object. This is not a good idea when the number of users is
    too high. Thus the removal of this is necessary. The rationale for
    using prefetch is that checking all items in one go "costs" less than
    fetching individual information. As the number of users defined in the
    catalog is likely to be less than the number of users in the keystone db,
    it seems dubious that this would be the case here, hence the removal.

    As a consequence the keystone_user_role needs prefetch removal as well.
    It actually greatly simplifies the code. A cache is made for user and
    project ids to keep the number of requests to a minimum.

    Closes-Bug: 1554555
    Closes-Bug: 1485508

    Depends-On: I5b334e3ffd26df4ba8584d77a5e41b56e73536c8
    Change-Id: I8e117a9ddbd2ed5b3df739a0b27a66ad07a33e29

Changed in puppet-keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/306075

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/308365

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (stable/liberty)

Reviewed: https://review.openstack.org/308365
Committed: https://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=241f4cf91b3f5b3ac68b74d7e1ac80689123b082
Submitter: Jenkins
Branch: stable/liberty

commit 241f4cf91b3f5b3ac68b74d7e1ac80689123b082
Author: Sofer Athlan-Guyot <email address hidden>
Date: Wed Mar 30 13:00:58 2016 +0200

    Remove user/role prefetch to support multi-domain.

    In keystone, when the multi-domain configuration is enabled, listing all
    the users is no longer supported. You have to specify the domain. The
    rationale is that some domains will have an LDAP backend (possibly AD) with
    tons of users. Listing them all would not be reliable.

    The prefetch feature in puppet needs to know all users and create an
    associated object. This is not a good idea when the number of users is
    too high. Thus the removal of this is necessary. The rationale for
    using prefetch is that checking all items in one go "costs" less than
    fetching individual information. As the number of users defined in the
    catalog is likely to be less than the number of users in the keystone db,
    it seems dubious that this would be the case here, hence the removal.

    As a consequence the keystone_user_role needs prefetch removal as well.
    It actually greatly simplifies the code. A cache is made for user and
    project ids to keep the number of requests to a minimum.

    When the commit was cherry-picked from master, the 'domain_id_from_name' method
    in lib/puppet/provider/keystone_user/openstack.rb was replaced by the
    'fetch_domain' method and the call to the 'self.class.request_without_retry'
    method was deleted in order to adapt the fix to stable/liberty.
    Also the unit tests for the 'exists?' method were modified.

    Closes-Bug: 1554555
    Closes-Bug: 1485508

    Change-Id: I8e117a9ddbd2ed5b3df739a0b27a66ad07a33e29
    (cherry picked from commit 64100bb284dbfb72f4af14eae9665ca042f0239a)

tags: added: in-stable-liberty
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (stable/mitaka)

Reviewed: https://review.openstack.org/306075
Committed: https://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=795bb1f60467fcbc56e094bb900a63dd64d8cc5f
Submitter: Jenkins
Branch: stable/mitaka

commit 795bb1f60467fcbc56e094bb900a63dd64d8cc5f
Author: Sofer Athlan-Guyot <email address hidden>
Date: Wed Mar 30 13:00:58 2016 +0200

    Remove user/role prefetch to support multi-domain.

    In keystone, when the multi-domain configuration is enabled, listing all
    the users is no longer supported. You have to specify the domain. The
    rationale is that some domains will have an LDAP backend (possibly AD) with
    tons of users. Listing them all would not be reliable.

    The prefetch feature in puppet needs to know all users and create an
    associated object. This is not a good idea when the number of users is
    too high. Thus the removal of this is necessary. The rationale for
    using prefetch is that checking all items in one go "costs" less than
    fetching individual information. As the number of users defined in the
    catalog is likely to be less than the number of users in the keystone db,
    it seems dubious that this would be the case here, hence the removal.

    As a consequence the keystone_user_role needs prefetch removal as well.
    It actually greatly simplifies the code. A cache is made for user and
    project ids to keep the number of requests to a minimum.

    Closes-Bug: 1554555
    Closes-Bug: 1485508

    Depends-On: I5b334e3ffd26df4ba8584d77a5e41b56e73536c8
    Change-Id: I8e117a9ddbd2ed5b3df739a0b27a66ad07a33e29
    (cherry picked from commit 64100bb284dbfb72f4af14eae9665ca042f0239a)

tags: added: in-stable-mitaka
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/puppet-keystone 7.1.0

This issue was fixed in the openstack/puppet-keystone 7.1.0 release.

Thierry Carrez (ttx) wrote : Fix included in openstack/puppet-keystone 8.1.0

This issue was fixed in the openstack/puppet-keystone 8.1.0 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/puppet-keystone 9.0.0

This issue was fixed in the openstack/puppet-keystone 9.0.0 release.
