python-openstackclient

volume client extension can't work well with keystone v3

Bug #1315963 reported by xyj
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-openstackclient
Fix Released
Undecided
xyj
python-openstackclient m4 "beryllium"

Bug Description

I create a keystone v3 account:

- a new domain
- a new user under the domain
- a new project under the same domain
- grant a non admin role to user on the project (project scope token)

my openrc:

export OS_VOLUME_API_VERSION=1
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://localhost:35357/v3
export OS_PROJECT_DOMAIN_ID=784cbcb2ca054c499fc5c3e78acdf7ed
export OS_PROJECT_NAME=yejia_project
export OS_USER_DOMAIN_ID=784cbcb2ca054c499fc5c3e78acdf7ed
export OS_USERNAME=yejia_784cbcb2ca054c499fc5c3e78acdf7ed
export OS_PASSWORD=testing

Nova and glance can work well with this setting.

openstack --verbose volume list

The output (after clean out some mess):

curl -i http://uoscloud.com:35357/v3 -X GET -H "X-Auth-Project-Id: yejia_project" -H "X-Auth-Key: testing" -H "Accept: application/json" -H "X-Auth-User: yejia_784cbcb2ca054c499fc5c3e78acdf7ed" -H "User-Agent: python-cinderclient"

resp: {"version": {"status": "stable", "updated": "2013-03-06T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v3+xml"}], "id": "v3.0", "links": [{"href": "http://localhost:35357/v3/", "rel": "self"}]}}

curl -i http://uoscloud.com:35357/v3/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent

resp: {"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}}

cinderclient enter its own authenticate() function, I think we should skip it and auth with openstackclient's mechanism, just like compute extension.

xyj (xyj-asmy)
Changed in python-openstackclient:
assignee: nobody → xyj (xyj-asmy)
Revision history for this message
Steve Martinelli (stevemar) wrote :

I think this bug resides in cinderclient, and I think including this fix https://bugs.launchpad.net/python-cinderclient/+bug/1263876 should resolve it.

Right now we depend on cinderclient version 1.0.6 in openstackclient, can you confirm you are using the latest, which should have the fix for the bug I mentioned above.

Revision history for this message
xyj (xyj-asmy) wrote :

I use the lastest cinderclient(I build a new devstack yesterday~).

I read the patch you mentioned, but it only hanlded service_catag format difference between v2 and v3 token.At the moment, cinderclient can't auth directly with keystone v3's auth api, see

https://github.com/openstack/python-cinderclient/blob/master/cinderclient/client.py#L289

Before cinderclient, novaclient, neutronclient can request a v3 token from keystone directly, we should get token in openstackclient(the current code work perfectly!), then pass token and target endpoint on xxxclient. This can avoid xxxclient to auth again in their own code logic.

Just like:

https://github.com/openstack/python-openstackclient/blob/master/openstackclient/compute/client.py#L65

Revision history for this message
Steve Martinelli (stevemar) wrote :

Ah, I understand what you mean, for future reference, please add the bug# to the commit message, as I was just about the do the same work!

I did it for you this time https://review.openstack.org/#/c/92029/

Revision history for this message
xyj (xyj-asmy) wrote :

Oh, Thanks~

I won't forget it next time.

Revision history for this message
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to python-openstackclient (master)

Reviewed: https://review.openstack.org/92029
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=2cc3a2fdbddb10cc26ffb49e4a7cfa114a1e9e53
Submitter: Jenkins
Branch: master

commit 2cc3a2fdbddb10cc26ffb49e4a7cfa114a1e9e53
Author: Yejia Xu <email address hidden>
Date: Mon May 5 00:11:17 2014 +0000

    Skip auth in cinderclient

    cinderclient can't work well with keystone v3 auth
    info. We should do it in openstackclient just like
    compute extension.

    Closes-Bug: #1315963
    Change-Id: I46f794c5315f6a9fe1d9a0e5dc7b84f067d7f792

Changed in python-openstackclient:
status: New → Fix Committed
Dean Troyer (dtroyer)
Changed in python-openstackclient:
milestone: none → m4
Dean Troyer (dtroyer)
Changed in python-openstackclient:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.