11.2.1 : openstack client with V3 auth causes usability issues
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack-Ansible |
Invalid
|
Undecided
|
Unassigned | ||
python-openstackclient |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
In light of https:/
Jin Liu (jin-t) wrote on 2015-05-07: #6
Some updates, we made keystone v3 working fine either using cli or horizon.
We figured out what parameters required in openstackclient command line. Using example in this ticket,
# openstack volume list
# openstack server list
Actually these two commands need OS_PROJECT_NAME env or --os-project-name in command line. Export OS_DOMAIN_NAME will not help. Basically OS_PROJECT_NAME is needed for most services(
You may think export OS_PROJECT_NAME and OS_DOMAIN_NAME together. But openstackclient will complain when you do both,
"ERROR: openstack Authentication cannot be scoped to multiple targets. Pick one of: project, domain or trust".
You can find extra info about policy.json from this article https:/
The unpleasant issue is that you have to use --domain inside the command line to do a user list like
openstack user list --domain default
unfortunately you can't just set OS_DOMAIN_NAME or ID because that will trigger the error above "ERROR: openstack Authentication cannot be scoped to multiple targets. Pick one of: project, domain or trust"
This issue can be highly misleading when not using the --domain parameter, the openstack client just comes back with
ERROR: openstack The request you have made requires authentication. (Disable debug mode to suppress these details.)
which would people to believe there is some configuration error going on.
It seems we can alter this behavior with a policy.json change and I'm asking to investigate this
Changed in openstack-ansible: | |
status: | New → Incomplete |
Changed in python-openstackclient: | |
status: | Incomplete → Won't Fix |
This issue brings even the os-keystone-install playbook to a halt, due to the missing domain name:
TASK: [os_keystone | Ensure Admin user] ******* ******* ******* ******* ******* ****
Result from run 1 is: {'msg': 'OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014\r\ndebug1: Reading configuration data /etc/ssh/ ssh_config\ r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: mux_client_ request_ session: master session id: 2\r\nTraceback (most recent call last):\n File "<stdin>", line 2895, in <module>\n File "<stdin>", line 1284, in main\n File "<stdin>", line 460, in command_router\n File "<stdin>", line 720, in ensure_user\n File "<stdin>", line 660, in _get_user\n File "/usr/local/ lib/python2. 7/dist- packages/ keystoneclient/ utils.py" , line 318, in inner\n return func(*args, **kwargs)\n File "/usr/local/ lib/python2. 7/dist- packages/ keystoneclient/ v3/users. py", line 108, in list\n **kwargs)\n File "/usr/local/ lib/python2. 7/dist- packages/ keystoneclient/ base.py" , line 73, in func\n return f(*args, **new_kwargs)\n File "/usr/local/ lib/python2. 7/dist- packages/ keystoneclient/ base.py" , line 361, in list\n self.collection _key)\n File "/usr/local/ lib/python2. 7/dist- packages/ keystoneclient/ base.py" , line 113, in _list\n resp, body = self.client. get(url, **kwargs)\n File "/usr/local/ lib/python2. 7/dist- packages/ keystoneclient/ adapter. py", line 170, in get\n return self.request(url, \'GET\', **kwargs)\n File "/usr/local/ lib/python2. 7/dist- packages/ keystoneclient/ adapter. py", line 206, in request\n resp = super(LegacyJso nAdapter, self).request( *args, **kwargs)\n File "/usr/local/ lib/python2. 7/dist- packages/ keystoneclient/ adapter. py", line 95, in request\n return self.session. request( url, method, **kwargs)\n File "/usr/local/ lib/python2. 7/dist- packages/ keystoneclient/ utils.py" , line 318, in inner\n return func(*args, **kwargs)\n File "/usr/local/ lib/python2. 7/dist- packages/ keystoneclient/ session. py", line 397, in request\n raise exceptions. from_response( resp, method, url)\nkeystonec lient.openstack .common. apiclient. exceptions. Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-b1e36888- 0d67-4614- b4ee-c46d71fc9f 0e)\n', 'failed': True, 'attempts': 1, 'parsed': False}