Keystone v3, authentication error for Rally users if the value of project_domain_name of admin user isn't equal "default".

Bug #1680837 reported by Anton Kremenetsky on 2017-04-07
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Rally
High
Anton Kremenetsky

Bug Description

How to reproduce:
1. You should have an OpenStack deployment with Keystone API v3.
2. Admin user should have value of project_domain_name is not equal "default"
For example,

$ cat existing-keystone-v3.json
{
    "type": "ExistingCloud",
    "creds": {
        "openstack": {
            "auth_url": "http://10.20.3.100:5000/v3/",
            "region_name": "Kontron",
            "endpoint_type": "public",
            "admin": {
                "username": "admin",
                "password": "admin",
                "user_domain_name": "admin_domain",
                "project_name": "admin",
                "project_domain_name": "admin_domain"
            },
            "https_insecure": false,
            "https_cacert": ""
        }
    }
}

$ rally task start ~/rally/samples/tasks/scenarios/nova/create-and-list-flavor-access.yaml
2017-04-07 05:38:51.483 8413 WARNING rally.task.validation [-] Plugin 'NeutronNetworks.create_and_show_subnets' uses validator 'required_openstack'. That validator is deprecated in favor of 'required_platform' in Rally v0.10.0.
Running Rally version 0.9.1~dev107
--------------------------------------------------------------------------------
Preparing input task
--------------------------------------------------------------------------------

Task is:
---
  NovaFlavors.create_and_list_flavor_access:
    -
      args:
        ram: 500
        vcpus: 1
        disk: 1
      runner:
        type: "constant"
        times: 10
        concurrency: 2

Task syntax is correct :)
2017-04-07 05:38:51.837 8413 INFO rally.task.engine [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Starting: Task validation.
2017-04-07 05:38:51.902 8413 INFO rally.task.engine [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Starting: Task validation of scenarios names.
2017-04-07 05:38:51.909 8413 INFO rally.task.engine [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Completed: Task validation of scenarios names.
2017-04-07 05:38:51.910 8413 INFO rally.task.engine [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Starting: Task validation of syntax.
2017-04-07 05:38:51.921 8413 INFO rally.task.engine [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Completed: Task validation of syntax.
2017-04-07 05:38:51.921 8413 INFO rally.task.engine [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Starting: Task validation of semantic.
2017-04-07 05:38:51.948 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:51.948 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:51.968 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:51.968 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:52.553 8413 INFO rally.plugins.openstack.context.keystone.users [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Starting: Enter context: `users`
2017-04-07 05:38:52.554 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:52.555 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:52.566 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:52.566 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:52.998 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:52.998 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:53.552 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:53.553 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:53.565 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:53.565 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:53.970 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:53.971 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:54.722 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:54.722 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:54.723 8413 INFO rally.plugins.openstack.context.keystone.users [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Completed: Enter context: `users`
2017-04-07 05:38:54.726 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:54.726 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:54.735 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:54.735 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:54.765 8413 INFO rally.plugins.openstack.context.keystone.users [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Starting: Exit context: `users`
2017-04-07 05:38:54.765 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:54.766 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:54.775 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:54.776 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:55.700 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:55.700 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:55.709 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:55.709 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:55.738 8413 WARNING rally.plugins.openstack.context.keystone.users [-] Unable to delete default security group
2017-04-07 05:38:55.739 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:55.740 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:55.749 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:55.750 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:56.054 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:56.055 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:56.520 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:56.520 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:56.528 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:56.528 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:57.427 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:57.427 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:57.439 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:57.439 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:57.838 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:57.838 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:58.329 8413 INFO rally.plugins.openstack.context.keystone.users [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Completed: Exit context: `users`
Task config is invalid: `Input task is invalid!

Subtask NovaFlavors.create_and_list_flavor_access[0] has wrong configuration
Subtask configuration:
{'runner': {"type": "constant", "times": 10, "concurrency": 2}, 'args': {"ram": 500, "vcpus": 1, "disk": 1}}

Reason(s):
 ---------- Exception in validator ----------
Traceback (most recent call last):
  File "/home/remote/rally/local/lib/python2.7/site-packages/rally/common/validation.py", line 201, in validate
    plugin_cfg=plugin_cfg)
  File "/home/remote/rally/local/lib/python2.7/site-packages/rally/task/validation.py", line 64, in validate
    result = self._run_fn(config, deployment, clients)
  File "/home/remote/rally/local/lib/python2.7/site-packages/rally/task/validation.py", line 73, in _run_fn
    *self.args, **self.kwargs) or ValidationResult(True))
  File "/home/remote/rally/local/lib/python2.7/site-packages/rally/task/validation.py", line 481, in required_services
    available_services = list(clients.services().values())
  File "/home/remote/rally/local/lib/python2.7/site-packages/rally/osclients.py", line 747, in services
    available_services = self.keystone.service_catalog.get_endpoints()
  File "/home/remote/rally/local/lib/python2.7/site-packages/rally/osclients.py", line 226, in service_catalog
    return self.auth_ref.service_catalog
  File "/home/remote/rally/local/lib/python2.7/site-packages/rally/osclients.py", line 232, in auth_ref
    self.cache["keystone_auth_ref"] = plugin.get_access(sess)
  File "/home/remote/rally/local/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 136, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/home/remote/rally/local/lib/python2.7/site-packages/keystoneauth1/identity/generic/base.py", line 198, in get_auth_ref
    return self._plugin.get_auth_ref(session, **kwargs)
  File "/home/remote/rally/local/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py", line 167, in get_auth_ref
    authenticated=False, log=False, **rkwargs)
  File "/home/remote/rally/local/lib/python2.7/site-packages/keystoneauth1/session.py", line 766, in post
    return self.request(url, 'POST', **kwargs)
  File "/home/remote/rally/local/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/home/remote/rally/local/lib/python2.7/site-packages/keystoneauth1/session.py", line 655, in request
    raise exceptions.from_response(resp, method, url)
Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-0b030df9-4fd3-4da4-8855-980b493940b5)

Some additional information:

The problem is that the Rally always creates test projects with "default" domain even though other one has been specified.
For example,
$ cat ~/.rally/openrc
export OS_AUTH_URL='http://10.20.3.100:5000/v3/'
export OS_USERNAME='admin'
export OS_PASSWORD='admin'
export OS_TENANT_NAME='admin'
export OS_REGION_NAME='Kontron'
export OS_ENDPOINT_TYPE='publicURL'
export OS_INTERFACE='public'
export OS_USER_DOMAIN_NAME='admin_domain'
export OS_PROJECT_DOMAIN_NAME='admin_domain'
$
$ openstack domain list
+----------------------------------+----------------+---------+-----------------+
| ID | Name | Enabled | Description |
+----------------------------------+----------------+---------+-----------------+
| 6b532774c0374cfaaf320383f6cfd697 | default | True | Created by Juju |
| 82947d20701c4300bb0e8566dff230ee | service_domain | True | Created by Juju |
| d1fd339da2004cf586910ff8dfdca382 | admin_domain | True | Created by Juju |
+----------------------------------+----------------+---------+-----------------+
$ openstack project list
+----------------------------------+---------------------------+
| ID | Name |
+----------------------------------+---------------------------+
| 38e2cc605dc74198b695cf1381beaf70 | admin |
| 663b0dae09184f58b65e89d9760c6219 | services |
| bcef99148ad64072813c4fa226d76f31 | services |
| da4de5adc8fe467585a9f60eb0d11eb5 | c_rally_f58172b9_vWnsCHws |
+----------------------------------+---------------------------+
$ openstack project show c_rally_f58172b9_vWnsCHws
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | 6b532774c0374cfaaf320383f6cfd697 |
| enabled | True |
| id | da4de5adc8fe467585a9f60eb0d11eb5 |
| is_domain | False |
| name | c_rally_f58172b9_vWnsCHws |
| parent_id | 6b532774c0374cfaaf320383f6cfd697 |
+-------------+----------------------------------+

Changed in rally:
assignee: nobody → Anton Kremenetsky (akremenetsky)

Fix proposed to branch: master
Review: https://review.openstack.org/454714

Changed in rally:
status: New → In Progress
Changed in rally:
importance: Undecided → High

Reviewed: https://review.openstack.org/454714
Committed: https://git.openstack.org/cgit/openstack/rally/commit/?id=412e35a292934da87afd7651f8ac22cfa9d462fa
Submitter: Jenkins
Branch: master

commit 412e35a292934da87afd7651f8ac22cfa9d462fa
Author: Anton Kremenetsky <email address hidden>
Date: Fri Apr 7 16:01:15 2017 +0300

    Fixed project creation with Keystone v3

    The current behavior for Rally users and Keystone v3 allows only to
    create test projects for the users only in "default" domain.
    Such behavior leads to authentication errors for the Rally users if the
    admin specifies project_domain_name with other value rather than
    "default". This fix resolve this bug.

    Signe-ooff-by: Anton Kremenetsky <email address hidden>

    Change-Id: Ia2207f0b6a32da2ece6aaef64fd3227e16fb25ec
    Closes-Bug: #1680837

Changed in rally:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/454809
Committed: https://git.openstack.org/cgit/openstack/rally/commit/?id=530803f45ca5bf261024bda082ec71120e9b3b88
Submitter: Jenkins
Branch: stable/0.9

commit 530803f45ca5bf261024bda082ec71120e9b3b88
Author: Anton Kremenetsky <email address hidden>
Date: Fri Apr 7 16:01:15 2017 +0300

    Fixed project creation with Keystone v3

    The current behavior for Rally users and Keystone v3 allows only to
    create test projects for the users only in "default" domain.
    Such behavior leads to authentication errors for the Rally users if the
    admin specifies project_domain_name with other value rather than
    "default". This fix resolve this bug.

    Signe-ooff-by: Anton Kremenetsky <email address hidden>

    Change-Id: Ia2207f0b6a32da2ece6aaef64fd3227e16fb25ec
    Closes-Bug: #1680837
    (cherry picked from commit 412e35a292934da87afd7651f8ac22cfa9d462fa)

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers