Rally

Keystone v3, authentication error for Rally users if the value of project_domain_name of admin user isn't equal "default".

Bug #1680837 reported by Anton Kremenetsky on 2017-04-07

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Rally	Fix Released	High	Anton Kremenetsky

Bug Description

How to reproduce:
1. You should have an OpenStack deployment with Keystone API v3.
2. Admin user should have value of project_domain_name is not equal "default"
For example,

$ cat existing-keystone-v3.json
{
    "type": "ExistingCloud",
    "creds": {
        "openstack": {
            "auth_url": "http://10.20.3.100:5000/v3/",
            "region_name": "Kontron",
            "endpoint_type": "public",
            "admin": {
                "username": "admin",
                "password": "admin",
                "user_domain_name": "admin_domain",
                "project_name": "admin",
                "project_domain_name": "admin_domain"
            },
            "https_insecure": false,
            "https_cacert": ""
        }
    }
}

$ rally task start ~/rally/samples/tasks/scenarios/nova/create-and-list-flavor-access.yaml
2017-04-07 05:38:51.483 8413 WARNING rally.task.validation [-] Plugin 'NeutronNetworks.create_and_show_subnets' uses validator 'required_openstack'. That validator is deprecated in favor of 'required_platform' in Rally v0.10.0.
Running Rally version 0.9.1~dev107
--------------------------------------------------------------------------------
Preparing input task
--------------------------------------------------------------------------------

Task is:
---
  NovaFlavors.create_and_list_flavor_access:
    -
      args:
        ram: 500
        vcpus: 1
        disk: 1
      runner:
        type: "constant"
        times: 10
        concurrency: 2

Task syntax is correct :)
2017-04-07 05:38:51.837 8413 INFO rally.task.engine [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Starting: Task validation.
2017-04-07 05:38:51.902 8413 INFO rally.task.engine [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Starting: Task validation of scenarios names.
2017-04-07 05:38:51.909 8413 INFO rally.task.engine [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Completed: Task validation of scenarios names.
2017-04-07 05:38:51.910 8413 INFO rally.task.engine [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Starting: Task validation of syntax.
2017-04-07 05:38:51.921 8413 INFO rally.task.engine [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Completed: Task validation of syntax.
2017-04-07 05:38:51.921 8413 INFO rally.task.engine [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Starting: Task validation of semantic.
2017-04-07 05:38:51.948 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:51.948 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:51.968 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:51.968 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:52.553 8413 INFO rally.plugins.openstack.context.keystone.users [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Starting: Enter context: `users`
2017-04-07 05:38:52.554 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:52.555 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:52.566 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:52.566 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:52.998 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:52.998 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:53.552 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:53.553 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:53.565 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:53.565 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:53.970 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:53.971 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:54.722 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:54.722 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:54.723 8413 INFO rally.plugins.openstack.context.keystone.users [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Completed: Enter context: `users`
2017-04-07 05:38:54.726 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:54.726 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:54.735 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:54.735 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:54.765 8413 INFO rally.plugins.openstack.context.keystone.users [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Starting: Exit context: `users`
2017-04-07 05:38:54.765 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:54.766 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:54.775 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:54.776 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:55.700 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:55.700 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:55.709 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:55.709 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:55.738 8413 WARNING rally.plugins.openstack.context.keystone.users [-] Unable to delete default security group
2017-04-07 05:38:55.739 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:55.740 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:55.749 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:55.750 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:56.054 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:56.055 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:56.520 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:56.520 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:56.528 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:56.528 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:57.427 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:57.427 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:57.439 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:57.439 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:57.838 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'cacert' is deprecated since Rally 0.10.0. Use 'https_cacert' instead.
2017-04-07 05:38:57.838 8413 WARNING /home/remote/rally/local/lib/python2.7/site-packages/rally/plugins/openstack/credential.pyc [-] Property 'insecure' is deprecated since Rally 0.10.0. Use 'https_insecure' instead.
2017-04-07 05:38:58.329 8413 INFO rally.plugins.openstack.context.keystone.users [-] Task 50cd62a3-4a13-4ec3-b6da-0d0c2799324b | Completed: Exit context: `users`
Task config is invalid: `Input task is invalid!

Subtask NovaFlavors.create_and_list_flavor_access[0] has wrong configuration
Subtask configuration:
{'runner': {"type": "constant", "times": 10, "concurrency": 2}, 'args': {"ram": 500, "vcpus": 1, "disk": 1}}

Reason(s):
---------- Exception in validator ----------
Traceback (most recent call last):
  File "/home/remote/rally/local/lib/python2.7/site-packages/rally/common/validation.py", line 201, in validate
    plugin_cfg=plugin_cfg)
  File "/home/remote/rally/local/lib/python2.7/site-packages/rally/task/validation.py", line 64, in validate
    result = self._run_fn(config, deployment, clients)
  File "/home/remote/rally/local/lib/python2.7/site-packages/rally/task/validation.py", line 73, in _run_fn
    *self.args, **self.kwargs) or ValidationResult(True))
  File "/home/remote/rally/local/lib/python2.7/site-packages/rally/task/validation.py", line 481, in required_services
    available_services = list(clients.services().values())
  File "/home/remote/rally/local/lib/python2.7/site-packages/rally/osclients.py", line 747, in services
    available_services = self.keystone.service_catalog.get_endpoints()
  File "/home/remote/rally/local/lib/python2.7/site-packages/rally/osclients.py", line 226, in service_catalog
    return self.auth_ref.service_catalog
  File "/home/remote/rally/local/lib/python2.7/site-packages/rally/osclients.py", line 232, in auth_ref
    self.cache["keystone_auth_ref"] = plugin.get_access(sess)
  File "/home/remote/rally/local/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 136, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/home/remote/rally/local/lib/python2.7/site-packages/keystoneauth1/identity/generic/base.py", line 198, in get_auth_ref
    return self._plugin.get_auth_ref(session, **kwargs)
  File "/home/remote/rally/local/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py", line 167, in get_auth_ref
    authenticated=False, log=False, **rkwargs)
  File "/home/remote/rally/local/lib/python2.7/site-packages/keystoneauth1/session.py", line 766, in post
    return self.request(url, 'POST', **kwargs)
  File "/home/remote/rally/local/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/home/remote/rally/local/lib/python2.7/site-packages/keystoneauth1/session.py", line 655, in request
    raise exceptions.from_response(resp, method, url)
Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-0b030df9-4fd3-4da4-8855-980b493940b5)

Revision history for this message

Anton Kremenetsky (akremenetsky) wrote on 2017-04-07:

Some additional information:

Some additional information:

Changed in rally:
assignee:	nobody → Anton Kremenetsky (akremenetsky)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-04-07: Fix proposed to rally (master)

Fix proposed to branch: master
Review: https://review.openstack.org/454714

Changed in rally:
status:	New → In Progress

Andriy Kurilin (andreykurilin) on 2017-04-07

Changed in rally:
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-04-07: Fix merged to rally (master)

Reviewed: https://review.openstack.org/454714
Committed: https://git.openstack.org/cgit/openstack/rally/commit/?id=412e35a292934da87afd7651f8ac22cfa9d462fa
Submitter: Jenkins
Branch: master

commit 412e35a292934da87afd7651f8ac22cfa9d462fa
Author: Anton Kremenetsky <email address hidden>
Date: Fri Apr 7 16:01:15 2017 +0300

Fixed project creation with Keystone v3

    The current behavior for Rally users and Keystone v3 allows only to
    create test projects for the users only in "default" domain.
    Such behavior leads to authentication errors for the Rally users if the
    admin specifies project_domain_name with other value rather than
    "default". This fix resolve this bug.

Signe-ooff-by: Anton Kremenetsky <email address hidden>

Change-Id: Ia2207f0b6a32da2ece6aaef64fd3227e16fb25ec
Closes-Bug: #1680837

Changed in rally:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-04-07: Fix proposed to rally (stable/0.9)

Fix proposed to branch: stable/0.9
Review: https://review.openstack.org/454809

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-04-07: Fix merged to rally (stable/0.9)

Reviewed: https://review.openstack.org/454809
Committed: https://git.openstack.org/cgit/openstack/rally/commit/?id=530803f45ca5bf261024bda082ec71120e9b3b88
Submitter: Jenkins
Branch: stable/0.9

commit 530803f45ca5bf261024bda082ec71120e9b3b88
Author: Anton Kremenetsky <email address hidden>
Date: Fri Apr 7 16:01:15 2017 +0300

Fixed project creation with Keystone v3

Signe-ooff-by: Anton Kremenetsky <email address hidden>

    Change-Id: Ia2207f0b6a32da2ece6aaef64fd3227e16fb25ec
    Closes-Bug: #1680837
    (cherry picked from commit 412e35a292934da87afd7651f8ac22cfa9d462fa)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.