After newton deployment _member_ role is missing in keystone

I can confirm I see the same problem on my overcloud. This is causing issues e.g. when using Horizon and trying to manage projects, as every command fails with "Error: Could not find default role "_member_" in Keystone."

Consider that puppet-keystone does no more manage _member_ role since release 5.0.0 because should be created automatically.

Ref: https://github.com/openstack/puppet-keystone/blob/17675623f357dd52a72a44494a3023d7c361133c/CHANGELOG.md#L190

Indeed, not sure what changed during the Newton cycle?

The workaround for now is to create a role named "_member_", which can still be done from Horizon as well.

Here's the commit about puppet no longer creating/checking for the _member_ role that Luca mentions: https://github.com/openstack/puppet-keystone/commit/db8339e6be7f0bb29e7e2e95e0afa04f47cd2003 (2014)

Some additional information:

1. There used to be a fix that created the role automatically on user creation
https://github.com/openstack/puppet-keystone/commit/1b8010

2. That fix was removed in Sept 2015
https://github.com/openstack/puppet-keystone/commit/8461e9

which means it wasn't there in Mitaka either. It's difficult to say if Keystone, puppet-keystone, some other puppet rule were still creating the role until recently.

The easiest fix for now may be to revert/bring back https://github.com/openstack/puppet-keystone/commit/db8339 , since Horizon still requires the role existing to be fully functional.

Does horizon really require that role? It seems there is OPENSTACK_KEYSTONE_DEFAULT_ROLE setting that we can change to the correct role (I suspect Member?).

Il 20 ott 2016 6:20 PM, "Thomas Herve" <email address hidden> ha
scritto:
>
> Does horizon really require that role? It seems there is
> OPENSTACK_KEYSTONE_DEFAULT_ROLE setting that we can change to the
> correct role (I suspect Member?).
>

This is not only a problem about Horizon. There is no member role at all.
Keystone additionally by default needs _member_ as default member role

Keystone will automatically create the _member_ role (or whatever role name/id is configured in keystone.conf) when a user is added to a project if the role doesn't exist already:

  https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L166-L173

The method that this code is a part of is only used by the v2 User class in identity/controller.py:

  https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L33

I suspect that we are only using the v3 API during deployment now, which means that the _member_ role will not be automatically created by Keystone. We should have puppet create the _member_ role.

So _member_ was a work around for Horizon creating and using Member years ago. We need a way to port projects with direct user ownership to everything using assignments, and this was the transition piece.

I suspect that the Tripleo install not using the V2 API no longer creates the _member_ role as a side effect.

We cannot just blindly create the role, as the API does not allow us to specify a role_id. THaw would lead to a regression of : https://bugzilla.redhat.com/show_bug.cgi?id=1129760#c8

I think the best option is going to be a modification of the bootstrap code to create the role.

Thanks everyone for the additional information!

Adam, would it be possible to clarify which bootstrap code you are talking about?

Patch at https://review.openstack.org/#/c/389783/ - thank you Adam!

This bug report might be related to this patch, https://review.openstack.org/#/c/307352/ - is there something wrong we did in that code?

Patch https://review.openstack.org/#/c/389783/ closes the bug from the keystone side

Reviewed: https://review.openstack.org/389783
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=357bb561b8cf0f9d9cb62bf96f346e62f0122965
Submitter: Jenkins
Branch: master

commit 357bb561b8cf0f9d9cb62bf96f346e62f0122965
Author: Adam Young <email address hidden>
Date: Fri Oct 21 12:28:39 2016 -0400

    Create default role as a part of bootstrap

    Closes-Bug #1635306

    Change-Id: Ib9b7fd3695799766c91e2fbeaaa9015c575b2829

Reviewed: https://review.openstack.org/391678
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3609439599571a5919c4e1d328c1f06a8e4422c9
Submitter: Jenkins
Branch: stable/newton

commit 3609439599571a5919c4e1d328c1f06a8e4422c9
Author: Adam Young <email address hidden>
Date: Fri Oct 21 12:28:39 2016 -0400

    Create default role as a part of bootstrap

    Closes-Bug: #1635306

    cherry-picked from 357bb561b8cf0f9d9cb62bf96f346e62f0122965

    Change-Id: Ib9b7fd3695799766c91e2fbeaaa9015c575b2829

After creating a new installation based on Mitaka, I appear to see this as well. No _member_ role is created.

Is there any scope for back-porting the keystone fix to Mitaka?

This works in the last Newton deployment I did, the keystone patch is sufficient to help with this. Thanks again for the fix!

This issue was fixed in the openstack/keystone 10.0.1 release.

This was fixed in keystone and there is no action item for puppet-keystone.