After newton deployment _member_ role is missing in keystone

Bug #1635306 reported by Luca Lorenzetto on 2016-10-20
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | | High | Adam Young |
Newton | | High | Adam Young |
puppet-keystone | | Undecided | Unassigned |
tripleo | | High | Unassigned |

Bug Description

I did a full deployment using RDO Newton and at the end of deployment I see the _member_ role is missing.

[stack@topstrio1101 ~]$ openstack role list
+----------------------------------+-----------------+
| ID                               | Name            |
+----------------------------------+-----------------+
| 023e0f4fc56a47f7bada5fd512bab014 | swiftoperator   |
| 48e4519e09b4469bbbf5c533830d3ad8 | heat_stack_user |
| 52be634093e14ea7a1acdf3f5ec12066 | admin           |
| a1f8e6636dc842d8a896a3e903298997 | ResellerAdmin   |
+----------------------------------+-----------------+

In Mitaka _member_ role has been created correctly.

Julie Pichon (jpichon) wrote :

I can confirm I see the same problem on my overcloud. This is causing issues e.g. when using Horizon and trying to manage projects, as every command fails with "Error: Could not find default role "_member_" in Keystone."

Changed in tripleo:
status: New → Triaged
importance: Undecided → High
tags: added: newton-backport-potential
Changed in tripleo:
milestone: none → ocata-1

Consider that puppet-keystone no longer manages the _member_ role since release 5.0.0 because it should be created automatically.

Ref: https://github.com/openstack/puppet-keystone/blob/17675623f357dd52a72a44494a3023d7c361133c/CHANGELOG.md#L190

Julie Pichon (jpichon) wrote :

Indeed, not sure what changed during the Newton cycle?

The workaround for now is to create a role named "_member_", which can still be done from Horizon as well.

Julie Pichon (jpichon) wrote :

Here's the commit about puppet no longer creating/checking for the _member_ role that Luca mentions: https://github.com/openstack/puppet-keystone/commit/db8339e6be7f0bb29e7e2e95e0afa04f47cd2003 (2014)

Julie Pichon (jpichon) wrote :

Some additional information:

1. There used to be a fix that created the role automatically on user creation
https://github.com/openstack/puppet-keystone/commit/1b8010

2. That fix was removed in Sept 2015
https://github.com/openstack/puppet-keystone/commit/8461e9

which means it wasn't there in Mitaka either. It's difficult to say if Keystone, puppet-keystone, some other puppet rule were still creating the role until recently.

The easiest fix for now may be to revert/bring back https://github.com/openstack/puppet-keystone/commit/db8339 , since Horizon still requires the role existing to be fully functional.

Thomas Herve (therve) wrote :

Does horizon really require that role? It seems there is OPENSTACK_KEYSTONE_DEFAULT_ROLE setting that we can change to the correct role (I suspect Member?).

On 20 Oct 2016 6:20 PM, "Thomas Herve" <email address hidden> wrote:
>
> Does horizon really require that role? It seems there is
> OPENSTACK_KEYSTONE_DEFAULT_ROLE setting that we can change to the
> correct role (I suspect Member?).
>

This is not only a problem with Horizon. There is no member role at all.
Additionally, Keystone by default needs _member_ as the default member role.

Nathan Kinder (nkinder) wrote :

Keystone will automatically create the _member_ role (or whatever role name/id is configured in keystone.conf) when a user is added to a project if the role doesn't exist already:

  https://github.com/openstack/keystone/blob/master/keystone/assignment/core.py#L166-L173

The method that this code is a part of is only used by the v2 User class in identity/controller.py:

  https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L33

I suspect that we are only using the v3 API during deployment now, which means that the _member_ role will not be automatically created by Keystone. We should have puppet create the _member_ role.

Adam Young (ayoung) wrote :

So _member_ was a work around for Horizon creating and using Member years ago. We need a way to port projects with direct user ownership to everything using assignments, and this was the transition piece.

I suspect that the Tripleo install not using the V2 API no longer creates the _member_ role as a side effect.

We cannot just blindly create the role, as the API does not allow us to specify a role_id. That would lead to a regression of: https://bugzilla.redhat.com/show_bug.cgi?id=1129760#c8
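
The two comments above turn on the role name and role ID that keystone.conf configures as the default member role. The following check is an added example, not part of the bug report or of keystone's code: it compares those settings with the output of `openstack role list -f json` and separates a missing role from one that exists under a different ID. The sample inputs are constructed from the role list in the report, and the fallback values are assumed to be keystone's defaults for `member_role_name` and `member_role_id`.

```python
import configparser
import json

# Assumed keystone defaults for [DEFAULT] member_role_name / member_role_id;
# verify them against the keystone.conf sample of your release.
DEFAULT_NAME = "_member_"
DEFAULT_ID = "9fe2ff9ee4384b1894a90878d3e92bab"

# Constructed sample input: the role list from the report, in the shape
# `openstack role list -f json` prints, and a minimal keystone.conf.
SAMPLE_ROLES = json.dumps([
    {"ID": "023e0f4fc56a47f7bada5fd512bab014", "Name": "swiftoperator"},
    {"ID": "48e4519e09b4469bbbf5c533830d3ad8", "Name": "heat_stack_user"},
    {"ID": "52be634093e14ea7a1acdf3f5ec12066", "Name": "admin"},
    {"ID": "a1f8e6636dc842d8a896a3e903298997", "Name": "ResellerAdmin"},
])
SAMPLE_CONF = "[DEFAULT]\n#member_role_name = _member_\n"


def configured_member_role(conf_text):
    """Return the (name, id) keystone.conf selects as default member role."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    name = cp.get("DEFAULT", "member_role_name", fallback=DEFAULT_NAME)
    role_id = cp.get("DEFAULT", "member_role_id", fallback=DEFAULT_ID)
    return name, role_id


def check_member_role(conf_text, role_list_json):
    """Classify a deployment as 'ok', 'missing' or 'id-mismatch'."""
    name, role_id = configured_member_role(conf_text)
    roles = {r["Name"]: r["ID"] for r in json.loads(role_list_json)}
    if name not in roles:
        return "missing"        # the state reported in this bug
    if roles[name] != role_id:
        return "id-mismatch"    # role exists, but not under the configured ID
    return "ok"


if __name__ == "__main__":
    print(check_member_role(SAMPLE_CONF, SAMPLE_ROLES))
```

A role created afterwards through the API or Horizon receives a generated ID, so this check reports `id-mismatch` for it unless `member_role_id` in keystone.conf is set to that ID.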

Adam Young (ayoung) wrote :

I think the best option is going to be a modification of the bootstrap code to create the role.

Julie Pichon (jpichon) wrote :

Thanks everyone for the additional information!

Adam, would it be possible to clarify which bootstrap code you are talking about?

Julie Pichon (jpichon) wrote :

Patch at https://review.openstack.org/#/c/389783/ - thank you Adam!

Emilien Macchi (emilienm) wrote :

This bug report might be related to this patch, https://review.openstack.org/#/c/307352/ - is there something wrong we did in that code?

Steve Martinelli (stevemar) wrote :

Patch https://review.openstack.org/#/c/389783/ closes the bug from the keystone side

Changed in keystone:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Adam Young (ayoung)
milestone: none → ocata-1

Reviewed: https://review.openstack.org/389783
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=357bb561b8cf0f9d9cb62bf96f346e62f0122965
Submitter: Jenkins
Branch: master

commit 357bb561b8cf0f9d9cb62bf96f346e62f0122965
Author: Adam Young <email address hidden>
Date: Fri Oct 21 12:28:39 2016 -0400

    Create default role as a part of bootstrap

    Closes-Bug #1635306

    Change-Id: Ib9b7fd3695799766c91e2fbeaaa9015c575b2829

Changed in keystone:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/391678
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3609439599571a5919c4e1d328c1f06a8e4422c9
Submitter: Jenkins
Branch: stable/newton

commit 3609439599571a5919c4e1d328c1f06a8e4422c9
Author: Adam Young <email address hidden>
Date: Fri Oct 21 12:28:39 2016 -0400

    Create default role as a part of bootstrap

    Closes-Bug: #1635306

    cherry-picked from 357bb561b8cf0f9d9cb62bf96f346e62f0122965

    Change-Id: Ib9b7fd3695799766c91e2fbeaaa9015c575b2829

jcat (jcat) wrote :

After creating a new installation based on Mitaka, I appear to see this as well. No _member_ role is created.

Is there any scope for back-porting the keystone fix to Mitaka?

Steven Hardy (shardy) on 2016-11-11
Changed in tripleo:
milestone: ocata-1 → ocata-2

Julie Pichon (jpichon) wrote :

This works in the last Newton deployment I did, the keystone patch is sufficient to help with this. Thanks again for the fix!

Changed in tripleo:
status: Triaged → Invalid

This issue was fixed in the openstack/keystone 10.0.1 release.
