Authentication failed with keystone-middleware 4.2.0

Bug #1539670 reported by David TARDIVEL on 2016-01-29
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
watcher
Critical
Taylor Peoples

Bug Description

Token verification fails in Watcher API Service.
Watcher Decision Engine and Applier can no more instantiate OS module client (nova, ceilometer, ....) due to Authentication failure.

Watcher shall use auth_plugin feature.

Changed in watcher:
assignee: nobody → Taylor Peoples (tpeoples)
status: Confirmed → In Progress
milestone: none → mitaka-3

Reviewed: https://review.openstack.org/270039
Committed: https://git.openstack.org/cgit/openstack/watcher/commit/?id=9a6811ae6bd07580d2e485b6312821919451dfa4
Submitter: Jenkins
Branch: master

commit 9a6811ae6bd07580d2e485b6312821919451dfa4
Author: Taylor Peoples <email address hidden>
Date: Wed Jan 20 08:15:47 2016 +0100

    Create OpenStackClients convenience class

    The OpenStackClients class provides a convenient way to create and
    cache client instances. The idea behind this code comes from Magnum
    [0].

    The OpenStackClients class will act as the manager of other project's
    clients, providing an easy way to fetch instances of said clients. This
    will allow the clients to be cached.

    An instance of OpenStackClients is created for every call that comes
    into the decision engine and the applier, using the request context to
    pass needed (domain id) parameters to get a Keystone session. This
    instance should be shared as much as possible to avoid additional
    unneccessary connections to the other services.

    This class will also allow for the version of each client to be
    configurable via the watcher.conf file.

    The method by which a Keystone session is also changed to use the
    keystoneauth1.loading library. In order to avoid DuplicateOptErrors
    with the keystone_authtoken group used for the keystonemiddleware in the
    API code, a new conf group named "watcher_clients_auth" is created. A
    typical configuration using a password authentication scheme will look
    like:
      [watcher_clients_auth]
      auth_type = password
      auth_url = http://<server-ip>:<port>
      username = <username>
      password = <password>
      project_domain_id = default
      user_domain_id = default

    [0]: https://github.com/openstack/magnum/blob/master/magnum/common/clients.py

    DocImpact
    Change-Id: Iab9d0b304099686da2e9e2b19e8b1de4332ff378
    Implements: blueprint external-api-versioning
    Closes-Bug: #1530790
    Closes-Bug: #1539670
    Closes-Bug: #1522774

Changed in watcher:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers