Bug 1329635

Summary: [RFE] Keystone domains support
Product: Red Hat CloudForms Management Engine
Reporter: Chris Pelland <cpelland>
Component: Providers
Assignee: Ladislav Smola <lsmola>
Status: CLOSED ERRATA
QA Contact: Ola Pavlenko <opavlenk>
Severity: high
Docs Contact:
Priority: high
Version: 5.4.0
CC: cpelland, dajohnso, dclarizi, eminguez, gblomqui, jfrey, jhardy, jprause, lsmola, mcornea, mfeifer, obarenbo, pneedle, ssainkar, ukalifon
Target Milestone: GA
Keywords: FutureFeature, ZStream
Target Release: 5.5.5
Hardware: Unspecified
OS: Unspecified
Whiteboard: openstack
Fixed In Version: 5.5.5.0
Doc Type: Enhancement
Doc Text:
OpenStack Keystone API v3 supports domains as a high-level container for projects. CloudForms needed to support this feature, starting with a new "Domain" field in the OpenStack provider configuration in the GUI, and modifying all the OpenStack-related methods to log in with the domain + user + password combination and the Keystone v3 endpoint. With this release, the domain field is now enabled. The user added to ManageIQ should be an admin of the domain to be able to list the projects inside it.
Story Points: ---
Clone Of: 1228542
Environment:
Last Closed: 2016-07-26 15:32:41 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1228542, 1244937
Bug Blocks: 1247289

Comment 1 Ladislav Smola 2016-04-22 14:30:25 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1329635

Comment 2 CFME Bot 2016-04-22 18:04:00 UTC
New commit detected on cfme/5.5.z:
https://code.engineering.redhat.com/gerrit/gitweb?p=cfme.git;a=commitdiff;h=ccc2a69c440cb7ef7b6df5ae85a457b9ba37565c

commit ccc2a69c440cb7ef7b6df5ae85a457b9ba37565c
Merge: c709cf5 4e13d10
Author:     Greg Blomquist <gblomqui>
AuthorDate: Fri Apr 22 13:38:42 2016 -0400
Commit:     Greg Blomquist <gblomqui>
CommitDate: Fri Apr 22 13:38:42 2016 -0400

    Merge branch 'bz1228542' into '5.5.z'
    
    Bz1228542
    
    OpenStack make Keystone V3 domain ID configurable
    
    OpenStack make Keystone V3 domain ID configurable
    
    Upstream PR:
    https://github.com/ManageIQ/manageiq/pull/8177
    
    Fixes BZ:
    https://bugzilla.redhat.com/show_bug.cgi?id=1329635
    
    Conflicts:
            app/assets/javascripts/controllers/ems_common/ems_common_form_controller.js
            app/controllers/mixins/ems_common_angular.rb
            gems/pending/openstack/openstack_handle/identity_delegate.rb
    
    Plus manually fixing specs and VCR for keystone v3
    
    See merge request !907

 .../ems_common/ems_common_form_controller.js       |   5 +-
 app/controllers/ems_cloud_controller.rb            |  48 ++-
 app/helpers/ems_cloud_helper/textual_summary.rb    |   8 +-
 .../manageiq/providers/openstack/manager_mixin.rb  |   2 +
 .../views/ems_common/angular/_form.html.haml       |  11 +
 gems/pending/openstack/openstack_handle/handle.rb  |  10 +-
 .../openstack_handle/identity_delegate.rb          |   4 +-
 .../spec/openstack/openstack_handle/handle_spec.rb |  10 +-
 .../openstack/cloud_manager/refresh_spec_common.rb |   2 +-
 .../cloud_manager/refresh_spec_helpers.rb          |  13 +-
 .../refresher_rhos_kilo_keystone_v3_spec.rb        |   2 +-
 .../refresher_rhos_kilo_keystone_v3.yml            | 386 ++++++++++-----------
 12 files changed, 271 insertions(+), 230 deletions(-)

Comment 5 Marius Cornea 2016-05-26 18:17:20 UTC
I'm setting up an overcloud based on the docs @ https://www.rdoproject.org/documentation/domains/

Authentication validation works but refresh fails with the following error:

[----] E, [2016-05-26T14:07:34.413995 #3323:ebd994] ERROR -- : <Fog> excon.error     #<Excon::Errors::NotFound: Expected([200]) <=> Actual(404 Not Found)
excon.error.response
  :body          => "{\"error\": {\"message\": \"The resource could not be found.\", \"code\": 404, \"title\": \"Not Found\"}}"
  :cookies       => [
  ]
  :headers       => {
    "Content-Length"         => "93"
    "Content-Type"           => "application/json"
    "Date"                   => "Thu, 26 May 2016 18:07:34 GMT"
    "Vary"                   => "X-Auth-Token"
    "X-Openstack-Request-Id" => "req-7f28ceb6-d84d-483d-8877-98c015354a5d"
  }
  :host          => "172.16.18.25"
  :local_address => "172.16.17.135"
  :local_port    => 48426
  :path          => "/v2.0/projects"
  :port          => 5000
  :reason_phrase => "Not Found"
  :remote_ip     => "172.16.18.25"
  :status        => 404
  :status_line   => "HTTP/1.1 404 Not Found\r\n"
>


These are the overcloud keystone endpoints:

| keystone   | identity      | regionOne                               |
|            |               |   admin: http://192.168.0.15:35357/v2.0 |
|            |               | regionOne                               |
|            |               |   internal: http://10.0.0.11:5000/v2.0  |
|            |               | regionOne                               |
|            |               |   public: http://172.16.18.25:5000/v2.0 |
|            |               |                                         |
| keystonev3 | identityv3    | regionOne                               |
|            |               |   public: http://172.16.18.25:5000/v3   |
|            |               | regionOne                               |
|            |               |   admin: http://192.168.0.15:35357/v3   |
|            |               | regionOne                               |
|            |               |   internal: http://10.0.0.11:5000/v3    |
=======================================================================

Comment 6 Ladislav Smola 2016-05-27 07:27:34 UTC
I see that our tests have only one keystone endpoint in the catalog:

Service: identity
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminURL  |   http://10.8.99.245:35357/v3    |
|      id     | 1e17993dcd3247c9ad6788571d378ff1 |
| internalURL |    http://10.8.99.245:5000/v3    |
|  publicURL  |    http://10.8.99.245:5000/v3    |
|    region   |            RegionOne             |
+-------------+----------------------------------+

Seems like in your case fog-openstack gets confused and calls 
/v2.0/projects, instead of /v3/projects

Can you try to put there only one endpoint?
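
The failure mode suggested in comment 6, as an added example (not code from fog-openstack or ManageIQ): with both an "identity" and an "identityv3" service in the catalog, a lookup that matches the service type "identity" exactly resolves to the v2.0 base URL, so the v3 project listing is sent to /v2.0/projects. The helper names and the simplified catalog layout are assumptions; the URLs are the public endpoints quoted in comments 5 and 6.

```ruby
require "uri"

# Constructed, simplified catalog shaped like the endpoint list in comment 5:
# the v2.0 API is registered as type "identity", the v3 API as "identityv3".
TWO_SERVICES = [
  { "type" => "identity", "endpoints" => [
    { "interface" => "public", "url" => "http://172.16.18.25:5000/v2.0" }
  ] },
  { "type" => "identityv3", "endpoints" => [
    { "interface" => "public", "url" => "http://172.16.18.25:5000/v3" }
  ] }
].freeze

# Constructed catalog shaped like the test environment in comment 6:
# a single "identity" service that already points at /v3.
ONE_SERVICE = [
  { "type" => "identity", "endpoints" => [
    { "interface" => "public", "url" => "http://10.8.99.245:5000/v3" }
  ] }
].freeze

# Hypothetical naive lookup: match the service type "identity" exactly and
# trust whatever URL it carries, without checking the API version in the path.
def naive_identity_url(catalog, interface: "public")
  service = catalog.find { |s| s["type"] == "identity" }
  service["endpoints"].find { |e| e["interface"] == interface }["url"]
end

# Hypothetical version-aware lookup: consider every identity-like service and
# keep the endpoint whose path equals the API version the caller will speak.
def identity_url_for(catalog, api_version:, interface: "public")
  endpoints = catalog.select { |s| s["type"].start_with?("identity") }
                     .flat_map { |s| s["endpoints"] }
                     .select { |e| e["interface"] == interface }
  match = endpoints.find do |e|
    URI(e["url"]).path.sub(%r{/+\z}, "") == "/#{api_version}"
  end
  raise ArgumentError, "no #{interface} #{api_version} identity endpoint" unless match
  match["url"]
end

# The v3 project listing is GET <identity base>/projects.
def projects_url(base_url)
  "#{base_url.chomp('/')}/projects"
end
```

With the single-service catalog both lookups agree, which is consistent with the test environment in comment 6 not showing the 404.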

Comment 8 Udi Kalifon 2016-05-31 18:47:09 UTC
In bug https://bugzilla.redhat.com/show_bug.cgi?id=1228542 I tried it with one endpoint (I deleted the v2 endpoints) and it still didn't work.

Comment 9 Ladislav Smola 2016-06-13 07:45:16 UTC
Udi, please check with mcornea, we were able to test this. The additional BZs identified are https://bugzilla.redhat.com/show_bug.cgi?id=1341550 and https://bugzilla.redhat.com/show_bug.cgi?id=1340874

Please let me know if you identify more problems, turning this back to post.

Marius, can you also file a BZ for fog-openstack for the case when both keystone and keystonev3 endpoints are present, as described in comment #5?

Comment 10 Udi Kalifon 2016-06-14 13:47:33 UTC
I tried together with mcornea, and it seems like there is a real problem. See comment #13 in https://bugzilla.redhat.com/show_bug.cgi?id=1228542.

Comment 12 Marius Cornea 2016-07-04 11:20:53 UTC
Tested on 5.5.5.0.20160628144838_629f93b, using the steps provided starting at https://bugzilla.redhat.com/show_bug.cgi?id=1228542#c13

Credentials validation works but refresh fails with:

[----] E, [2016-07-04T07:17:19.215460 #15709:499990] ERROR -- : <Fog> excon.error     #<Excon::Error::NotFound: Expected([200]) <=> Actual(404 Not Found)
excon.error.response
  :body          => "{\"error\": {\"message\": \"The resource could not be found.\", \"code\": 404, \"title\": \"Not Found\"}}"
  :cookies       => [
  ]
  :headers       => {
    "Content-Length"         => "93"
    "Content-Type"           => "application/json"
    "Date"                   => "Mon, 04 Jul 2016 11:17:19 GMT"
    "Server"                 => "Apache/2.4.6 (Red Hat Enterprise Linux)"
    "Vary"                   => "X-Auth-Token"
    "x-openstack-request-id" => "req-2859320a-b3e4-4b7f-ac0b-f96de096b983"
  }
  :host          => "172.16.18.25"
  :local_address => "172.16.17.137"
  :local_port    => 52346
  :path          => "/v2.0/projects"
  :port          => 5000
  :reason_phrase => "Not Found"
  :remote_ip     => "172.16.18.25"
  :status        => 404
  :status_line   => "HTTP/1.1 404 Not Found\r\n"
>

[----] E, [2016-07-04T07:17:19.215708 #15709:499990] ERROR -- : MIQ(ManageIQ::Providers::Openstack::CloudManager::Refresher#refresh) EMS: [prov01], id: [1] Refresh failed
[----] E, [2016-07-04T07:17:19.215867 #15709:499990] ERROR -- : [Fog::Identity::OpenStack::NotFound]: Expected([200]) <=> Actual(404 Not Found)
excon.error.response
  :body          => "{\"error\": {\"message\": \"The resource could not be found.\", \"code\": 404, \"title\": \"Not Found\"}}"
  :cookies       => [
  ]
  :headers       => {
    "Content-Length"         => "93"
    "Content-Type"           => "application/json"
    "Date"                   => "Mon, 04 Jul 2016 11:17:19 GMT"
    "Server"                 => "Apache/2.4.6 (Red Hat Enterprise Linux)"
    "Vary"                   => "X-Auth-Token"
    "x-openstack-request-id" => "req-2859320a-b3e4-4b7f-ac0b-f96de096b983"
  }
  :host          => "172.16.18.25"
  :local_address => "172.16.17.137"
  :local_port    => 52346
  :path          => "/v2.0/projects"
  :port          => 5000
  :reason_phrase => "Not Found"
  :remote_ip     => "172.16.18.25"
  :status        => 404
  :status_line   => "HTTP/1.1 404 Not Found\r\n"
  Method:[rescue in block in refresh]
[----] E, [2016-07-04T07:17:19.215934 #15709:499990] ERROR -- : /opt/rh/cfme-gemset/gems/excon-0.50.1/lib/excon/middlewares/expects.rb:6:in `response_call'
/opt/rh/cfme-gemset/gems/excon-0.50.1/lib/excon/middlewares/response_parser.rb:8:in `response_call'
/opt/rh/cfme-gemset/gems/excon-0.50.1/lib/excon/connection.rb:389:in `response'
/opt/rh/cfme-gemset/gems/excon-0.50.1/lib/excon/connection.rb:253:in `request'
/opt/rh/cfme-gemset/gems/fog-core-1.40.0/lib/fog/core/connection.rb:81:in `request'
/opt/rh/cfme-gemset/bundler/gems/fog-f354c8a42dbc/lib/fog/openstack/identity.rb:32:in `request'
/opt/rh/cfme-gemset/bundler/gems/fog-f354c8a42dbc/lib/fog/openstack/requests/identity_v3/list_projects.rb:14:in `list_projects'
/opt/rh/cfme-gemset/bundler/gems/fog-f354c8a42dbc/lib/fog/openstack/models/identity_v3/projects.rb:12:in `all'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/identity_delegate.rb:28:in `visible_tenants_v3'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/identity_delegate.rb:19:in `visible_tenants'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/handle.rb:267:in `tenants'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/handle.rb:275:in `accessible_tenants'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/handle.rb:290:in `accessible_tenant_names'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/handle.rb:294:in `default_tenant_name'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/handle.rb:149:in `connect'
/var/www/miq/vmdb/app/models/manageiq/providers/openstack/manager_mixin.rb:55:in `connect'
/var/www/miq/vmdb/app/models/manageiq/providers/openstack/cloud_manager/refresh_parser.rb:18:in `initialize'
/var/www/miq/vmdb/app/models/manageiq/providers/openstack/cloud_manager/refresh_parser.rb:13:in `new'
/var/www/miq/vmdb/app/models/manageiq/providers/openstack/cloud_manager/refresh_parser.rb:13:in `ems_inv_to_hashes'
/var/www/miq/vmdb/app/models/manageiq/providers/openstack/cloud_manager/refresher.rb:6:in `parse_inventory'
/var/www/miq/vmdb/app/models/ems_refresh/refreshers/ems_refresher_mixin.rb:19:in `block in refresh'
/var/www/miq/vmdb/app/models/ems_refresh/refreshers/ems_refresher_mixin.rb:7:in `each'
/var/www/miq/vmdb/app/models/ems_refresh/refreshers/ems_refresher_mixin.rb:7:in `refresh'
/var/www/miq/vmdb/app/models/manageiq/providers/base_manager/refresher.rb:10:in `refresh'
/var/www/miq/vmdb/app/models/ems_refresh.rb:77:in `block in refresh'
/var/www/miq/vmdb/app/models/ems_refresh.rb:76:in `each'
/var/www/miq/vmdb/app/models/ems_refresh.rb:76:in `refresh'
/var/www/miq/vmdb/app/models/miq_queue.rb:345:in `block in deliver'
/opt/rh/rh-ruby22/root/usr/share/ruby/timeout.rb:89:in `block in timeout'
/opt/rh/rh-ruby22/root/usr/share/ruby/timeout.rb:34:in `block in catch'
/opt/rh/rh-ruby22/root/usr/share/ruby/timeout.rb:34:in `catch'
/opt/rh/rh-ruby22/root/usr/share/ruby/timeout.rb:34:in `catch'
/opt/rh/rh-ruby22/root/usr/share/ruby/timeout.rb:104:in `timeout'
/var/www/miq/vmdb/app/models/miq_queue.rb:341:in `deliver'
/var/www/miq/vmdb/app/models/miq_queue_worker_base/runner.rb:106:in `deliver_queue_message'
/var/www/miq/vmdb/app/models/miq_queue_worker_base/runner.rb:134:in `deliver_message'
/var/www/miq/vmdb/app/models/miq_queue_worker_base/runner.rb:151:in `block in do_work'
/var/www/miq/vmdb/app/models/miq_queue_worker_base/runner.rb:145:in `loop'
/var/www/miq/vmdb/app/models/miq_queue_worker_base/runner.rb:145:in `do_work'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:334:in `block in do_work_loop'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:331:in `loop'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:331:in `do_work_loop'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:153:in `run'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:128:in `start'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:29:in `start_worker'
/var/www/miq/vmdb/lib/workers/bin/worker.rb:2:in `<top (required)>'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/runner.rb:60:in `load'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/runner.rb:60:in `<top (required)>'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/commands_tasks.rb:123:in `require'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/commands_tasks.rb:123:in `require_command!'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/commands_tasks.rb:90:in `runner'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/commands_tasks.rb:39:in `run_command!'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands.rb:17:in `<top (required)>'
/var/www/miq/vmdb/bin/rails:4:in `require'
/var/www/miq/vmdb/bin/rails:4:in `<main>'
[----] E, [2016-07-04T07:17:19.216015 #15709:499990] ERROR -- : MIQ(ManageIQ::Providers::Openstack::CloudManager::Refresher#refresh) EMS: [prov01], id: [1] Unable to perform refresh for the following targets:
[----] E, [2016-07-04T07:17:19.216150 #15709:499990] ERROR -- : MIQ(ManageIQ::Providers::Openstack::CloudManager::Refresher#refresh)  --- ManageIQ::Providers::Openstack::CloudManager [prov01] id [1]

Comment 13 Marius Cornea 2016-07-08 08:39:37 UTC
In order to get refresh to work I had to:

1. Create a v3 Keystone endpoint:

source overcloudrc
keystone service-create --name keystonev3 --type identityv3 --description "Keystone Identity Service v3"  
keystone endpoint-create --region regionOne --service keystonev3 --publicurl "http://172.16.18.25:5000/v3" --adminurl "http://192.168.0.17:35357/v3" --internalurl "http://10.0.0.10:5000/v3"

2. Assign the admin role to the domain admin for the project it has created:

openstack --os-identity-api-version 3 --os-auth-url http://172.16.18.25:5000/v3 --os-username cloud_admin --os-password password --os-domain-name admin_domain --os-user-domain-name admin_domain role add --project project01 --user adm1 admin

Comment 15 errata-xmlrpc 2016-07-26 15:32:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1488.html