Bug 1469293

Summary: OSP: admin user can't access projects in different domains
Product: Red Hat CloudForms Management Engine
Reporter: Jeff Warnica <jwarnica>
Component: Providers
Assignee: Marek Aufart <maufart>
Status: CLOSED NOTABUG
QA Contact: Ola Pavlenko <opavlenk>
Severity: urgent
Priority: medium
Version: 5.8.0
CC: dberger, gblomqui, jfrey, jhardy, obarenbo, okolisny, tzumainn
Target Milestone: GA
Target Release: cfme-future
Hardware: Unspecified
OS: Unspecified
Whiteboard: openstack
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-09-22 10:49:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: Openstack

Description Jeff Warnica 2017-07-10 21:36:09 UTC
When configuring an OSP provider with keystone v3, with a properly configured "admin" user in the "Default" domain, it fails to refresh content from other domains.

This is case 3 of https://github.com/ManageIQ/manageiq/issues/13236
 

Putting fog.log into DEBUG, some examples:

FAILURE EXAMPLE 1:

[----] D, [2017-07-10T17:03:47.953859 #19855:84b138] DEBUG -- : excon.request   
{:uri=>"https://10.75.15.138:13000/v3/auth/tokens",
 :method=>"POST",
 :headers=>
  {"User-Agent"=>"fog-core/1.44.3",
   "Content-Type"=>"application/json",
   "Host"=>"10.75.15.138:13000"},
 :body=>
  "{\"auth\":{\"identity\":{\"methods\":[\"password\"],\"password\":{\"user\":{\"password\":\"********\"},\"name\":\"cfadmin\"}}},\"scope\":{\"project\":{\"name\":\"Spirent_NFV\",\"domain\":{\"id\":\"Default\"}}}}}"}

[----] E, [2017-07-10T17:03:48.002882 #19855:84b138] ERROR -- : excon.error     #<Excon::Error::Unauthorized: Expected([201]) <=> Actual(401 Unauthorized)
excon.error.

FAILURE EXAMPLE 2:
[----] D, [2017-07-10T17:03:49.073050 #19855:84b138] DEBUG -- : excon.request   
{:uri=>"https://10.75.15.138:13000/v3/auth/tokens",
 :method=>"POST",
 :headers=>
  {"User-Agent"=>"fog-core/1.44.3",
   "Content-Type"=>"application/json",
   "Host"=>"10.75.15.138:13000"},
 :body=>
  "{\"auth\":{\"identity\":{\"methods\":[\"password\"],\"password\":{\"user\":{\"password\":\"********\"},\"name\":\"cfadmin\"}}},\"scope\":{\"project\":{\"name\":\"VDSI_VNF_ONBOARDING_TESTING\",\"domain\":{\"id\":\"Default\"}}}}}"}

[----] E, [2017-07-10T17:03:49.112364 #19855:84b138] ERROR -- : excon.error     #<Excon::Error::Unauthorized: Expected([201]) <=> Actual(401 Unauthorized)
excon.error.response
  :body          => "{\"error\": {\"message\": \"The request you have made requires authentication.\", \"code\": 401, \"title\": \"Unauthorized\"}}"
  :cookies       => [
  ]
  :headers       => {


SUCCESS EXAMPLE 1:


[----] D, [2017-07-10T17:03:49.119872 #19855:84b138] DEBUG -- : excon.request   
{:uri=>"https://10.75.15.138:13000/v3/auth/tokens",
 :method=>"POST",
 :headers=>
  {"User-Agent"=>"fog-core/1.44.3",
   "Content-Type"=>"application/json",
   "Host"=>"10.75.15.138:13000"},
 :body=>
  "{\"auth\":{\"identity\":{\"methods\":[\"password\"],\"password\":{\"user\":{\"password\":\"********\"},\"name\":\"cfadmin\"}}},\"scope\":{\"project\":{\"name\":\"admin\",\"domain\":{\"id\":\"Default\"}}}}}"}

[----] D, [2017-07-10T17:03:49.312940 #19855:84b138] DEBUG -- : excon.response  
{:status=>201,
 :headers=>
  {"X-Subject-Token"=>"fc8b698ca55a4e55a1d3f15d18e5c1a9",
   "Vary"=>"X-Auth-Token",
   "Content-Type"=>"application/json",
   "Content-Length"=>"6586",

......
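
An added example, not part of the original report and not ManageIQ or fog code: a Ruby triage script that pairs each Keystone v3 token request in a fog DEBUG log with the project/domain scope it asked for and the status that came back. The sample log is constructed (placeholder address and project names, abbreviated bodies), and the function names are hypothetical.

```ruby
# Added example, not ManageIQ or fog code. Summarises Keystone v3 token
# requests found in a fog DEBUG log by the scope each one asked for.

# Constructed sample in the shape of the excerpts above. The second body is
# wrapped in the middle of the project name, as happened in the report.
SAMPLE_LOG = <<~'LOG'
  [----] D, [2017-07-10T17:03:47.953859 #1:a] DEBUG -- : excon.request
  {:uri=>"https://192.0.2.10:13000/v3/auth/tokens",
   :body=>
    "{\"auth\":{\"identity\":{\"methods\":[\"password\"]}},\"scope\":{\"project\":{\"name\":\"tenant_a\",\"domain\":{\"id\":\"Default\"}}}}"}
  [----] E, [2017-07-10T17:03:48.002882 #1:a] ERROR -- : excon.error     #<Excon::Error::Unauthorized: Expected([201]) <=> Actual(401 Unauthorized)
  [----] D, [2017-07-10T17:03:49.073050 #1:a] DEBUG -- : excon.request
  {:uri=>"https://192.0.2.10:13000/v3/auth/tokens",
   :body=>
    "{\"auth\":{\"identity\":{\"methods\":[\"password\"]}},\"scope\":{\"project\":{\"name\":\"tenant_
  b\",\"domain\":{\"id\":\"Default\"}}}}"}
  [----] E, [2017-07-10T17:03:49.112364 #1:a] ERROR -- : excon.error     #<Excon::Error::Unauthorized: Expected([201]) <=> Actual(401 Unauthorized)
  [----] D, [2017-07-10T17:03:49.119872 #1:a] DEBUG -- : excon.request
  {:uri=>"https://192.0.2.10:13000/v3/auth/tokens",
   :body=>
    "{\"auth\":{\"identity\":{\"methods\":[\"password\"]}},\"scope\":{\"project\":{\"name\":\"admin\",\"domain\":{\"id\":\"Default\"}}}}"}
  [----] D, [2017-07-10T17:03:49.312940 #1:a] DEBUG -- : excon.response
  {:status=>201,
LOG

# The logged body is an inspected Ruby string and may not be valid JSON, so
# the scope is pulled out with a pattern instead of a JSON parser.
SCOPE = /"scope":\{"project":\{"name":"([^"]+)","domain":\{"id":"([^"]+)"/

# One hash per token request: requested project, its domain id, HTTP status.
def token_requests(log)
  log.split(/(?=^.*excon\.request)/).filter_map do |chunk|
    flat = chunk.gsub(/\\|\n/, "") # drop string escaping and line wraps
    next unless flat.include?("/v3/auth/tokens") && (m = SCOPE.match(flat))
    status = flat[/Actual\((\d{3})/, 1] || flat[/:status=>(\d{3})/, 1]
    { project: m[1], domain: m[2], status: status&.to_i }
  end
end

# Scopes Keystone answered with 401, as "project@domain_id".
def rejected_scopes(log)
  token_requests(log).select { |r| r[:status] == 401 }
                     .map { |r| "#{r[:project]}@#{r[:domain]}" }
end

# Distinct domain ids the client put in its scope blocks.
def scoped_domains(log)
  token_requests(log).map { |r| r[:domain] }.uniq
end

puts rejected_scopes(SAMPLE_LOG), scoped_domains(SAMPLE_LOG).inspect if __FILE__ == $PROGRAM_NAME
```

A single entry from `scoped_domains` alongside several rejected projects means every request carried the same domain id in its scope, whatever domain those projects actually belong to.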

Comment 2 Marek Aufart 2017-08-15 15:15:25 UTC
This should work as implemented "The provider you are creating will be able to see projects for the given domain only. To see projects for other domains, add it as another cloud provider." [1]

If we need to change the behaviour to make inventory/projects visible for all domains, we can discuss it as an RFE (similar to Openstack discovery).

[1] http://manageiq.org/docs/reference/latest/doc-Managing_Providers/miq/#adding_openstack_cloud_providers

Comment 3 Marek Aufart 2017-09-22 10:49:58 UTC
Closing as not a bug since this is described in Comment #2. Open an RFE if the solution is not acceptable.