Bug 1508904

Summary: Keystone roles for Octavia is not created after deployment or for new tenants
Product: Red Hat OpenStack Reporter: Alexander Stafeyev <astafeye>
Component: puppet-octaviaAssignee: Brent Eagles <beagles>
Status: CLOSED WONTFIX QA Contact: Alexander Stafeyev <astafeye>
Severity: high Docs Contact:
Priority: high    
Version: 12.0 (Pike)CC: amuller, astafeye, bcafarel, beagles, cgoncalves, jlibosva, nmanos
Target Milestone: rcKeywords: Reopened, Triaged
Target Release: 13.0 (Queens)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: puppet-octavia-12.4.0-0.20180329041637.3bc0f6b.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-13 16:40:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1433523, 1533563    

Description Alexander Stafeyev 2017-11-02 13:28:12 UTC 
Description of problem:
Octavia roles are not created . Failed running tests. 

ERROR: setUpClass (octavia_tempest_plugin.tests.v2.scenario.test_basic_ops.BasicOpsTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "tempest/test.py", line 172, in setUpClass
    six.reraise(etype, value, trace)
  File "tempest/test.py", line 157, in setUpClass
    cls.setup_credentials()
  File "tempest/test.py", line 401, in setup_credentials
    force_new=True)
  File "tempest/test.py", line 670, in get_client_manager
    creds = cred_provider.get_creds_by_roles(**params)
  File "tempest/lib/common/dynamic_creds.py", line 373, in get_creds_by_roles
    return self.get_credentials(roles)
  File "tempest/lib/common/dynamic_creds.py", line 338, in get_credentials
    credentials = self._create_creds(roles=credential_type)
  File "tempest/lib/common/dynamic_creds.py", line 203, in _create_creds
    self.creds_client.assign_user_role(user, project, role)
  File "tempest/lib/common/cred_client.py", line 76, in assign_user_role
    raise lib_exc.NotFound(msg)
tempest.lib.exceptions.NotFound: Object not found
Details: No "load-balancer_member" role found



How reproducible:
100%

Steps to Reproduce:
1. Create tempest docker - https://github.com/itzikb/docker-tempest
2. clone octavia plugin https://github.com/openstack/octavia-tempest-plugin.git
3. Cherry pick the plugin patch - git fetch https://git.openstack.org/openstack/octavia-tempest-plugin refs/changes/75/486775/39 && git checkout FETCH_HEAD 
4. pip install -e . from plugin dir, to install plugin. 
5. try to run Octavia test. 

Actual results:
Details: No "load-balancer_member" role found

Expected results:
The test should run 

Additional info:
Work around : 

0. from stack machine: a- . overcloudrc , b-  openstack role create load-balancer_member , c- openstack role add --user demo --project demo load-balancer_member 
1. int the plugin dir - pip install -e .
2. Run test
Comment 1 Martin Kopec 2017-11-30 11:16:05 UTC 
python-tempestconf doesn't create roles, it mostly scans the environment and generates tempest.conf based on the cloud.

Personally I like the idea, I'd like to implement it. It will be discussed and maybe it will be part of the ongoing refactoring process, but for now, it's not a bug.

I'd say the role should be created by the test, as it's a required resource, and cleaned afterwards.
Comment 4 Nir Magnezi 2017-12-13 12:52:42 UTC 
As a follow up to our IRC discussion, this should be done by the deployer.
Moving to Brent.
Comment 5 Nir Magnezi 2017-12-13 12:53:04 UTC 
Mail, not IRC. Sorry.
Comment 7 Carlos Goncalves 2018-03-20 16:43:10 UTC 
A workaround patch in Infrared has been proposed: https://review.gerrithub.io/#/c/404354/
Comment 9 Nir Magnezi 2018-03-21 13:00:15 UTC 
The patch in comment #7 is actually a workaround done in infrared (CI tool we use to invoke TripleO), whereas the fix should be a part of TripleO itself. Thus, moving back to assigned.



Brent, will you have time to get to this soon?
Comment 10 Nir Magnezi 2018-04-08 11:30:37 UTC 
*** Bug 1560279 has been marked as a duplicate of this bug. ***
Comment 11 Nir Magnezi 2018-04-16 08:53:24 UTC 
Brent,
If we can't get cycles upstream for a review to https://review.openstack.org/#/c/561347 , maybe we should backport downstream?

I can help with the backport, but I would like to run it by you first.
Comment 13 Carlos Goncalves 2018-04-16 14:12:22 UTC 
https://review.openstack.org/#/c/560083/ is also required.
Comment 14 Nir Magnezi 2018-04-16 14:17:10 UTC 
(In reply to Carlos Goncalves from comment #13)
> https://review.openstack.org/#/c/560083/ is also required.

since this fix is a part of tripleo-heat-templates (not puppet-octavia), it should be under a different rhbz.
Comment 21 Nir Magnezi 2018-05-13 16:40:55 UTC 
Eventually, for OSP13 we are going to fix this with policy.json in packaging.
See bug 1577635.
Comment 22 Noam Manos 2018-05-16 12:35:08 UTC 
Running octavia tempest tests, after first workaround, still returns:
No "load-balancer_admin" role found

So the updated workaround is:

(overcloud) [stack@undercloud-0]$

openstack role list | grep -q load-balancer_member || openstack role create load-balancer_member
openstack role add --user demo --project demo load-balancer_member
openstack role assignment list --names
openstack role list | grep -q load-balancer_admin || openstack role create load-balancer_admin
openstack role add --user demo --project demo load-balancer_admin
openstack role assignment list --names | awk 'NR<4 || /load-balancer/'