Description of problem:
heat-keystone-setup-domain --insecure --stack-domain-admin heat_admin --stack-domain-admin-password rh0s6 --stack-user-domain-name heat fails with the following traceback.

[root@rhos6-storage-1 ~(keystone_admin)]# heat-keystone-setup-domain --insecure --stack-domain-admin heat_admin --stack-domain-admin-password rh0s6 --stack-user-domain-name heat
WARNING (heat-keystone-setup-domain:107) Domain heat already exists
WARNING (heat-keystone-setup-domain:131) User heat_admin already exists
Traceback (most recent call last):
  File "/usr/bin/heat-keystone-setup-domain", line 148, in <module>
    main()
  File "/usr/bin/heat-keystone-setup-domain", line 132, in main
    domain_admin = c.users.list(name=HEAT_DOMAIN_ADMIN)[0]
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/users.py", line 107, in list
    **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 71, in func
    return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 352, in list
    self.collection_key)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 112, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 629, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 621, in _cs_request
    return self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 596, in request
    resp = super(HTTPClient, self).request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/baseclient.py", line 21, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 346, in request
    raise exceptions.from_response(resp, method, url)
keystoneclient.openstack.common.apiclient.exceptions.Unauthorized: The request you have made requires authentication. (HTTP 401)

This causes packstack to fail if it's re-run.

Version-Release number of selected component (if applicable):
openstack-heat-common-2014.2.2-1.el7ost.noarch
openstack-packstack-2014.2-0.16.dev1401.gdd19d48.el7ost.noarch
I raised an upstream bug for this.
This actually looks more like an authentication/permissions error. Is the user you're acting as authorized for the identity:list_users action? I haven't been able to repro this locally (using devstack, haven't tested with packstack yet).
heat-keystone-setup-domain was run from packstack.

I do get a list of users from the "Default" domain by running

# OS_AUTH_URL=http://10.67.50.10:5000/v2.0/ OS_USERNAME=admin OS_PASSWORD=rh0s6 OS_TENANT_NAME=admin keystone user-list

Running the following command, however, in the same environment generates a traceback:

# OS_AUTH_URL=http://10.67.50.10:5000/v2.0/ OS_USERNAME=admin OS_PASSWORD=rh0s6 OS_TENANT_NAME=admin heat-keystone-setup-domain --insecure --stack-domain-admin heat_admin --stack-domain-admin-password rh0s6 --stack-user-domain-name heat

Not sure if this is relevant, but keystone has been configured to use multiple authentication domains.
Can you give me more information about the domains you have configured? I think the problem is that your user has admin privileges, but not on that domain. You should be able to fix that by doing something like:

openstack role add --domain heat --user heat_admin admin

Using Juno packstack I'm able to:

[root@localhost heat(keystone_admin)]# ./bin/heat-keystone-setup-domain --insecure --stack-domain-admin heat_admin --stack-domain-admin-password rh0s6 --stack-user-domain-name heat

Please update your heat.conf with the following in [DEFAULT]

stack_user_domain_id=cf0dc553ba884d88ac834ad580d3ae16
stack_domain_admin=heat_admin
stack_domain_admin_password=rh0s6
[root@localhost heat(keystone_admin)]# ./bin/heat-keystone-setup-domain --insecure --stack-domain-admin heat_admin --stack-domain-admin-password rh0s6 --stack-user-domain-name heat
WARNING (heat-keystone-setup-domain:107) Domain heat already exists
WARNING (heat-keystone-setup-domain:131) User heat_admin already exists

Please update your heat.conf with the following in [DEFAULT]

stack_user_domain_id=cf0dc553ba884d88ac834ad580d3ae16
stack_domain_admin=heat_admin
stack_domain_admin_password=rh0s6
[root@localhost heat(keystone_admin)]#

So re-running heat-keystone-setup-domain seems to work (for me).
Unable to reproduce the specific error. It would be nice to know the original setup that was used in this case.
Someone posted a fix upstream; it looks like the script was not looking at OS_TENANT_NAME, so that sounds consistent with what y'all have found here. David, do you think you could test with the patched script to confirm? https://git.openstack.org/cgit/openstack/heat/plain/bin/heat-keystone-setup-domain?id=501ae172d05c58654bc0c988bc0277a866c235d9
Unfortunately (well, not really, I'm going on vacation...) I don't have access to the environment where I saw this issue until the 20th of April. When I'm back, however, I'll try the patch.
The patched script makes no difference, but I have another idea of what's wrong. In my openstack, I have several domains:

[root@rhos6-storage-1 ~(keystone_admin_v3)]# openstack domain list
+----------------------------------+---------+---------+----------------------------------------------------------------------+
| ID                               | Name    | Enabled | Description                                                          |
+----------------------------------+---------+---------+----------------------------------------------------------------------+
| 05ec65dc11af4a478498d25172ba9388 | heat    | True    | Contains users and projects created by heat                          |
| 7b81af19744a4f22974f3213b0498c33 | CORP    | True    |                                                                      |
| c8afd7b1494242739f644f3929a73bd1 | ad      | False   | foo                                                                  |
| default                          | Default | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
+----------------------------------+---------+---------+----------------------------------------------------------------------+

As admin, I can list the users in all domains except the "ad" domain, which is a legacy domain no longer in use. So is heat-keystone-setup-domain trying to list the users in all domains?
I think this has been fixed (by specifying the domain while listing users) with upstream bug [1] and patch [2], and backported [3] to stable/kilo.

[1] https://bugs.launchpad.net/heat/+bug/1470567
[2] https://review.openstack.org/#/c/197630/
[3] https://review.openstack.org/#/c/197638/
That patch was included in the upstream 2015.1.1 stable release, so we already released it. Closing this bug.
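
The fix referenced above (specifying the domain while listing users), contrasted with the name-only lookup on line 132 of the traceback, as an added example that is not part of the bug report or of Heat's code. FakeUsers and the user IDs are constructed stand-ins for a v3 users.list() call; the domain IDs are the ones from the domain list above. It shows only why a name-only lookup is ambiguous once several domains exist and does not reproduce the HTTP 401.

```python
# Added illustration: FakeUsers is an in-memory stand-in, not keystoneclient.
from collections import namedtuple

User = namedtuple("User", "id name domain_id")

HEAT_DOMAIN = "05ec65dc11af4a478498d25172ba9388"   # "heat" in the domain list
CORP_DOMAIN = "7b81af19744a4f22974f3213b0498c33"   # "CORP" in the domain list
AD_DOMAIN = "c8afd7b1494242739f644f3929a73bd1"     # "ad" (disabled)

# Constructed sample data: user names are unique per domain, not globally.
USERS = [
    User("u-corp-1", "heat_admin", CORP_DOMAIN),
    User("u-heat-1", "heat_admin", HEAT_DOMAIN),
    User("u-def-1", "admin", "default"),
]


class FakeUsers:
    """Mimics the domain/name filters of a v3 users.list() call."""

    def __init__(self, users):
        self._users = list(users)

    def list(self, domain=None, **filters):
        found = self._users
        if domain is not None:
            found = [u for u in found if u.domain_id == domain]
        for key, value in filters.items():
            found = [u for u in found if getattr(u, key) == value]
        return found


def lookup_unscoped(users, name):
    """Pattern from the traceback: first match by name, in any domain."""
    return users.list(name=name)[0]


def lookup_in_domain(users, name, domain_id):
    """Domain-scoped lookup that refuses anything but exactly one match."""
    matches = users.list(domain=domain_id, name=name)
    if len(matches) != 1:
        raise LookupError("expected 1 user %r in domain %s, found %d"
                          % (name, domain_id, len(matches)))
    return matches[0]
```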