Bug 1204866 - heat-keystone-setup-domain fails if domain already exists
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-heat
Version: 6.0 (Juno)
Hardware: Unspecified
OS: Unspecified
: 7.0 (Kilo)
Assignee: Zane Bitter
QA Contact: Amit Ugol
Reported: 2015-03-23 16:22 UTC by David Juran
Modified: 2016-05-05 13:26 UTC

Fixed In Version: openstack-heat-2015.1.1-1.el7ost
Doc Type: Bug Fix
Last Closed: 2016-05-05 13:26:24 UTC


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1470567 0 None None None 2016-05-05 13:18:30 UTC

Description David Juran 2015-03-23 16:22:53 UTC
Description of problem:
 heat-keystone-setup-domain  --insecure --stack-domain-admin heat_admin --stack-domain-admin-password rh0s6 --stack-user-domain-name heat

fails with the following traceback.

[root@rhos6-storage-1 ~(keystone_admin)]# heat-keystone-setup-domain  --insecure --stack-domain-admin heat_admin --stack-domain-admin-password rh0s6 --stack-user-domain-name heat
WARNING (heat-keystone-setup-domain:107) Domain heat already exists
WARNING (heat-keystone-setup-domain:131) User heat_admin already exists
Traceback (most recent call last):
  File "/usr/bin/heat-keystone-setup-domain", line 148, in <module>
    main()
  File "/usr/bin/heat-keystone-setup-domain", line 132, in main
    domain_admin = c.users.list(name=HEAT_DOMAIN_ADMIN)[0]
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/users.py", line 107, in list
    **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 71, in func
    return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 352, in list
    self.collection_key)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 112, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 629, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 621, in _cs_request
    return self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 596, in request
    resp = super(HTTPClient, self).request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/baseclient.py", line 21, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 346, in request
    raise exceptions.from_response(resp, method, url)
keystoneclient.openstack.common.apiclient.exceptions.Unauthorized: The request you have made requires authentication. (HTTP 401)


This causes packstack to fail if it's re-run.

Version-Release number of selected component (if applicable):
openstack-heat-common-2014.2.2-1.el7ost.noarch
openstack-packstack-2014.2-0.16.dev1401.gdd19d48.el7ost.noarch

Comment 4 Zane Bitter 2015-03-23 16:33:18 UTC
I raised an upstream bug for this.

Comment 5 Ryan Brown 2015-03-24 18:33:28 UTC
This actually looks more like an authentication/permissions error. Is the user you're acting as authorized for the identity:list_users action? 

I haven't been able to repro this locally (using devstack, haven't tested with packstack yet).

Comment 6 David Juran 2015-03-25 13:32:42 UTC
heat-keystone-setup-domain was run from packstack.

I do get a list of users from the "Default" domain by running

# OS_AUTH_URL=http://10.67.50.10:5000/v2.0/ OS_USERNAME=admin OS_PASSWORD=rh0s6 OS_TENANT_NAME=admin keystone user-list


Running the following command however, in the same environment generates a traceback:

# OS_AUTH_URL=http://10.67.50.10:5000/v2.0/ OS_USERNAME=admin OS_PASSWORD=rh0s6 OS_TENANT_NAME=admin heat-keystone-setup-domain  --insecure --stack-domain-admin heat_admin --stack-domain-admin-password rh0s6 --stack-user-domain-name heat


Not sure if this is relevant, but keystone has been configured to use multiple authentication domains.

Comment 7 Ryan Brown 2015-03-25 14:21:00 UTC
Can you give me more information about the domains you have configured?

I think the problem is that your user has admin privileges, but not on that domain. You should be able to fix that by doing something like: openstack role add --domain heat --user heat_admin admin

Using Juno packstack I'm able to:

[root@localhost heat(keystone_admin)]# ./bin/heat-keystone-setup-domain  --insecure --stack-domain-admin heat_admin --stack-domain-admin-password rh0s6 --stack-user-domain-name heat

Please update your heat.conf with the following in [DEFAULT]

stack_user_domain_id=cf0dc553ba884d88ac834ad580d3ae16
stack_domain_admin=heat_admin
stack_domain_admin_password=rh0s6
[root@localhost heat(keystone_admin)]# ./bin/heat-keystone-setup-domain  --insecure --stack-domain-admin heat_admin --stack-domain-admin-password rh0s6 --stack-user-domain-name heat
WARNING (heat-keystone-setup-domain:107) Domain heat already exists
WARNING (heat-keystone-setup-domain:131) User heat_admin already exists

Please update your heat.conf with the following in [DEFAULT]

stack_user_domain_id=cf0dc553ba884d88ac834ad580d3ae16
stack_domain_admin=heat_admin
stack_domain_admin_password=rh0s6
[root@localhost heat(keystone_admin)]#

So re-running heat-keystone-setup-domain seems to work (for me).

Comment 8 Amit Ugol 2015-03-25 16:23:46 UTC
Unable to reproduce the specific error. It would be nice to know the original setup that was used in this case.

Comment 9 Zane Bitter 2015-03-27 13:39:09 UTC
Someone posted a fix upstream; it looks like the script was not looking at OS_TENANT_NAME, so that sounds consistent with what y'all have found here. David, do you think you could test with the patched script to confirm?

https://git.openstack.org/cgit/openstack/heat/plain/bin/heat-keystone-setup-domain?id=501ae172d05c58654bc0c988bc0277a866c235d9

Comment 10 David Juran 2015-03-31 14:04:26 UTC
Unfortunately (well not really, I'm going on vacation...) I don't have access to the environment where I saw this issue until the 20th of April. When I'm back, however, I'll try the patch.

Comment 11 David Juran 2015-04-23 09:58:38 UTC
The patched script makes no difference but I have another idea of what's wrong.

In my openstack, I have several domains:

[root@rhos6-storage-1 ~(keystone_admin_v3)]# openstack domain list
+----------------------------------+---------+---------+----------------------------------------------------------------------+
| ID                               | Name    | Enabled | Description                                                          |
+----------------------------------+---------+---------+----------------------------------------------------------------------+
| 05ec65dc11af4a478498d25172ba9388 | heat    | True    | Contains users and projects created by heat                          |
| 7b81af19744a4f22974f3213b0498c33 | CORP    | True    |                                                                      |
| c8afd7b1494242739f644f3929a73bd1 | ad      | False   | foo                                                                  |
| default                          | Default | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
+----------------------------------+---------+---------+----------------------------------------------------------------------+


As admin, I can list the users in all domains except the "ad" domain which is a legacy domain no longer in use. So is heat-keystone-setup-domain trying to list the users in all domains?

Comment 12 Rabi Mishra 2016-05-05 05:12:02 UTC
I think this has been fixed (by specifying the domain while listing users) with upstream bug [1] and patch [2] and backported [3] to stable/kilo.


[1] https://bugs.launchpad.net/heat/+bug/1470567
[2] https://review.openstack.org/#/c/197630/
[3] https://review.openstack.org/#/c/197638/
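
An added example, not the heat script or the upstream patch: a toy in-memory identity service (FakeIdentity and ensure_domain_admin are hypothetical names) showing why the re-run lookup needs the domain filter mentioned in comment 12. It assumes, as comment 11 suspects, that a listing with no domain filter queries every domain; the domain and user names are taken from this report and the user ids are constructed.

```python
# Added illustration: FakeIdentity is a constructed stand-in, not keystoneclient.
class Unauthorized(Exception):
    """Stands in for the HTTP 401 in the traceback."""

class Conflict(Exception):
    """Stands in for the 'already exists' answer on create."""

class FakeIdentity:
    def __init__(self, domains, rejecting=()):
        self.domains = domains            # {domain: {user name: user id}}, constructed
        self.rejecting = set(rejecting)   # domains whose backend refuses the query

    def list_users(self, name, domain=None):
        # Assumption: without a domain filter every domain is queried.
        scope = [domain] if domain is not None else sorted(self.domains)
        found = []
        for dom in scope:
            if dom in self.rejecting:
                raise Unauthorized(dom)
            if name in self.domains[dom]:
                found.append((dom, self.domains[dom][name]))
        return found

    def create_user(self, name, domain):
        if name in self.domains[domain]:
            raise Conflict(name)
        self.domains[domain][name] = "%s/%s" % (domain, name)
        return (domain, self.domains[domain][name])

def ensure_domain_admin(identity, name, domain, scoped=True):
    """Get-or-create the domain admin; the re-run path is the lookup."""
    try:
        return identity.create_user(name, domain)
    except Conflict:
        return identity.list_users(name, domain=domain if scoped else None)[0]

def demo():
    users = {"heat": {}, "default": {"heat_admin": "default/heat_admin"}, "ad": {}}
    broken = FakeIdentity(users, rejecting=["ad"])
    first = ensure_domain_admin(broken, "heat_admin", "heat")
    rerun = ensure_domain_admin(broken, "heat_admin", "heat")
    try:
        unscoped = ensure_domain_admin(broken, "heat_admin", "heat", scoped=False)
    except Unauthorized as exc:
        unscoped = "401 from domain %s" % exc
    # Same re-run with no rejecting domain: [0] is a namesake in another domain.
    healthy = FakeIdentity(users)
    namesake = ensure_domain_admin(healthy, "heat_admin", "heat", scoped=False)
    return first, rerun, unscoped, namesake
```

In this model the unscoped re-run either fails on the rejecting domain or, when every domain answers, returns the first user with that name from whichever domain sorts first, so the scoped lookup is also what keeps later role grants on the intended account.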

Comment 13 Zane Bitter 2016-05-05 13:26:24 UTC
That patch was included in the upstream 2015.1.1 stable release, so we already released it. Closing this bug.

