Bug 1258009 - Openstack cloud provider is only showing the admin tenant [NEEDINFO]
Openstack cloud provider is only showing the admin tenant
Status: CLOSED NOTABUG
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Providers (Show other bugs)
5.4.0
Unspecified Unspecified
high Severity high
: GA
: 5.6.0
Assigned To: Tzu-Mainn Chen
Marius Cornea
: Reopened
Depends On:
Blocks: 1259800 1290178
  Show dependency treegraph
 
Reported: 2015-08-28 11:39 EDT by Marius Cornea
Modified: 2017-09-06 00:50 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1259800 1290178 (view as bug list)
Environment:
Last Closed: 2017-05-05 09:21:41 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
gblomqui: needinfo? (jhardy)
tzumainn: needinfo? (srathee)


Attachments (Terms of Use)

  None (edit)
Description Marius Cornea 2015-08-28 11:39:22 EDT
Description of problem:
An Openstack cloud provider is only showing the admin tenant. 

Version-Release number of selected component (if applicable):
5.4.2.0.20150820153254_83e434d

How reproducible:
100%

Steps to Reproduce:
1. Add Openstack cloud provider with multiple tenants
2. Check the tenants in the Cloud tenants tab
3.

Actual results:
Only admin is showing.

Expected results:
All the exiting tenant would show up.

Additional info:

This is the output of the keystone command:

[stack@bldr16cc09 ~]$ keystone tenant-list
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| 204aca6abccd40a7a2311ed4309199f5 |  admin   |   True  |
| a980edf1b76a44df9de971b941968a85 |  marius  |   True  |
| 01ccd8fa666d41dd8509d0447cca2d0b | service  |   True  |
| 2085d07f1741489680dd8dc047749b8d | services |   True  |
+----------------------------------+----------+---------+
Comment 2 Marius Cornea 2015-09-29 13:29:51 EDT
It looks that the admin user also needs to have the admin role assigned for all the other existing tenants in order for the tenants to show up. 

I'm not sure if this is the expected behavior but I believe the admin user should have full visibility when listing the cloud tenants.
Comment 3 Greg Blomquist 2015-10-12 14:30:31 EDT
CloudForms only lists the tenants where the OpenStack user has privileges to collect inventory.  It doesn't list all the tenants that are in OpenStack.

I believe that an admin user can list all of the tenant names.  But, that doesn't always give the admin user access to collect inventory from those tenants.

John,

should we change this behavior?  Should we list all of the tenants even if we can't collect inventory for some tenants?  If so, we'll have to come up with a notion to indicate that the tenant is not enabled for inventory in CloudForms.
Comment 6 Ladislav Smola 2015-11-19 05:02:33 EST
I think requirement right now is to use admin role. With latest patches, refresh should work for _member_ too. But it's the requirement for listing them.

Btw. we currently don't use the all-tenants option, we will be switching to that. I understood there were issues with it in some older OpenStack versions.
Comment 7 Ladislav Smola 2015-11-19 05:04:25 EST
Also for showing tenants, it's the same condition as in Horizon, it also shows only tenants you have role for. That means you can scope you token with that tenant.

I would probably close this as not a bug
Comment 8 Greg Blomquist 2016-02-08 10:52:51 EST
The problem with this is that not all OpenStack services support the "all-tenants" option.  This results in trying to get data across all tenants from *some* services and not being able to get data across all tenants from the remaining services.

We actually used to use the "all-tenants" option for nova and assumed that we could get all data from all tenants by using an OpenStack Admin user.  However, this resulted in several 403-Forbidden errors from the OpenStack API.

It looks like the solution here was to add the Admin user to all of the tenants in order to collect those tenants.  And, as it stands today, that's the current required configuration for CFME to collect data from different tenants in OpenStack.

I'm closing this as notabug.  If I get different feedback from PM on this, then we can reopen as an RFE to change this behavior.

Note You need to log in before you can comment on or make changes to this bug.