Bug 1329635 - [RFE] Keystone domains support
Summary: [RFE] Keystone domains support
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Providers
Version: 5.4.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.5.5
Assignee: Ladislav Smola
QA Contact: Ola Pavlenko
URL:
Whiteboard: openstack
Depends On: 1228542 1244937
Blocks: 1247289
Reported: 2016-04-22 12:26 UTC by Chris Pelland
Modified: 2020-03-11 15:06 UTC

Fixed In Version: 5.5.5.0
Doc Type: Enhancement
Doc Text:
OpenStack Keystone API v3 supports domains as a high-level container for projects. CloudForms needed to support this feature, starting with a new "Domain" field in the OpenStack provider configuration in the GUI and changes to all OpenStack-related methods so that they log in with the domain + user + password combination against the Keystone v3 endpoint. With this release, the Domain field is now enabled. The user added to ManageIQ should be an admin of the domain to be able to list the projects inside it.
Clone Of: 1228542
Environment:
Last Closed: 2016-07-26 15:32:41 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:


Links
| System | ID | Priority | Status | Summary | Last Updated |
| Red Hat Knowledge Base (Solution) | 2604351 | None | None | None | 2016-09-06 16:26:09 UTC |
| Red Hat Product Errata | RHBA-2016:1488 | normal | SHIPPED_LIVE | CFME 5.5.5 bug fixes and enhancement update | 2016-07-26 19:28:27 UTC |

Comment 1 Ladislav Smola 2016-04-22 14:30:25 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1329635

Comment 2 CFME Bot 2016-04-22 18:04:00 UTC
New commit detected on cfme/5.5.z:
https://code.engineering.redhat.com/gerrit/gitweb?p=cfme.git;a=commitdiff;h=ccc2a69c440cb7ef7b6df5ae85a457b9ba37565c

commit ccc2a69c440cb7ef7b6df5ae85a457b9ba37565c
Merge: c709cf5 4e13d10
Author:     Greg Blomquist <gblomqui@redhat.com>
AuthorDate: Fri Apr 22 13:38:42 2016 -0400
Commit:     Greg Blomquist <gblomqui@redhat.com>
CommitDate: Fri Apr 22 13:38:42 2016 -0400

    Merge branch 'bz1228542' into '5.5.z'
    
    Bz1228542
    
    OpenStack make Keystone V3 domain ID configurable
    
    OpenStack make Keystone V3 domain ID configurable
    
    Upstream PR:
    https://github.com/ManageIQ/manageiq/pull/8177
    
    Fixes BZ:
    https://bugzilla.redhat.com/show_bug.cgi?id=1329635
    
    Conflicts:
            app/assets/javascripts/controllers/ems_common/ems_common_form_controller.js
            app/controllers/mixins/ems_common_angular.rb
            gems/pending/openstack/openstack_handle/identity_delegate.rb
    
    Plus manually fixing specs and VCR for keystone v3
    
    See merge request !907

 .../ems_common/ems_common_form_controller.js       |   5 +-
 app/controllers/ems_cloud_controller.rb            |  48 ++-
 app/helpers/ems_cloud_helper/textual_summary.rb    |   8 +-
 .../manageiq/providers/openstack/manager_mixin.rb  |   2 +
 .../views/ems_common/angular/_form.html.haml       |  11 +
 gems/pending/openstack/openstack_handle/handle.rb  |  10 +-
 .../openstack_handle/identity_delegate.rb          |   4 +-
 .../spec/openstack/openstack_handle/handle_spec.rb |  10 +-
 .../openstack/cloud_manager/refresh_spec_common.rb |   2 +-
 .../cloud_manager/refresh_spec_helpers.rb          |  13 +-
 .../refresher_rhos_kilo_keystone_v3_spec.rb        |   2 +-
 .../refresher_rhos_kilo_keystone_v3.yml            | 386 ++++++++++-----------
 12 files changed, 271 insertions(+), 230 deletions(-)

Comment 5 Marius Cornea 2016-05-26 18:17:20 UTC
I'm setting an overcloud based on the docs @ https://www.rdoproject.org/documentation/domains/

Authentication validation works but refresh fails with the following error:

[----] E, [2016-05-26T14:07:34.413995 #3323:ebd994] ERROR -- : <Fog> excon.error     #<Excon::Errors::NotFound: Expected([200]) <=> Actual(404 Not Found)
excon.error.response
  :body          => "{\"error\": {\"message\": \"The resource could not be found.\", \"code\": 404, \"title\": \"Not Found\"}}"
  :cookies       => [
  ]
  :headers       => {
    "Content-Length"         => "93"
    "Content-Type"           => "application/json"
    "Date"                   => "Thu, 26 May 2016 18:07:34 GMT"
    "Vary"                   => "X-Auth-Token"
    "X-Openstack-Request-Id" => "req-7f28ceb6-d84d-483d-8877-98c015354a5d"
  }
  :host          => "172.16.18.25"
  :local_address => "172.16.17.135"
  :local_port    => 48426
  :path          => "/v2.0/projects"
  :port          => 5000
  :reason_phrase => "Not Found"
  :remote_ip     => "172.16.18.25"
  :status        => 404
  :status_line   => "HTTP/1.1 404 Not Found\r\n"
>


These are the overcloud keystone endpoints:

| keystone   | identity      | regionOne                               |
|            |               |   admin: http://192.168.0.15:35357/v2.0 |
|            |               | regionOne                               |
|            |               |   internal: http://10.0.0.11:5000/v2.0  |
|            |               | regionOne                               |
|            |               |   public: http://172.16.18.25:5000/v2.0 |
|            |               |                                         |
| keystonev3 | identityv3    | regionOne                               |
|            |               |   public: http://172.16.18.25:5000/v3   |
|            |               | regionOne                               |
|            |               |   admin: http://192.168.0.15:35357/v3   |
|            |               | regionOne                               |
|            |               |   internal: http://10.0.0.11:5000/v3    |
=======================================================================

Comment 6 Ladislav Smola 2016-05-27 07:27:34 UTC
I see that our tests have only one keystone endpoint in the catalog:

Service: identity
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminURL  |   http://10.8.99.245:35357/v3    |
|      id     | 1e17993dcd3247c9ad6788571d378ff1 |
| internalURL |    http://10.8.99.245:5000/v3    |
|  publicURL  |    http://10.8.99.245:5000/v3    |
|    region   |            RegionOne             |
+-------------+----------------------------------+

Seems like in your case fog-openstack gets confused and calls 
/v2.0/projects, instead of /v3/projects

Can you try to put there only one endpoint?
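
Added example, not part of the thread and not fog-openstack or ManageIQ code: a Ruby sketch of how a catalog that publishes both a `/v2.0` and a `/v3` identity service can produce the `/v2.0/projects` request seen in comment 5, next to a lookup that selects the endpoint by API version. The catalog hash layout, the sample data (modeled on the endpoint listing in comment 5) and all method names are assumptions made for illustration.

```ruby
require "uri"

# Constructed sample shaped like the catalog in comment 5: two identity
# services, one publishing /v2.0 URLs and one publishing /v3 URLs.
CATALOG = [
  { "name" => "keystone", "type" => "identity",
    "endpoints" => [
      { "interface" => "public", "url" => "http://172.16.18.25:5000/v2.0" },
      { "interface" => "admin",  "url" => "http://192.168.0.15:35357/v2.0" }] },
  { "name" => "keystonev3", "type" => "identityv3",
    "endpoints" => [
      { "interface" => "public", "url" => "http://172.16.18.25:5000/v3" },
      { "interface" => "admin",  "url" => "http://192.168.0.15:35357/v3" }] }
].freeze

# Version segment of an endpoint URL path, e.g. "v2.0" or "v3"; nil if absent.
def endpoint_version(url)
  URI.parse(url).path[%r{\A/(v\d+(?:\.\d+)?)(?:/|\z)}, 1]
end

# Naive lookup (hypothetical): first endpoint of the service typed "identity".
def naive_identity_url(catalog, interface: "public")
  svc = catalog.find { |s| s["type"] == "identity" }
  ep = svc && svc["endpoints"].find { |e| e["interface"] == interface }
  ep && ep["url"]
end

# Version-aware lookup (hypothetical): consider every identity* service and
# return only an endpoint whose path carries the requested major version.
def versioned_identity_url(catalog, major:, interface: "public")
  catalog.select { |s| s["type"].start_with?("identity") }
         .flat_map { |s| s["endpoints"] }
         .select { |e| e["interface"] == interface }
         .map { |e| e["url"] }
         .find { |u| endpoint_version(u).to_s.start_with?("v#{major}") }
end

# Full request URL for a resource under the chosen endpoint (nil if none).
def resource_url(base, resource)
  base && "#{base.chomp('/')}/#{resource}"
end
```

With the sample catalog, the naive lookup yields a `projects` URL under `/v2.0`, which matches the 404 path in the log, while the version-aware lookup yields the `/v3` URL or nothing at all when no v3 endpoint is published.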

Comment 8 Udi 2016-05-31 18:47:09 UTC
In bug https://bugzilla.redhat.com/show_bug.cgi?id=1228542 I tried it with one endpoint (I deleted the v2 endpoints) and it still didn't work.

Comment 9 Ladislav Smola 2016-06-13 07:45:16 UTC
Udi please check with mcornea, we were able to test this. The additional BZs identified are https://bugzilla.redhat.com/show_bug.cgi?id=1341550 and https://bugzilla.redhat.com/show_bug.cgi?id=1340874

Please let me know if you identify more problems, turning this back to post.

Marius, can you also fill the BZ for the fog-openstack, when there are both keystone and keystonev3 endpoints present, as commented in comment #5?

Comment 10 Udi 2016-06-14 13:47:33 UTC
I tried together with mcornea, and it seems like there is a real problem. See comment #13 in https://bugzilla.redhat.com/show_bug.cgi?id=1228542.

Comment 12 Marius Cornea 2016-07-04 11:20:53 UTC
Tested on 5.5.5.0.20160628144838_629f93b, using the steps provided starting https://bugzilla.redhat.com/show_bug.cgi?id=1228542#c13

Credentials validation works but refresh fails with:

[----] E, [2016-07-04T07:17:19.215460 #15709:499990] ERROR -- : <Fog> excon.error     #<Excon::Error::NotFound: Expected([200]) <=> Actual(404 Not Found)
excon.error.response
  :body          => "{\"error\": {\"message\": \"The resource could not be found.\", \"code\": 404, \"title\": \"Not Found\"}}"
  :cookies       => [
  ]
  :headers       => {
    "Content-Length"         => "93"
    "Content-Type"           => "application/json"
    "Date"                   => "Mon, 04 Jul 2016 11:17:19 GMT"
    "Server"                 => "Apache/2.4.6 (Red Hat Enterprise Linux)"
    "Vary"                   => "X-Auth-Token"
    "x-openstack-request-id" => "req-2859320a-b3e4-4b7f-ac0b-f96de096b983"
  }
  :host          => "172.16.18.25"
  :local_address => "172.16.17.137"
  :local_port    => 52346
  :path          => "/v2.0/projects"
  :port          => 5000
  :reason_phrase => "Not Found"
  :remote_ip     => "172.16.18.25"
  :status        => 404
  :status_line   => "HTTP/1.1 404 Not Found\r\n"
>

[----] E, [2016-07-04T07:17:19.215708 #15709:499990] ERROR -- : MIQ(ManageIQ::Providers::Openstack::CloudManager::Refresher#refresh) EMS: [prov01], id: [1] Refresh failed
[----] E, [2016-07-04T07:17:19.215867 #15709:499990] ERROR -- : [Fog::Identity::OpenStack::NotFound]: Expected([200]) <=> Actual(404 Not Found)
excon.error.response
  :body          => "{\"error\": {\"message\": \"The resource could not be found.\", \"code\": 404, \"title\": \"Not Found\"}}"
  :cookies       => [
  ]
  :headers       => {
    "Content-Length"         => "93"
    "Content-Type"           => "application/json"
    "Date"                   => "Mon, 04 Jul 2016 11:17:19 GMT"
    "Server"                 => "Apache/2.4.6 (Red Hat Enterprise Linux)"
    "Vary"                   => "X-Auth-Token"
    "x-openstack-request-id" => "req-2859320a-b3e4-4b7f-ac0b-f96de096b983"
  }
  :host          => "172.16.18.25"
  :local_address => "172.16.17.137"
  :local_port    => 52346
  :path          => "/v2.0/projects"
  :port          => 5000
  :reason_phrase => "Not Found"
  :remote_ip     => "172.16.18.25"
  :status        => 404
  :status_line   => "HTTP/1.1 404 Not Found\r\n"
  Method:[rescue in block in refresh]
[----] E, [2016-07-04T07:17:19.215934 #15709:499990] ERROR -- : /opt/rh/cfme-gemset/gems/excon-0.50.1/lib/excon/middlewares/expects.rb:6:in `response_call'
/opt/rh/cfme-gemset/gems/excon-0.50.1/lib/excon/middlewares/response_parser.rb:8:in `response_call'
/opt/rh/cfme-gemset/gems/excon-0.50.1/lib/excon/connection.rb:389:in `response'
/opt/rh/cfme-gemset/gems/excon-0.50.1/lib/excon/connection.rb:253:in `request'
/opt/rh/cfme-gemset/gems/fog-core-1.40.0/lib/fog/core/connection.rb:81:in `request'
/opt/rh/cfme-gemset/bundler/gems/fog-f354c8a42dbc/lib/fog/openstack/identity.rb:32:in `request'
/opt/rh/cfme-gemset/bundler/gems/fog-f354c8a42dbc/lib/fog/openstack/requests/identity_v3/list_projects.rb:14:in `list_projects'
/opt/rh/cfme-gemset/bundler/gems/fog-f354c8a42dbc/lib/fog/openstack/models/identity_v3/projects.rb:12:in `all'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/identity_delegate.rb:28:in `visible_tenants_v3'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/identity_delegate.rb:19:in `visible_tenants'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/handle.rb:267:in `tenants'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/handle.rb:275:in `accessible_tenants'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/handle.rb:290:in `accessible_tenant_names'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/handle.rb:294:in `default_tenant_name'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/handle.rb:149:in `connect'
/var/www/miq/vmdb/app/models/manageiq/providers/openstack/manager_mixin.rb:55:in `connect'
/var/www/miq/vmdb/app/models/manageiq/providers/openstack/cloud_manager/refresh_parser.rb:18:in `initialize'
/var/www/miq/vmdb/app/models/manageiq/providers/openstack/cloud_manager/refresh_parser.rb:13:in `new'
/var/www/miq/vmdb/app/models/manageiq/providers/openstack/cloud_manager/refresh_parser.rb:13:in `ems_inv_to_hashes'
/var/www/miq/vmdb/app/models/manageiq/providers/openstack/cloud_manager/refresher.rb:6:in `parse_inventory'
/var/www/miq/vmdb/app/models/ems_refresh/refreshers/ems_refresher_mixin.rb:19:in `block in refresh'
/var/www/miq/vmdb/app/models/ems_refresh/refreshers/ems_refresher_mixin.rb:7:in `each'
/var/www/miq/vmdb/app/models/ems_refresh/refreshers/ems_refresher_mixin.rb:7:in `refresh'
/var/www/miq/vmdb/app/models/manageiq/providers/base_manager/refresher.rb:10:in `refresh'
/var/www/miq/vmdb/app/models/ems_refresh.rb:77:in `block in refresh'
/var/www/miq/vmdb/app/models/ems_refresh.rb:76:in `each'
/var/www/miq/vmdb/app/models/ems_refresh.rb:76:in `refresh'
/var/www/miq/vmdb/app/models/miq_queue.rb:345:in `block in deliver'
/opt/rh/rh-ruby22/root/usr/share/ruby/timeout.rb:89:in `block in timeout'
/opt/rh/rh-ruby22/root/usr/share/ruby/timeout.rb:34:in `block in catch'
/opt/rh/rh-ruby22/root/usr/share/ruby/timeout.rb:34:in `catch'
/opt/rh/rh-ruby22/root/usr/share/ruby/timeout.rb:34:in `catch'
/opt/rh/rh-ruby22/root/usr/share/ruby/timeout.rb:104:in `timeout'
/var/www/miq/vmdb/app/models/miq_queue.rb:341:in `deliver'
/var/www/miq/vmdb/app/models/miq_queue_worker_base/runner.rb:106:in `deliver_queue_message'
/var/www/miq/vmdb/app/models/miq_queue_worker_base/runner.rb:134:in `deliver_message'
/var/www/miq/vmdb/app/models/miq_queue_worker_base/runner.rb:151:in `block in do_work'
/var/www/miq/vmdb/app/models/miq_queue_worker_base/runner.rb:145:in `loop'
/var/www/miq/vmdb/app/models/miq_queue_worker_base/runner.rb:145:in `do_work'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:334:in `block in do_work_loop'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:331:in `loop'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:331:in `do_work_loop'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:153:in `run'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:128:in `start'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:29:in `start_worker'
/var/www/miq/vmdb/lib/workers/bin/worker.rb:2:in `<top (required)>'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/runner.rb:60:in `load'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/runner.rb:60:in `<top (required)>'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/commands_tasks.rb:123:in `require'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/commands_tasks.rb:123:in `require_command!'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/commands_tasks.rb:90:in `runner'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/commands_tasks.rb:39:in `run_command!'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands.rb:17:in `<top (required)>'
/var/www/miq/vmdb/bin/rails:4:in `require'
/var/www/miq/vmdb/bin/rails:4:in `<main>'
[----] E, [2016-07-04T07:17:19.216015 #15709:499990] ERROR -- : MIQ(ManageIQ::Providers::Openstack::CloudManager::Refresher#refresh) EMS: [prov01], id: [1] Unable to perform refresh for the following targets:
[----] E, [2016-07-04T07:17:19.216150 #15709:499990] ERROR -- : MIQ(ManageIQ::Providers::Openstack::CloudManager::Refresher#refresh)  --- ManageIQ::Providers::Openstack::CloudManager [prov01] id [1]

Comment 13 Marius Cornea 2016-07-08 08:39:37 UTC
In order to get refresh to work I had to:

1. Create a v3 Keystone endpoint:

source overcloudrc
keystone service-create --name keystonev3 --type identityv3 --description "Keystone Identity Service v3"  
keystone endpoint-create --region regionOne --service keystonev3 --publicurl "http://172.16.18.25:5000/v3" --adminurl "http://192.168.0.17:35357/v3" --internalurl "http://10.0.0.10:5000/v3"

2. Assign the admin role to the domain admin for the project it has created:

openstack --os-identity-api-version 3 --os-auth-url http://172.16.18.25:5000/v3 --os-username cloud_admin --os-password password --os-domain-name admin_domain --os-user-domain-name admin_domain role add --project project01 --user adm1 admin

Comment 15 errata-xmlrpc 2016-07-26 15:32:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1488.html

