1329635 – [RFE] Keystone domains support

Bug 1329635 - [RFE] Keystone domains support

Summary: [RFE] Keystone domains support

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat CloudForms Management Engine
Classification:	Red Hat
Component:	Providers
Sub Component:
Version:	5.4.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	GA
Target Release:	5.5.5
Assignee:	Ladislav Smola
QA Contact:	Ola Pavlenko
Docs Contact:
URL:
Whiteboard:	openstack
Depends On:	1228542 1244937
Blocks:	1247289
TreeView+	depends on / blocked

Reported:	2016-04-22 12:26 UTC by Chris Pelland
Modified:	2020-03-11 15:06 UTC (History)
CC List:	15 users (show)
Fixed In Version:	5.5.5.0
Doc Type:	Enhancement
Doc Text:	OpenStack Keystone API v3 supports domains as a high level container for projects. There was need for CloudForms to support this new feature, starting with a new "Domain" field in the OpenStack provider configuration in the GUI, and modifying all the methods related to OpenStack to login with the domain + user + password combination and the Keystone v3 endpoint. With this release, domain field is now enabled. User added to ManageIQ should be an admin of the domain to be able to list projects inside.
Clone Of:	1228542
Environment:
Last Closed:	2016-07-26 15:32:41 UTC
Category:	---
Cloudforms Team:	---
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	2604351	0	None	None	None	2016-09-06 16:26:09 UTC
Red Hat Product Errata	RHBA-2016:1488	0	normal	SHIPPED_LIVE	CFME 5.5.5 bug fixes and enhancement update	2016-07-26 19:28:27 UTC

Comment 1 Ladislav Smola 2016-04-22 14:30:25 UTC

https://bugzilla.redhat.com/show_bug.cgi?id=1329635

Comment 2 CFME Bot 2016-04-22 18:04:00 UTC

New commit detected on cfme/5.5.z:
https://code.engineering.redhat.com/gerrit/gitweb?p=cfme.git;a=commitdiff;h=ccc2a69c440cb7ef7b6df5ae85a457b9ba37565c

commit ccc2a69c440cb7ef7b6df5ae85a457b9ba37565c
Merge: c709cf5 4e13d10
Author:     Greg Blomquist <gblomqui>
AuthorDate: Fri Apr 22 13:38:42 2016 -0400
Commit:     Greg Blomquist <gblomqui>
CommitDate: Fri Apr 22 13:38:42 2016 -0400

    Merge branch 'bz1228542' into '5.5.z'
    
    Bz1228542
    
    OpenStack make Keystone V3 domain ID configurable
    
    OpenStack make Keystone V3 domain ID configurable
    
    Upstream PR:
    https://github.com/ManageIQ/manageiq/pull/8177
    
    Fixes BZ:
    https://bugzilla.redhat.com/show_bug.cgi?id=1329635
    
    Conflicts:
            app/assets/javascripts/controllers/ems_common/ems_common_form_controller.js
            app/controllers/mixins/ems_common_angular.rb
            gems/pending/openstack/openstack_handle/identity_delegate.rb
    
    Plus manually fixing specs and VCR for keystone v3
    
    See merge request !907

 .../ems_common/ems_common_form_controller.js       |   5 +-
 app/controllers/ems_cloud_controller.rb            |  48 ++-
 app/helpers/ems_cloud_helper/textual_summary.rb    |   8 +-
 .../manageiq/providers/openstack/manager_mixin.rb  |   2 +
 .../views/ems_common/angular/_form.html.haml       |  11 +
 gems/pending/openstack/openstack_handle/handle.rb  |  10 +-
 .../openstack_handle/identity_delegate.rb          |   4 +-
 .../spec/openstack/openstack_handle/handle_spec.rb |  10 +-
 .../openstack/cloud_manager/refresh_spec_common.rb |   2 +-
 .../cloud_manager/refresh_spec_helpers.rb          |  13 +-
 .../refresher_rhos_kilo_keystone_v3_spec.rb        |   2 +-
 .../refresher_rhos_kilo_keystone_v3.yml            | 386 ++++++++++-----------
 12 files changed, 271 insertions(+), 230 deletions(-)

Comment 3 Ladislav Smola 2016-04-25 08:07:36 UTC

https://gitlab.cloudforms.lab.eng.rdu2.redhat.com/cloudforms/cfme/merge_requests/907

Comment 5 Marius Cornea 2016-05-26 18:17:20 UTC

I'm setting an overcloud based on the docs @ https://www.rdoproject.org/documentation/domains/

Authentication validation works but refresh fails with the following error:

[----] E, [2016-05-26T14:07:34.413995 #3323:ebd994] ERROR -- : <Fog> excon.error     #<Excon::Errors::NotFound: Expected([200]) <=> Actual(404 Not Found)
excon.error.response
  :body          => "{\"error\": {\"message\": \"The resource could not be found.\", \"code\": 404, \"title\": \"Not Found\"}}"
  :cookies       => [
  ]
  :headers       => {
    "Content-Length"         => "93"
    "Content-Type"           => "application/json"
    "Date"                   => "Thu, 26 May 2016 18:07:34 GMT"
    "Vary"                   => "X-Auth-Token"
    "X-Openstack-Request-Id" => "req-7f28ceb6-d84d-483d-8877-98c015354a5d"
  }
  :host          => "172.16.18.25"
  :local_address => "172.16.17.135"
  :local_port    => 48426
  :path          => "/v2.0/projects"
  :port          => 5000
  :reason_phrase => "Not Found"
  :remote_ip     => "172.16.18.25"
  :status        => 404
  :status_line   => "HTTP/1.1 404 Not Found\r\n"
>


These are the overcloud keystone endpoints:

| keystone   | identity      | regionOne                               |
|            |               |   admin: http://192.168.0.15:35357/v2.0 |
|            |               | regionOne                               |
|            |               |   internal: http://10.0.0.11:5000/v2.0  |
|            |               | regionOne                               |
|            |               |   public: http://172.16.18.25:5000/v2.0 |
|            |               |                                         |
| keystonev3 | identityv3    | regionOne                               |
|            |               |   public: http://172.16.18.25:5000/v3   |
|            |               | regionOne                               |
|            |               |   admin: http://192.168.0.15:35357/v3   |
|            |               | regionOne                               |
|            |               |   internal: http://10.0.0.11:5000/v3    |
=======================================================================

Comment 6 Ladislav Smola 2016-05-27 07:27:34 UTC

I see that our tests have only one keystone endpoint in the catalog:

Service: identity
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminURL  |   http://10.8.99.245:35357/v3    |
|      id     | 1e17993dcd3247c9ad6788571d378ff1 |
| internalURL |    http://10.8.99.245:5000/v3    |
|  publicURL  |    http://10.8.99.245:5000/v3    |
|    region   |            RegionOne             |
+-------------+----------------------------------+

Seems like in your case fog-openstack gets confused and calls 
/v2.0/projects, instead of /v3/projects

Can you try to put there only one endpoint?

Comment 8 Udi Kalifon 2016-05-31 18:47:09 UTC

In bug https://bugzilla.redhat.com/show_bug.cgi?id=1228542 I tried it with one endpoint (I deleted the v2 endpoints) and it still didn't work.

Comment 9 Ladislav Smola 2016-06-13 07:45:16 UTC

Udi please check with mcornea, we were able to test this. The additional BZs identified are https://bugzilla.redhat.com/show_bug.cgi?id=1341550 and https://bugzilla.redhat.com/show_bug.cgi?id=1340874

Please let me know if you identify more problems, turning this back to post.

Marius, can you also fill the BZ for the fog-openstack, when there are both keystone and keystonev3 endpoints present, as commented in comment #5?

Comment 10 Udi Kalifon 2016-06-14 13:47:33 UTC

I tried together with mcornea, and it seems like there is a real problem. See comment #13 in https://bugzilla.redhat.com/show_bug.cgi?id=1228542.

Comment 12 Marius Cornea 2016-07-04 11:20:53 UTC

Tested on 5.5.5.0.20160628144838_629f93b, using the steps provided starting https://bugzilla.redhat.com/show_bug.cgi?id=1228542#c13

Credentials validation works but refresh fails with:

[----] E, [2016-07-04T07:17:19.215460 #15709:499990] ERROR -- : <Fog> excon.error     #<Excon::Error::NotFound: Expected([200]) <=> Actual(404 Not Found)
excon.error.response
  :body          => "{\"error\": {\"message\": \"The resource could not be found.\", \"code\": 404, \"title\": \"Not Found\"}}"
  :cookies       => [
  ]
  :headers       => {
    "Content-Length"         => "93"
    "Content-Type"           => "application/json"
    "Date"                   => "Mon, 04 Jul 2016 11:17:19 GMT"
    "Server"                 => "Apache/2.4.6 (Red Hat Enterprise Linux)"
    "Vary"                   => "X-Auth-Token"
    "x-openstack-request-id" => "req-2859320a-b3e4-4b7f-ac0b-f96de096b983"
  }
  :host          => "172.16.18.25"
  :local_address => "172.16.17.137"
  :local_port    => 52346
  :path          => "/v2.0/projects"
  :port          => 5000
  :reason_phrase => "Not Found"
  :remote_ip     => "172.16.18.25"
  :status        => 404
  :status_line   => "HTTP/1.1 404 Not Found\r\n"
>

[----] E, [2016-07-04T07:17:19.215708 #15709:499990] ERROR -- : MIQ(ManageIQ::Providers::Openstack::CloudManager::Refresher#refresh) EMS: [prov01], id: [1] Refresh failed
[----] E, [2016-07-04T07:17:19.215867 #15709:499990] ERROR -- : [Fog::Identity::OpenStack::NotFound]: Expected([200]) <=> Actual(404 Not Found)
excon.error.response
  :body          => "{\"error\": {\"message\": \"The resource could not be found.\", \"code\": 404, \"title\": \"Not Found\"}}"
  :cookies       => [
  ]
  :headers       => {
    "Content-Length"         => "93"
    "Content-Type"           => "application/json"
    "Date"                   => "Mon, 04 Jul 2016 11:17:19 GMT"
    "Server"                 => "Apache/2.4.6 (Red Hat Enterprise Linux)"
    "Vary"                   => "X-Auth-Token"
    "x-openstack-request-id" => "req-2859320a-b3e4-4b7f-ac0b-f96de096b983"
  }
  :host          => "172.16.18.25"
  :local_address => "172.16.17.137"
  :local_port    => 52346
  :path          => "/v2.0/projects"
  :port          => 5000
  :reason_phrase => "Not Found"
  :remote_ip     => "172.16.18.25"
  :status        => 404
  :status_line   => "HTTP/1.1 404 Not Found\r\n"
  Method:[rescue in block in refresh]
[----] E, [2016-07-04T07:17:19.215934 #15709:499990] ERROR -- : /opt/rh/cfme-gemset/gems/excon-0.50.1/lib/excon/middlewares/expects.rb:6:in `response_call'
/opt/rh/cfme-gemset/gems/excon-0.50.1/lib/excon/middlewares/response_parser.rb:8:in `response_call'
/opt/rh/cfme-gemset/gems/excon-0.50.1/lib/excon/connection.rb:389:in `response'
/opt/rh/cfme-gemset/gems/excon-0.50.1/lib/excon/connection.rb:253:in `request'
/opt/rh/cfme-gemset/gems/fog-core-1.40.0/lib/fog/core/connection.rb:81:in `request'
/opt/rh/cfme-gemset/bundler/gems/fog-f354c8a42dbc/lib/fog/openstack/identity.rb:32:in `request'
/opt/rh/cfme-gemset/bundler/gems/fog-f354c8a42dbc/lib/fog/openstack/requests/identity_v3/list_projects.rb:14:in `list_projects'
/opt/rh/cfme-gemset/bundler/gems/fog-f354c8a42dbc/lib/fog/openstack/models/identity_v3/projects.rb:12:in `all'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/identity_delegate.rb:28:in `visible_tenants_v3'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/identity_delegate.rb:19:in `visible_tenants'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/handle.rb:267:in `tenants'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/handle.rb:275:in `accessible_tenants'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/handle.rb:290:in `accessible_tenant_names'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/handle.rb:294:in `default_tenant_name'
/var/www/miq/vmdb/gems/pending/openstack/openstack_handle/handle.rb:149:in `connect'
/var/www/miq/vmdb/app/models/manageiq/providers/openstack/manager_mixin.rb:55:in `connect'
/var/www/miq/vmdb/app/models/manageiq/providers/openstack/cloud_manager/refresh_parser.rb:18:in `initialize'
/var/www/miq/vmdb/app/models/manageiq/providers/openstack/cloud_manager/refresh_parser.rb:13:in `new'
/var/www/miq/vmdb/app/models/manageiq/providers/openstack/cloud_manager/refresh_parser.rb:13:in `ems_inv_to_hashes'
/var/www/miq/vmdb/app/models/manageiq/providers/openstack/cloud_manager/refresher.rb:6:in `parse_inventory'
/var/www/miq/vmdb/app/models/ems_refresh/refreshers/ems_refresher_mixin.rb:19:in `block in refresh'
/var/www/miq/vmdb/app/models/ems_refresh/refreshers/ems_refresher_mixin.rb:7:in `each'
/var/www/miq/vmdb/app/models/ems_refresh/refreshers/ems_refresher_mixin.rb:7:in `refresh'
/var/www/miq/vmdb/app/models/manageiq/providers/base_manager/refresher.rb:10:in `refresh'
/var/www/miq/vmdb/app/models/ems_refresh.rb:77:in `block in refresh'
/var/www/miq/vmdb/app/models/ems_refresh.rb:76:in `each'
/var/www/miq/vmdb/app/models/ems_refresh.rb:76:in `refresh'
/var/www/miq/vmdb/app/models/miq_queue.rb:345:in `block in deliver'
/opt/rh/rh-ruby22/root/usr/share/ruby/timeout.rb:89:in `block in timeout'
/opt/rh/rh-ruby22/root/usr/share/ruby/timeout.rb:34:in `block in catch'
/opt/rh/rh-ruby22/root/usr/share/ruby/timeout.rb:34:in `catch'
/opt/rh/rh-ruby22/root/usr/share/ruby/timeout.rb:34:in `catch'
/opt/rh/rh-ruby22/root/usr/share/ruby/timeout.rb:104:in `timeout'
/var/www/miq/vmdb/app/models/miq_queue.rb:341:in `deliver'
/var/www/miq/vmdb/app/models/miq_queue_worker_base/runner.rb:106:in `deliver_queue_message'
/var/www/miq/vmdb/app/models/miq_queue_worker_base/runner.rb:134:in `deliver_message'
/var/www/miq/vmdb/app/models/miq_queue_worker_base/runner.rb:151:in `block in do_work'
/var/www/miq/vmdb/app/models/miq_queue_worker_base/runner.rb:145:in `loop'
/var/www/miq/vmdb/app/models/miq_queue_worker_base/runner.rb:145:in `do_work'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:334:in `block in do_work_loop'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:331:in `loop'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:331:in `do_work_loop'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:153:in `run'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:128:in `start'
/var/www/miq/vmdb/app/models/miq_worker/runner.rb:29:in `start_worker'
/var/www/miq/vmdb/lib/workers/bin/worker.rb:2:in `<top (required)>'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/runner.rb:60:in `load'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/runner.rb:60:in `<top (required)>'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/commands_tasks.rb:123:in `require'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/commands_tasks.rb:123:in `require_command!'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/commands_tasks.rb:90:in `runner'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands/commands_tasks.rb:39:in `run_command!'
/opt/rh/cfme-gemset/gems/railties-4.2.6/lib/rails/commands.rb:17:in `<top (required)>'
/var/www/miq/vmdb/bin/rails:4:in `require'
/var/www/miq/vmdb/bin/rails:4:in `<main>'
[----] E, [2016-07-04T07:17:19.216015 #15709:499990] ERROR -- : MIQ(ManageIQ::Providers::Openstack::CloudManager::Refresher#refresh) EMS: [prov01], id: [1] Unable to perform refresh for the following targets:
[----] E, [2016-07-04T07:17:19.216150 #15709:499990] ERROR -- : MIQ(ManageIQ::Providers::Openstack::CloudManager::Refresher#refresh)  --- ManageIQ::Providers::Openstack::CloudManager [prov01] id [1]

Comment 13 Marius Cornea 2016-07-08 08:39:37 UTC

In order to get refresh to work I had to:

1. Create a v3 Keystone endpoint:

source overcloudrc
keystone service-create --name keystonev3 --type identityv3 --description "Keystone Identity Service v3"  
keystone endpoint-create --region regionOne --service keystonev3 --publicurl "http://172.16.18.25:5000/v3" --adminurl "http://192.168.0.17:35357/v3" --internalurl "http://10.0.0.10:5000/v3"

2. Assign the admin role to the domain admin for the project it has created:

openstack --os-identity-api-version 3 --os-auth-url http://172.16.18.25:5000/v3 --os-username cloud_admin --os-password password --os-domain-name admin_domain --os-user-domain-name admin_domain role add --project project01 --user adm1 admin

Comment 15 errata-xmlrpc 2016-07-26 15:32:41 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1488.html

Note You need to log in before you can comment on or make changes to this bug.