Bug 1419683 - EC2 credentials create does not work with keystone v3
Summary: EC2 credentials create does not work with keystone v3
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: urgent
Target Milestone: async
Target Release: ---
Assignee: John Dennis
QA Contact: nlevinki
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-02-06 18:19 UTC by Jeremy
Modified: 2020-04-15 15:13 UTC
CC List: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-16 15:56:33 UTC
Target Upstream Version:



Description Jeremy 2017-02-06 18:19:06 UTC
Description of problem:

WORKING, but only with DEFAULT domain user(s):
openstack-config --set /etc/nova/nova.conf DEFAULT keystone_ec2_url http://10.224.9.10:5000/v2.0/ec2tokens

We receive the following logged error when using a domain user:
2017-02-06 08:46:06.839 151201 WARNING keystone.common.wsgi [req-fb1c3e3e-5c35-4534-ab2f-70c39a7e5291 - - - - -] Authorization failed. Non-default domain is not supported (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from 10.224.9.14


NOT WORKING:
openstack-config --set /etc/nova/nova.conf DEFAULT keystone_ec2_url http://10.224.9.10:5000/v3/ec2tokens
openstack-config --set /etc/nova/nova.conf DEFAULT keystone_ec2_url https://aquarius.ssc.lmco.com:13000/v3/ec2tokens'

NO DIFFERENCE, possibly deprecated anyway:
openstack-config --set /etc/keystone/keystone.conf keystone_ec2_token url http://10.224.9.10:5000/v3/ec2tokens

EC2 Endpoints (haproxy configured for appropriate public endpoints):
| a009949a13b54621bf51015b19298dea | regionOne | ec2          | ec2           | True    | public    | https://aquarius.ssc.lmco.com:13773/services/Cloud        |
| b8cb6c761d3946afaaa0a55df3e16443 | regionOne | ec2          | ec2           | True    | admin     | https://10.224.9.10:8773/services/Admin                   |
| e129674b46e34ab0988bbd3e786216fb | regionOne | ec2          | ec2           | True    | internal  | http://10.224.9.10:8773/services/Cloud




Version-Release number of selected component (if applicable):
openstack-keystone-8.0.1-1.el7ost.noarch


How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:
errors above

Expected results:
success

Additional info:

The following works fine as admin (default domain) or tenant (non-default domain) -- I suppose this is expected since this uses keystone v2 API:

openstack ec2 credentials create

If I generate the credentials with a tenant (non-default domain account), they DO NOT work. If I generate these credentials with the admin (default domain) account, they work fine.

The following does NOT work as a user, domain admin, or default admin, since it's using the v3 API, but since this command is actually available, I'd assume this SHOULD be possible:

openstack credential create --type ec2 --project 55ddfc1c92104b64ac6b59585f0cc648 e307033  '{"access": "test001", "secret": "test002"}'

**Error as domain admin:**
openstack credential create --type ec2 --project 55ddfc1c92104b64ac6b59585f0cc648 e307033 '{"access": "test001", "secret": "test002"}'

The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-55f4f6c2-b4b6-4ab3-b2f0-12a72e83a898)

**Error as default admin:**
openstack credential create --type ec2 --project 55ddfc1c92104b64ac6b59585f0cc648 e307033 '{"access": "test001", "secret": "test002"}'

Could not find resource e307033

**Error as user:**
openstack credential create --type ec2 --project 55ddfc1c92104b64ac6b59585f0cc648 e307033 '{"access": "test001", "secret": "test002"}'

You are not authorized to perform the requested action: identity:list_users (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-cebcfd15-c021-4ec0-a5b9-fac8d1fcd82e)

Comment 1 Red Hat Bugzilla Rules Engine 2017-02-06 18:19:14 UTC
This bugzilla has been removed from the release and needs to be reviewed and Triaged for another Target Release.

Comment 9 Jeremy 2017-02-13 16:33:11 UTC
Still no luck. I followed steps as LDAP admin since you mentioned project admin was having problems... Here's the RC file I created to match what was provided:

export OS_USERNAME=ssccldresa
export OS_PROJECT_NAME=
export OS_AUTH_URL=https://aquarius.ssc.lmco.com:13000/v3
export OS_PASSWORD=********
export OS_IDENTITY_API_VERSION=3
export OS_DOMAIN_NAME=AD
export OS_USER_DOMAIN_NAME=AD
export OS_PROJECT_DOMAIN_NAME=AD
export PS1='[ocd05rc_AD_Admin - \u@\h \W]$ '
export OS_REGION_NAME=regionOne
export OS_AUTH_TYPE=


Here are similar requests, and the failed outcome (with v3 and v2.0 URIs defined in nova.conf). I attempted to scope the creds to a USER and to a PROJECT, but neither worked as you demonstrated. It did, however, work using domain NAMES rather than IDs:

[ocd05rc_AD_Admin - stack@ospd05 ~]$ openstack domain list
+----------------------------------+------------+---------+----------------------------------------------------------------------+
| ID                               | Name       | Enabled | Description                                                          |
+----------------------------------+------------+---------+----------------------------------------------------------------------+
| 1bcb88d84628456a9b1fd31c268f1089 | heat_stack | True    |                                                                      |
| c66d9f14c53c41128bfce37d1f2711e1 | AD         | True    |                                                                      |
| default                          | Default    | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
+----------------------------------+------------+---------+----------------------------------------------------------------------+
[ocd05rc_AD_Admin - stack@ospd05 ~]$ openstack user list --domain c66d9f14c53c41128bfce37d1f2711e1 | grep 'e307033'
| 1b52728e1719a87d84b4d3f84ec77e20204c347d371dcc5a2f2298bd009fd4e0 | e307033      |
[ocd05rc_AD_Admin - stack@ospd05 ~]$ openstack project list | grep ocd05-AD-Test
| 55ddfc1c92104b64ac6b59585f0cc648 | ocd05-AD-Test                                                    |


[ocd05rc_AD_Admin - stack@ospd05 ~]$ openstack ec2 credentials create --project ocd05-AD-Test --project-domain c66d9f14c5ce37d1f2711e1 --user-domain c66d9f14c53c41128bfce37d1f2711e1 --user 1b52728e1719a87d84b4d3f84ec77e20204c347d371dcc5a2f2298bd009fd4e0
No user with a name or ID of '1b52728e1719a87d84b4d3f84ec77e20204c347d371dcc5a2f2298bd009fd4e0' exists.


[ocd05rc_AD_Admin - stack@ospd05 ~]$ openstack ec2 credentials create --project ocd05-AD-Test --project-domain c66d9f14c5ce37d1f2711e1
No domain with a name or ID of 'c66d9f14c5ce37d1f2711e1' exists.
[ocd05rc_AD_Admin - stack@ospd05 ~]$

[ocd05rc_AD_Admin - stack@ospd05 ~]$ openstack ec2 credentials create --project ocd05-AD-Test --project-domain AD
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                           |
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| access     | a050fc339a514bd8ab6c77928c740ad2                                                                                                                                                |
| links      | {u'self': u'https://aquarius.ssc.lmco.com:13000/v3/users/302475c5533cc99006a13dbf14880a1e367eeeb9ac3724133f8acc32c04b0126/credentials/OS-EC2/a050fc339a514bd8ab6c77928c740ad2'} |
| project_id | 55ddfc1c92104b64ac6b59585f0cc648                                                                                                                                                |
| secret     | ee96097e63e34d20b7bce710904d529c                                                                                                                                                |
| trust_id   | None                                                                                                                                                                            |
| user_id    | 302475c5533cc99006a13dbf14880a1e367eeeb9ac3724133f8acc32c04b0126                                                                                                                |
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+


[ocd05rc_v3 - cloud-user@autoglance-ans-fpo7q7yucqnq ~]$ aws --endpoint-url https://aquarius.ssc.lmco.com:13773/services/Cloud/ ec2 describe-instances

An error occurred (AuthFailure) when calling the DescribeInstances operation: Failure parsing response from keystone: 'access'
[ocd05rc_v3 - cloud-user@autoglance-ans-fpo7q7yucqnq ~]$ aws --endpoint-url https://aquarius.ssc.lmco.com:13773/services/Cloud/ ec2 describe-instances

An error occurred (AuthFailure) when calling the DescribeInstances operation: Unauthorized


###uploading associated keystone logs
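The two failures above (the v2.0 `ec2tokens` endpoint rejecting a non-default domain, and the v3 endpoint producing "Failure parsing response from keystone: 'access'") come from the same fact: keystone's v2.0 `ec2tokens` reply wraps the token, tenant and user under a top-level `access` key, while the v3 reply puts them under `token` and returns the token id in the `X-Subject-Token` response header. A consumer written for the v2.0 shape indexes `data["access"]` and gets a KeyError on a v3 body. The following is an added example, not nova's or keystone's own code: a parser that accepts both envelopes, extracts user and project domains from the v3 form, and reports a precise reason on a mismatch, next to a deliberately v2.0-only parser that reproduces the reported message. The sample responses, ids and the consumer structure are constructed for illustration.

```python
import json

# Added example (not nova's or keystone's own code): normalize the two
# response envelopes keystone's ec2tokens endpoint can return, so an
# EC2-compatible front end fails with a precise reason instead of a bare
# KeyError such as "Failure parsing response from keystone: 'access'".


class Ec2TokenParseError(ValueError):
    """Raised when an ec2tokens response cannot be turned into an identity."""


def _get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in (headers or {}).items():
        if key.lower() == name.lower():
            return value
    return None


def legacy_v2_only_parse(body):
    """Mimic a consumer that only understands the v2.0 'access' envelope.

    Feeding it a v3 body reproduces the KeyError text seen in the report.
    """
    try:
        data = json.loads(body)
        return {
            "token_id": data["access"]["token"]["id"],
            "user_id": data["access"]["user"]["id"],
            "project_id": data["access"]["token"]["tenant"]["id"],
            "roles": [r["name"] for r in data["access"]["user"]["roles"]],
        }
    except (KeyError, TypeError, ValueError) as exc:
        raise Ec2TokenParseError("Failure parsing response from keystone: %s" % exc)


def parse_ec2tokens_response(body, headers=None):
    """Return version, token id, user/project ids, their domain ids and role names.

    v2.0 (POST /v2.0/ec2tokens): everything sits under data["access"], the token
    id is in the body, and the user can only belong to the default domain.
    v3 (POST /v3/ec2tokens): the body is data["token"], the token id travels in
    the X-Subject-Token response header, and user and project carry a domain.
    """
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise Ec2TokenParseError("response body is not JSON: %s" % exc)
    if not isinstance(data, dict):
        raise Ec2TokenParseError("response body is not a JSON object")

    if "access" in data:
        access = data["access"]
        try:
            return {
                "version": "v2.0",
                "token_id": access["token"]["id"],
                "user_id": access["user"]["id"],
                "project_id": access["token"]["tenant"]["id"],
                "user_domain_id": "default",   # v2.0 only exposes the default domain
                "project_domain_id": "default",
                "roles": sorted(r["name"] for r in access["user"]["roles"]),
            }
        except (KeyError, TypeError) as exc:
            raise Ec2TokenParseError("malformed v2.0 envelope, missing %s" % exc)

    if "token" in data:
        token = data["token"]
        token_id = _get_header(headers, "X-Subject-Token")
        if not token_id:
            raise Ec2TokenParseError("v3 response carries no X-Subject-Token header")
        if not isinstance(token, dict) or "project" not in token:
            raise Ec2TokenParseError("v3 token is not project-scoped; EC2 access needs a project")
        try:
            return {
                "version": "v3",
                "token_id": token_id,
                "user_id": token["user"]["id"],
                "project_id": token["project"]["id"],
                "user_domain_id": token["user"]["domain"]["id"],
                "project_domain_id": token["project"]["domain"]["id"],
                "roles": sorted(r["name"] for r in token.get("roles", [])),
            }
        except (KeyError, TypeError) as exc:
            raise Ec2TokenParseError("malformed v3 envelope, missing %s" % exc)

    raise Ec2TokenParseError("unrecognized envelope; top-level keys: %s" % sorted(data))


# Constructed sample responses; the ids are made up, not from any real deployment.
V2_BODY = json.dumps({"access": {
    "token": {"id": "tok-v2-0001", "expires": "2017-02-06T19:19:06Z",
              "tenant": {"id": "proj-default-0001", "name": "admin"}},
    "user": {"id": "user-default-0001", "name": "admin",
             "roles": [{"name": "admin"}, {"name": "_member_"}]},
    "serviceCatalog": []}})

V3_BODY = json.dumps({"token": {
    "user": {"id": "user-ad-0001", "name": "e307033",
             "domain": {"id": "dom-ad-0001", "name": "AD"}},
    "project": {"id": "proj-ad-0001", "name": "ocd05-AD-Test",
                "domain": {"id": "dom-ad-0001", "name": "AD"}},
    "roles": [{"id": "r1", "name": "_member_"}],
    "expires_at": "2017-02-13T17:33:11.000000Z"}})
V3_HEADERS = {"x-subject-token": "tok-v3-0001"}


if __name__ == "__main__":
    print(parse_ec2tokens_response(V2_BODY))
    print(parse_ec2tokens_response(V3_BODY, V3_HEADERS))
    try:
        legacy_v2_only_parse(V3_BODY)
    except Ec2TokenParseError as exc:
        print("legacy parser on v3 body:", exc)
```

Running the script shows the v3 body yielding the AD domain ids for both user and project, while the v2.0-only parser on the same body fails with exactly the `'access'` message from the `aws ec2 describe-instances` attempt. For an operator, the useful check is the distinct error paths: a missing `X-Subject-Token` or an unscoped token points at the keystone side, whereas a bare KeyError on `access` points at a consumer that was never taught the v3 envelope.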

