Description of problem:
In my case, I have two domains in OpenStack (default & CEE) and the user "admin" has admin role access to both domains/tenants. But when I integrate OpenStack with CFME I am unable to see the list of instances belonging to the domain "CEE" & its tenants, whereas in OpenStack I can see all instances belonging to domain cee using the admin login.

Version-Release number of selected component (if applicable):
4.2

How reproducible:

Steps to Reproduce:
1. Create an additional domain in OpenStack named "cee"
2. Give "admin" role access to user "admin" for both domains (default/CEE) and their tenants
3. In CFME add a cloud provider using these details: API Version: keystone v3, keystone V3 Domain ID: default, zone: XYZ, tenant mapping enabled: Yes, hostname: XYZ, API port: 13000, Protocol: SSL, username: admin, password: XYZ
4. After adding the cloud provider, verify the summary page.

Actual results:
I only see the list of instances belonging to the admin tenant of the default domain.

Expected results:
Instances must be listed from both domains, as user admin has access to both.

Additional info:
In addition, below is the output from my OpenStack environment.

[stack@director ~]$ openstack domain list
+----------------------------------+------------+---------+-------------------------------------------+
| ID                               | Name       | Enabled | Description                               |
+----------------------------------+------------+---------+-------------------------------------------+
| 8de524c9139140428170f2ccbe957f21 | heat_stack | True    |                                           |
| a7b123820e054989ac2beebf35194ed6 | cfme       | True    | test Domain created for cfme integration  |
| c4e4f06c1c154413b807b5a51c1a491c | cee        | True    |                                           |
| default                          | Default    | True    | The default domain                        |
+----------------------------------+------------+---------+-------------------------------------------+
[stack@director ~]$
[stack@director ~]$ openstack role list --user admin --domain cee
+----------------------------------+-------+--------+-------+
| ID                               | Name  | Domain | User  |
+----------------------------------+-------+--------+-------+
| df17f05804a14332aa1e0829be5e5664 | admin | cee    | admin |
+----------------------------------+-------+--------+-------+
[stack@director ~]$ openstack role list --user admin --domain default
+----------------------------------+-------+---------+-------+
| ID                               | Name  | Domain  | User  |
+----------------------------------+-------+---------+-------+
| df17f05804a14332aa1e0829be5e5664 | admin | Default | admin |
+----------------------------------+-------+---------+-------+
[stack@director ~]$
[stack@director ~]$ openstack project list
+----------------------------------+------------------------------------------------------------------+
| ID                               | Name                                                             |
+----------------------------------+------------------------------------------------------------------+
| 0bd3438ff3e646ed8d486da4c99872c5 | vagga1                                                           |
| 51091e15552540e99067171865f0f4d8 | admin                                                            |
| 57f93ec62e06489785c2ce46f07391e8 | 98a293f3df6c4778acb0f29e14286686-5a4f4c9d-d027-41be-879b-d79f48b |
| 68a2dd0e035143b1a7e3a0c39a082e2c | service                                                          |
| 98a293f3df6c4778acb0f29e14286686 | cee-shared-space                                                 |
| b8db290a502e4edeaa8811c8636daf5b | vagrawal                                                         |
| dad7b6c374e04998a1d84ed115e3df44 | cfme                                                             |
| e3fdef803529498dadc5aefa8816368a | test                                                             |
| fb982cfd1aa24d78801c3aec5750ea45 | 98a293f3df6c4778acb0f29e14286686-ad74376d-ff2a-4369-87e0-192b220 |
+----------------------------------+------------------------------------------------------------------+
[stack@director ~]$
Hi Deepak. The current BZ description describes expected behaviour. If you want to see inventory from another domain, you need to create another cloud provider with the given domain id. But what I remember from debugging is the following issue: even if you granted the admin user an admin role on the cee domain (which was mapped to LDAP), it was not possible to authenticate with the admin user for the cee domain. So it looked like a "normal" admin user cannot act as an admin of an LDAP-mapped domain (cee). Do you think this description is correct, or was there a different issue?
Adding a new cloud provider is understood for a separate domain. Your description is correct.
Deepak, ok, thanks. I submitted a BZ for the OpenStack Keystone team since this is not a bug in CloudForms. Please comment on https://bugzilla.redhat.com/show_bug.cgi?id=1457742 if you can add any details.
Thanks, Marek. The information provided by you on BZ1457742 looks sufficient. I will be happy to provide more clarification if needed.
Can you confirm that the OS_PROJECT_DOMAIN_NAME is set to the "cee" domain?
Yes, it's already there, please see below.

[stack@director ~]$ cat overcloudrc_v3
export OS_NO_CACHE=True
export OS_CLOUDNAME=overcloud
export OS_AUTH_URL=http://XX.XX.XX.XX:5000/v3/
export NOVA_VERSION=1.1
export COMPUTE_API_VERSION=1.1
export OS_USERNAME=admin
export no_proxy=,xxx.redhat.com,192.0.2.22
export OS_PASSWORD=xxxxxxxxxx
export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available"
export OS_TENANT_NAME=admin
####Added for KeystoneV3
export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
[stack@director ~]$
Deepak, right, so the credentials being used are for the Default domain (which is not the extra 'cee' domain). So the token you're requesting is scoped to the Default domain and the admin project/tenant. You need to scope the token (by setting OS_TENANT_NAME or OS_PROJECT_NAME, and setting OS_PROJECT_DOMAIN_NAME) to the correct domain/project.
Hi Deepak, just to give more information: based on Juan's comment above, it looks like you made the proper assignments, but based on your environment variables, you're requesting a token for the default project/domain. You should update those variables as Juan mentioned previously. Besides that, you should be aware if you're not requesting a domain-scoped token to perform project actions, or vice versa.
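The scoping point made in the two comments above, shown as an added example that is not from this thread, from CloudForms or from Keystone: a small Python script that reads the OS_* variables of an rc file and builds the Keystone v3 token request body they imply, so the domain and project a token would be scoped to is visible before the CLI or a CFME provider is pointed at the cloud. The rc text is a constructed copy of the scope-related lines quoted above, and the precedence rules (OS_PROJECT_NAME over OS_TENANT_NAME, 'Default' when a domain name is unset) are assumptions noted in the code.

```python
import shlex

# Constructed copy of the scope-related lines of the overcloudrc_v3 quoted in this thread (password masked there).
RC_FROM_THREAD = """
export OS_USERNAME=admin
export OS_PASSWORD=xxxxxxxxxx
export OS_TENANT_NAME=admin
export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
"""

def parse_rc(text):
    """Turn 'export KEY=VALUE' lines into a dict, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        env[key.strip()] = " ".join(shlex.split(value))
    return env

def v3_auth_body(env):
    """Build the POST /v3/auth/tokens body that these OS_* variables imply.
    Assumption: OS_PROJECT_NAME wins over the legacy OS_TENANT_NAME (as in the
    CLI), and an unset *_DOMAIN_NAME falls back to 'Default'."""
    user = {"name": env["OS_USERNAME"], "password": env["OS_PASSWORD"],
            "domain": {"name": env.get("OS_USER_DOMAIN_NAME", "Default")}}
    body = {"auth": {"identity": {"methods": ["password"], "password": {"user": user}}}}
    project = env.get("OS_PROJECT_NAME") or env.get("OS_TENANT_NAME")
    domain = env.get("OS_DOMAIN_NAME")
    if project and domain:
        raise ValueError("a token is either project-scoped or domain-scoped, never both")
    if project:  # project-scoped: Keystone looks the project up inside OS_PROJECT_DOMAIN_NAME
        body["auth"]["scope"] = {"project": {"name": project,
                                 "domain": {"name": env.get("OS_PROJECT_DOMAIN_NAME", "Default")}}}
    elif domain:  # domain-scoped: what domain-level (user/role) operations need
        body["auth"]["scope"] = {"domain": {"name": domain}}
    return body

def describe_scope(body):
    scope = body["auth"].get("scope", {})
    if "project" in scope:
        p = scope["project"]
        return "project %s in domain %s" % (p["name"], p["domain"]["name"])
    return "domain %s" % scope["domain"]["name"] if scope else "unscoped"
```

With the rc file as quoted, the request is scoped to project admin in domain Default; adding OS_PROJECT_NAME=cee-shared-space and OS_PROJECT_DOMAIN_NAME=cee moves the scope into the cee domain.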
Hello Team, sorry for the delayed update on the thread. We are under an outage for the OSP environment, so I am unable to test the suggested option. Once we finish with the outage I will do the needful checks. -Deepak
Hello Juan/Raildo, sorry for the delay on the update. As per your suggestion, I have tried to set up OS_PROJECT_NAME=cee-shared-space and OS_PROJECT_DOMAIN_NAME=cee, but no luck. -Deepak
Please assess the impact of this issue and update the severity accordingly. Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition. If it's something like a tracker bug where it doesn't matter, please set it to Low/Low.
This issue should be resolved by the change of parameters used while getting the Keystone auth token as part of https://bugzilla.redhat.com/show_bug.cgi?id=1469860. The change https://github.com/ManageIQ/manageiq-providers-openstack/pull/64 was marked as euwe/yes (backport to 5.7).

*** This bug has been marked as a duplicate of bug 1469860 ***
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days