Bug 1469293 - OSP: admin user can't access projects in different domains
Status: CLOSED NOTABUG
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Providers
5.8.0
Unspecified Unspecified
medium Severity urgent
: GA
: cfme-future
Assigned To: Marek Aufart
Ola Pavlenko
openstack
:
Depends On:
Blocks:
Reported: 2017-07-10 17:36 EDT by Jeff Warnica
Modified: 2017-09-22 06:49 EDT

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-22 06:49:58 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: Openstack


Description Jeff Warnica 2017-07-10 17:36:09 EDT
When configuring an OSP provider with keystone v3, with a properly configured "admin" user in the "Default" domain, it fails to refresh content from other domains.

This is case 3 of https://github.com/ManageIQ/manageiq/issues/13236
 

Putting fog.log into DEBUG, some examples:

FAILURE EXAMPLE 1:

[----] D, [2017-07-10T17:03:47.953859 #19855:84b138] DEBUG -- : excon.request   
{:uri=>"https://10.75.15.138:13000/v3/auth/tokens",
 :method=>"POST",
 :headers=>
  {"User-Agent"=>"fog-core/1.44.3",
   "Content-Type"=>"application/json",
   "Host"=>"10.75.15.138:13000"},
 :body=>
  "{\"auth\":{\"identity\":{\"methods\":[\"password\"],\"password\":{\"user\":{\"password\":\"********\"},\"name\":\"cfadmin\"}}},\"scope\":{\"project\":{\"name\":\"Spirent_NFV\",\"domain\":{\"id\":\"Default\"}}}}}"}

[----] E, [2017-07-10T17:03:48.002882 #19855:84b138] ERROR -- : excon.error     #<Excon::Error::Unauthorized: Expected([201]) <=> Actual(401 Unauthorized)
excon.error.

FAILURE EXAMPLE 2:
[----] D, [2017-07-10T17:03:49.073050 #19855:84b138] DEBUG -- : excon.request   
{:uri=>"https://10.75.15.138:13000/v3/auth/tokens",
 :method=>"POST",
 :headers=>
  {"User-Agent"=>"fog-core/1.44.3",
   "Content-Type"=>"application/json",
   "Host"=>"10.75.15.138:13000"},
 :body=>
  "{\"auth\":{\"identity\":{\"methods\":[\"password\"],\"password\":{\"user\":{\"password\":\"********\"},\"name\":\"cfadmin\"}}},\"scope\":{\"project\":{\"name\":\"VDSI_VNF_ONBOARDING_TESTING\",\"domain\":{\"id\":\"Default\"}}}}}"}

[----] E, [2017-07-10T17:03:49.112364 #19855:84b138] ERROR -- : excon.error     #<Excon::Error::Unauthorized: Expected([201]) <=> Actual(401 Unauthorized)
excon.error.response
  :body          => "{\"error\": {\"message\": \"The request you have made requires authentication.\", \"code\": 401, \"title\": \"Unauthorized\"}}"
  :cookies       => [
  ]
  :headers       => {


SUCCESS EXAMPLE 1:


[----] D, [2017-07-10T17:03:49.119872 #19855:84b138] DEBUG -- : excon.request   
{:uri=>"https://10.75.15.138:13000/v3/auth/tokens",
 :method=>"POST",
 :headers=>
  {"User-Agent"=>"fog-core/1.44.3",
   "Content-Type"=>"application/json",
   "Host"=>"10.75.15.138:13000"},
 :body=>
  "{\"auth\":{\"identity\":{\"methods\":[\"password\"],\"password\":{\"user\":{\"password\":\"********\"},\"name\":\"cfadmin\"}}},\"scope\":{\"project\":{\"name\":\"admin\",\"domain\":{\"id\":\"Default\"}}}}}"}

[----] D, [2017-07-10T17:03:49.312940 #19855:84b138] DEBUG -- : excon.response  
{:status=>201,
 :headers=>
  {"X-Subject-Token"=>"fc8b698ca55a4e55a1d3f15d18e5c1a9",
   "Vary"=>"X-Auth-Token",
   "Content-Type"=>"application/json",
   "Content-Length"=>"6586",

......
Comment 2 Marek Aufart 2017-08-15 11:15:25 EDT
This should work as implemented: "The provider you are creating will be able to see projects for the given domain only. To see projects for other domains, add it as another cloud provider." [1]

If we need to change the behaviour to make inventory/projects visible for all domains, we can discuss it as an RFE (similar to OpenStack discovery).

[1] http://manageiq.org/docs/reference/latest/doc-Managing_Providers/miq/#adding_openstack_cloud_providers
Comment 3 Marek Aufart 2017-09-22 06:49:58 EDT
Closing as not a bug since this is described in Comment #2. Open an RFE if the solution is not acceptable.
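
A triage helper for fog.log excerpts like the ones in the description, added here as an example and not part of the bug report, ManageIQ or fog: it pairs each project-scoped `/v3/auth/tokens` request with its HTTP status and lists the rejected project scopes per domain. The function names, the `keystone.example` host and the `tenant_a` project are constructed for the example.

```ruby
# Added example. SAMPLE_LOG is constructed, modelled on the fog.log lines above.
SAMPLE_LOG = <<~'LOG'
  [----] D, [2017-07-10T17:03:47.953859 #19855:84b138] DEBUG -- : excon.request
  {:uri=>"https://keystone.example:13000/v3/auth/tokens",
   :body=>
    "{\"auth\":{\"identity\":{\"methods\":[\"password\"]},\"scope\":{\"project\":{\"name\":\"tenant_a\",\"domain\":{\"id\":\"Default\"}}}}}"}
  [----] E, [2017-07-10T17:03:48.002882 #19855:84b138] ERROR -- : excon.error     #<Excon::Error::Unauthorized: Expected([201]) <=> Actual(401 Unauthorized)
  [----] D, [2017-07-10T17:03:49.119872 #19855:84b138] DEBUG -- : excon.request
  {:uri=>"https://keystone.example:13000/v3/auth/tokens",
   :body=>
    "{\"auth\":{\"identity\":{\"methods\":[\"password\"]},\"scope\":{\"project\":{\"name\":\"admin\",\"domain\":{\"id\":\"Default\"}}}}}"}
  [----] D, [2017-07-10T17:03:49.312940 #19855:84b138] DEBUG -- : excon.response
  {:status=>201,
LOG

HEADER = /\A\[----\] \w, \[(?<ts>\S+) #(?<worker>\S+)\].*excon\.(?<kind>request|response|error)/
# The logged body is password-masked, so match the scope with a regex instead of JSON.parse.
SCOPE = /"scope":\{"project":\{"name":"(?<project>[^"]+)","domain":\{"(?:id|name)":"(?<domain>[^"]+)"/

# Pair each project-scoped token request with its outcome (HTTP status), per worker id.
def token_requests(log)
  results = []
  pending = {}   # worker id => request still waiting for a response or error
  current = nil  # [kind, worker] of the log entry whose continuation lines follow
  log.each_line do |line|
    if (m = HEADER.match(line))
      current = [m[:kind], m[:worker]]
      pending[m[:worker]] = { time: m[:ts] } if m[:kind] == "request"
      if m[:kind] == "error" && (req = pending.delete(m[:worker]))
        results << req.merge(status: line[/Actual\((\d{3})/, 1].to_i)
      end
    elsif current && (req = pending[current[1]])
      if current[0] == "request" && (s = SCOPE.match(line.gsub('\"', '"')))
        req.merge!(project: s[:project], domain: s[:domain])
      elsif current[0] == "response" && (code = line[/:status=>(\d{3})/, 1])
        results << pending.delete(current[1]).merge(status: code.to_i)
      end
    end
  end
  results.select { |r| r[:project] }
end

# Rejected (401) scopes grouped by the domain id or name sent in the request.
def rejected_by_domain(results)
  results.select { |r| r[:status] == 401 }
         .group_by { |r| r[:domain] }
         .transform_values { |rs| rs.map { |r| r[:project] }.uniq }
end
```

A 401 on a project scope shows that Keystone rejected that project/domain pair for the user; the project's actual domain still has to be checked on the OpenStack side.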
