Bug 1508904 - Keystone roles for Octavia is not created after deployment or for new tenants
Summary: Keystone roles for Octavia is not created after deployment or for new tenants
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-octavia
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 13.0 (Queens)
Assignee: Brent Eagles
QA Contact: Alexander Stafeyev
: 1560279 (view as bug list)
Depends On:
Blocks: 1433523 1533563
TreeView+ depends on / blocked
Reported: 2017-11-02 13:28 UTC by Alexander Stafeyev
Modified: 2019-09-10 14:10 UTC (History)
7 users (show)

Fixed In Version: puppet-octavia-12.4.0-0.20180329041637.3bc0f6b.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-05-13 16:40:55 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Launchpad 1762774 None None None 2018-04-10 16:09:44 UTC
OpenStack gerrit 560031 None MERGED Add keystone roles for Octavia policies 2020-08-12 10:23:59 UTC
OpenStack gerrit 560083 None ABANDONED Create roles for Octavia API 2020-08-12 10:23:59 UTC
OpenStack gerrit 561347 None MERGED Add keystone roles for Octavia policies 2020-08-12 10:23:59 UTC

Description Alexander Stafeyev 2017-11-02 13:28:12 UTC
Description of problem:
Octavia roles are not created . Failed running tests. 

ERROR: setUpClass (octavia_tempest_plugin.tests.v2.scenario.test_basic_ops.BasicOpsTest)
Traceback (most recent call last):
  File "tempest/test.py", line 172, in setUpClass
    six.reraise(etype, value, trace)
  File "tempest/test.py", line 157, in setUpClass
  File "tempest/test.py", line 401, in setup_credentials
  File "tempest/test.py", line 670, in get_client_manager
    creds = cred_provider.get_creds_by_roles(**params)
  File "tempest/lib/common/dynamic_creds.py", line 373, in get_creds_by_roles
    return self.get_credentials(roles)
  File "tempest/lib/common/dynamic_creds.py", line 338, in get_credentials
    credentials = self._create_creds(roles=credential_type)
  File "tempest/lib/common/dynamic_creds.py", line 203, in _create_creds
    self.creds_client.assign_user_role(user, project, role)
  File "tempest/lib/common/cred_client.py", line 76, in assign_user_role
    raise lib_exc.NotFound(msg)
tempest.lib.exceptions.NotFound: Object not found
Details: No "load-balancer_member" role found

How reproducible:

Steps to Reproduce:
1. Create tempest docker - https://github.com/itzikb/docker-tempest
2. clone octavia plugin https://github.com/openstack/octavia-tempest-plugin.git
3. Cherry pick the plugin patch - git fetch https://git.openstack.org/openstack/octavia-tempest-plugin refs/changes/75/486775/39 && git checkout FETCH_HEAD 
4. pip install -e . from plugin dir, to install plugin. 
5. try to run Octavia test. 

Actual results:
Details: No "load-balancer_member" role found

Expected results:
The test should run 

Additional info:
Work around : 

0. from stack machine: a- . overcloudrc , b-  openstack role create load-balancer_member , c- openstack role add --user demo --project demo load-balancer_member 
1. int the plugin dir - pip install -e .
2. Run test

Comment 1 Martin Kopec 2017-11-30 11:16:05 UTC
python-tempestconf doesn't create roles, it mostly scans the environment and generates tempest.conf based on the cloud.

Personally I like the idea, I'd like to implement it. It will be discussed and maybe it will be part of the ongoing refactoring process, but for now, it's not a bug.

I'd say the role should be created by the test, as it's a required resource, and cleaned afterwards.

Comment 4 Nir Magnezi 2017-12-13 12:52:42 UTC
As a follow up to our IRC discussion, this should be done by the deployer.
Moving to Brent.

Comment 5 Nir Magnezi 2017-12-13 12:53:04 UTC
Mail, not IRC. Sorry.

Comment 7 Carlos Goncalves 2018-03-20 16:43:10 UTC
A workaround patch in Infrared has been proposed: https://review.gerrithub.io/#/c/404354/

Comment 9 Nir Magnezi 2018-03-21 13:00:15 UTC
The patch in comment #7 is actually a workaround done in infrared (CI tool we use to invoke TripleO), whereas the fix should be a part of TripleO itself. Thus, moving back to assigned.

Brent, will you have time to get to this soon?

Comment 10 Nir Magnezi 2018-04-08 11:30:37 UTC
*** Bug 1560279 has been marked as a duplicate of this bug. ***

Comment 11 Nir Magnezi 2018-04-16 08:53:24 UTC
If we can't get cycles upstream for a review to https://review.openstack.org/#/c/561347 , maybe we should backport downstream?

I can help with the backport, but I would like to run it by you first.

Comment 13 Carlos Goncalves 2018-04-16 14:12:22 UTC
https://review.openstack.org/#/c/560083/ is also required.

Comment 14 Nir Magnezi 2018-04-16 14:17:10 UTC
(In reply to Carlos Goncalves from comment #13)
> https://review.openstack.org/#/c/560083/ is also required.

since this fix is a part of tripleo-heat-templates (not puppet-octavia), it should be under a different rhbz.

Comment 21 Nir Magnezi 2018-05-13 16:40:55 UTC
Eventually, for OSP13 we are going to fix this with policy.json in packaging.
See bug 1577635.

Comment 22 Noam Manos 2018-05-16 12:35:08 UTC
Running octavia tempest tests, after first workaround, still returns:
No "load-balancer_admin" role found

So the updated workaround is:

(overcloud) [stack@undercloud-0]$

openstack role list | grep -q load-balancer_member || openstack role create load-balancer_member
openstack role add --user demo --project demo load-balancer_member
openstack role assignment list --names
openstack role list | grep -q load-balancer_admin || openstack role create load-balancer_admin
openstack role add --user demo --project demo load-balancer_admin
openstack role assignment list --names | awk 'NR<4 || /load-balancer/'

Note You need to log in before you can comment on or make changes to this bug.