Bug 1519057 - OSP11->OSP12 Keystone LDAP Domain Template No Longer Works
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 12.0 (Pike)
Hardware: x86_64 Linux
Priority: urgent
Severity: urgent
Target Milestone: z1
Target Release: 12.0 (Pike)
Assigned To: Harry Rybacki
QA Contact: Prasanth Anbalagan
Keywords: Triaged, ZStream
Depends On:
Blocks:
Reported: 2017-11-29 20:45 EST by Will Kline
Modified: 2018-03-22 21:44 EDT
CC: 13 users

See Also:
Fixed In Version: openstack-tripleo-heat-templates-7.0.3-19.el7ost
Doc Type: Known Issue
Doc Text:
There is currently a known issue with LDAP integration for Red Hat OpenStack Platform. At present, the `keystone_domain_config` tag is missing from `keystone.yaml`, preventing Puppet from properly applying the required configuration files. Consequently, LDAP integration with Red Hat OpenStack Platform will not be properly configured. As a workaround, you will need to manually edit `keystone.yaml` and add the missing tag. There are two ways to do this:

1. Edit the file directly:
   a. Log in to the undercloud as the stack user.
   b. Open keystone.yaml in the editor of your choice. For example: `sudo vi /usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml`
   c. Append the missing puppet tag, `keystone_domain_config`, to line 94. For example, `puppet_tags: keystone_config` changes to: `puppet_tags: keystone_config,keystone_domain_config`
   d. Save and close `keystone.yaml`.
   e. Verify you see the missing tag in the `keystone.yaml` file. The following command should return '1': `cat /usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml | grep 'puppet_tags: keystone_config,keystone_domain_config' | wc -l`

2. Or, use sed to edit the file in place:
   a. Log in to the undercloud as the stack user.
   b. Run the following command to add the missing puppet tag: `sed -i 's/puppet_tags\: keystone_config/puppet_tags\: keystone_config,keystone_domain_config/' /usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml`
   c. Verify you see the missing tag in the keystone.yaml file. The following command should return '1': `cat /usr/share/openstack-tripleo-heat-templates/docker/services/keystone.yaml | grep 'puppet_tags: keystone_config,keystone_domain_config' | wc -l`
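The sed one-liner in the Doc Text is not idempotent: a second run appends `,keystone_domain_config` again, and the suggested `grep | wc -l` check still prints 1 because it counts lines, not tags. The script below is an added example (not from the bug report or from tripleo-heat-templates) that applies the same workaround only when the tag is absent and verifies that it appears exactly once; it assumes the affected line reads `puppet_tags: keystone_config` with leading YAML indentation, and it runs against a constructed stand-in file rather than the real template.

```shell
#!/bin/sh
# Added example: idempotent form of the documented keystone.yaml workaround.
# Assumption: the puppet_tags line is exactly "puppet_tags: keystone_config",
# indented as YAML, as on line 94 of the affected template.

TAG_LINE='puppet_tags: keystone_config,keystone_domain_config'

# Write a constructed stand-in for keystone.yaml to $1 (only the relevant keys).
make_sample_keystone_yaml() {
    printf '  puppet_config:\n    config_volume: keystone\n    %s\n' \
        'puppet_tags: keystone_config' > "$1"
}

# Add the missing tag to the file at $1, but only when it is absent.
add_domain_config_tag() {
    f="$1"
    if grep -q "^ *$TAG_LINE\$" "$f"; then
        return 0                      # already fixed: nothing to do
    fi
    # Anchored at both ends so the substitution cannot fire on an already-fixed line.
    sed 's/^\( *\)puppet_tags: keystone_config$/\1'"$TAG_LINE"'/' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Exit 0 only if exactly one line is the fixed puppet_tags line and the tag
# occurs exactly once in the whole file (catches the doubled-tag case).
tag_is_present() {
    f="$1"
    [ "$(grep -c "^ *$TAG_LINE\$" "$f")" -eq 1 ] \
        && [ "$(grep -o 'keystone_domain_config' "$f" | wc -l | tr -d ' ')" -eq 1 ]
}

# Stand-alone demonstration on a temporary copy.
demo_dir=$(mktemp -d)
make_sample_keystone_yaml "$demo_dir/keystone.yaml"
add_domain_config_tag "$demo_dir/keystone.yaml"
add_domain_config_tag "$demo_dir/keystone.yaml"   # second run must be a no-op
tag_is_present "$demo_dir/keystone.yaml" && echo "keystone.yaml: tag present exactly once"
rm -rf "$demo_dir"
```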
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-01-30 16:24:32 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1737799 None None None 2017-12-12 13:01 EST
OpenStack gerrit 527485 None None None 2017-12-13 11:09 EST
OpenStack gerrit 527758 None None None 2017-12-13 14:13 EST
Red Hat Product Errata RHBA-2018:0253 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 director Bug Fix Advisory 2018-02-15 22:41:33 EST

Description Will Kline 2017-11-29 20:45:21 EST
Description of problem:
The Keystone LDAP domain template that was working for our deployment in OSP11 no longer works in our OSP12 test deployments.  It does not appear to generate any of the config files necessary (/etc/keystone/domains/keystone.my.domain.conf) on the host or inside the keystone container.  Inside the keystone container, I ran "grep -r 'uid=keystone.user,cn=users,cn=compat' /", and got no results.

I have based my template off of https://github.com/openstack/tripleo-heat-templates/blob/master/environments/services/keystone_domain_specific_ldap_backend.yaml and this works fine on OSP11.

Version-Release number of selected component (if applicable):
Installed Packages
Name        : openstack-tripleo-heat-templates
Arch        : noarch
Version     : 7.0.3
Release     : 0.20171024200823.el7ost


How reproducible:
Deploy a basic OpenStack using 12-beta, and include the keystone_domain_specific_ldap_backend.yaml that has been customized for your ldap domain.


Actual results:

After sourcing the overcloudrc.v3, the following commands work:
"openstack domain list" lists "default" and "my-domain"
"openstack user list --domain my-domain" lists no users


Expected results:
"openstack domain list" lists "default" and "my-domain"
"openstack user list --domain my-domain" lists all of the users matching my ldap user_tree
Comment 4 Alex Schultz 2017-12-12 12:59:15 EST
We appear to be missing the keystone_domain_config tag from the docker configuration so that the domain config is never written out during the deployment.

https://github.com/openstack/tripleo-heat-templates/blob/107b610923ba5d39f90c3a6a63bf2d3642e1b35d/docker/services/keystone.yaml#L94


The later step3 where we do run it is for resource configurations and not part of the configuration generation.

https://github.com/openstack/tripleo-heat-templates/blob/107b610923ba5d39f90c3a6a63bf2d3642e1b35d/docker/services/keystone.yaml#L195
Comment 5 Harry Rybacki 2017-12-13 11:09:33 EST
Moving to POST as upstream review[1] has merged.

[1] - https://review.openstack.org/#/c/527485/
Comment 6 Nathan Kinder 2017-12-13 14:07:19 EST
A stable/pike backport has been proposed here:

  https://review.openstack.org/#/c/527758/
Comment 7 Alex Schultz 2017-12-14 10:59:55 EST
Upstream stable backport has merged
Comment 10 Prasanth Anbalagan 2018-01-23 12:45:33 EST
As expected, the config files are generated under /etc/keystone/domains.

(undercloud) [stack@undercloud-0 ~]$ rpm -qi openstack-tripleo-heat-templates.noarch
Name        : openstack-tripleo-heat-templates
Version     : 7.0.3
Release     : 21.el7ost
Architecture: noarch
Install Date: Tue 23 Jan 2018 09:33:23 AM EST

[heat-admin@controller-0 ~]$ sudo ls -l /var/lib/config-data/puppet-generated/keystone/etc/keystone/domains
total 4
-rw-r--r--. 1 root root 942 Jan 23 17:14 keystone.freeipadomain.conf
[heat-admin@controller-0 ~]$
Comment 15 errata-xmlrpc 2018-01-30 16:24:32 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0253
