[service_user] config section uses the wrong user_domain_id and project_domain_id

Bug #2026202 reported by Corey Bryant
Affects                 Status   Importance   Assigned to   Milestone
OpenStack Cinder Charm  New      Undecided    Unassigned

Bug Description

While testing the service token support I noticed that the following command was returning a different uuid than the one configured in the various services' [service_user] config section:

openstack user show --domain service_domain -f value -c id nova

The reason is that charm-keystone creates two service users, one for the service_domain and the other for the Default domain [1]. This is expected, as can be seen from the commit that introduced them [2]. That commit introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.

What we have now:

[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_id = default
user_domain_id = default
project_name = services
username = cinderv3
password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT

What we should have:

[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_name = service_domain
user_domain_name = service_domain
project_name = services
username = cinderv3
password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT

[1] charm-keystone creates two service users/projects, one for the service_domain and the other for the Default domain

root@f1:~# openstack user list --domain service_domain
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| b14d94f1594743198d1c7c3be722a1c4 | nova      |
| 5ce32364e6a043ad9642f747a2e380de | glance    |
| 0ae3b2494e7d4918956ef44852a8a604 | cinderv3  |
| ed3ba0b081e641d0906d517ca99c37ff | placement |
| ad43075877b0422999f7971f2ca772b1 | neutron   |
+----------------------------------+-----------+

root@f1:~# openstack user list --domain Default
+----------------------------------+-----------------------+
| ID                               | Name                  |
+----------------------------------+-----------------------+
| 2a93390dae55464cbec6e6e0e7a98734 | _charm-keystone-admin |
| 1eabe59fe8f54e24a503213de7c06ec2 | nova                  |
| 6fd21eba472b4451a261625aefd79cbc | glance                |
| b72ef27dd14d409ba8341b565ea718fb | cinderv3              |
| 9298849a6c694e079111a3ccab8e9c25 | placement             |
| 5d4e45bdfa8a4a738689ab6cb0576f33 | neutron               |
+----------------------------------+-----------------------+

root@f1:~# openstack project list
+----------------------------------+--------------------------------------------------+
| ID                               | Name                                             |
+----------------------------------+--------------------------------------------------+
| 2e2dfd384b3c475db46829300cbbbf96 | admin                                            |
| 605138c74dca4d56a6dec2c6d897b5aa | services                                         |
| 9f2c31fb6eda4272acd552d73fe0c703 | tempest-TrafficOperationsScenarioTest-1073829527 |
| b51818605b4d4ef78f44f53c43830e0c | services                                         |
| c8126e3e9461487abe790371304d304b | demoProject                                      |
| fdb19396eb664734bb2804f2d4df12ed | admin                                            |
+----------------------------------+--------------------------------------------------+

root@f1:~# openstack project show 605138c74dca4d56a6dec2c6d897b5aa
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Created by Juju                  |
| domain_id   | 5729b883ec844bc78c7c050fd4e0826e |
| enabled     | True                             |
| id          | 605138c74dca4d56a6dec2c6d897b5aa |
| is_domain   | False                            |
| name        | services                         |
| options     | {}                               |
| parent_id   | 5729b883ec844bc78c7c050fd4e0826e |
| tags        | []                               |
+-------------+----------------------------------+

root@f1:~# openstack domain list
+----------------------------------+----------------+---------+--------------------+
| ID                               | Name           | Enabled | Description        |
+----------------------------------+----------------+---------+--------------------+
| 5009f8b773f74d608ecf029e1a070186 | admin_domain   | True    | Created by Juju    |
| 5729b883ec844bc78c7c050fd4e0826e | service_domain | True    | Created by Juju    |
| 7c8dbe4036d5479b9ca82328008e147e | demoDomain     | True    | Demo Domain        |
| default                          | Default        | True    | The default domain |
+----------------------------------+----------------+---------+--------------------+

root@f1:~# openstack project show b51818605b4d4ef78f44f53c43830e0c
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Created by Juju                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | b51818605b4d4ef78f44f53c43830e0c |
| is_domain   | False                            |
| name        | services                         |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

These are created in charm-keystone/hooks/keystone_utils.py at:

1641 def _ensure_initial_admin(config):
1642 ...
1653 if get_api_version() > 2:
1654 ...
1661 create_tenant(config("service-tenant"), SERVICE_DOMAIN)
1662 ...
1666 ...
1667 create_tenant(config("service-tenant"), DEFAULT_DOMAIN)

[2] Commit that introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.

commit 5de1770931e886732870da1909f08279a0b804b4
Author: Frode Nordahl <email address hidden>
Date: Wed Nov 2 13:21:07 2016 +0100

    Create service credentials in SERVICE_DOMAIN

    Cleanup code that references users, projects or domains without
    necessary scoping or filtering throughout the charm. Add logging
    of domain name in contexts where this is relevant.

    Tighten rule:service_role to require role:service and token scoped
    to project config('service-tenant') created in SERVICE_DOMAIN. This
    ensures that if you have a deployment with end-user access to assign
    roles within their own domains they will not gain privileged access
    simply by assigning the service role to one of their own users.

    Allow users authorized by rule:service_role to perform
    identity:list_projects. This is required to allow Ceilometer
    to operate without Admin privileges.

    Services are given a user in project config('service-tenant') in
    SERVICE_DOMAIN for v3 authentication / authorization. As of Mitaka
    Keystone v3 policy the 'service' role is sufficient for services to
    validate tokens.

    Services are also given a user in project config('service-tenant') in
    DEFAULT_DOMAIN to support services still configured with v2.0
    authentication / authorization.

    This will allow us to transition from v2.0 based authentication /
    authorization and existing services and charms will continue to
    operate as before. This will also allow the end-user to roll their
    deployment up to api_version 3 and back to api_version 2 as needed.

    Services and charms that have made the transition to fully use the
    v3 API for authentication and authorization will gain full access to
    domains and projects across the deployment. The first charm to make
    use of this is charm-ceilometer.

    Closes-Bug: 1636098
    Change-Id: If1518029c43476a5e14bf94596197eabe663499c
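A configuration check for the mismatch this report describes, added here as an example; it is not code from the bug report, charm-cinder or charm-keystone. The helper names (domain_name, resolve_service_user, check_service_user) are my own, the DOMAINS and USERS tables are constructed from the openstack output above, and the password is a placeholder.

```python
import configparser

# Constructed sample: the "what we have now" [service_user] fragment, password replaced by a placeholder.
CURRENT_CONF = """[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_id = default
user_domain_id = default
project_name = services
username = cinderv3
password = REDACTED-PLACEHOLDER
"""
# The "what we should have" variant: select the domain by name instead of by the Default domain id.
FIXED_CONF = (CURRENT_CONF
              .replace("project_domain_id = default", "project_domain_name = service_domain")
              .replace("user_domain_id = default", "user_domain_name = service_domain"))

# Constructed inventory mirroring `openstack domain list` and `openstack user list --domain ...` above.
DOMAINS = {"default": "Default", "5729b883ec844bc78c7c050fd4e0826e": "service_domain"}  # domain id -> name
USERS = {  # (domain name, username) -> user id; the same username exists in both domains
    ("service_domain", "cinderv3"): "0ae3b2494e7d4918956ef44852a8a604",
    ("Default", "cinderv3"): "b72ef27dd14d409ba8341b565ea718fb",
}

def domain_name(section, prefix):
    """Resolve <prefix>_domain_name or <prefix>_domain_id (keystoneauth accepts either) to a domain name."""
    if f"{prefix}_domain_name" in section:
        return section[f"{prefix}_domain_name"]
    dom_id = section.get(f"{prefix}_domain_id")
    if dom_id is None:
        raise ValueError(f"[service_user] sets neither {prefix}_domain_name nor {prefix}_domain_id")
    if dom_id not in DOMAINS:
        raise ValueError(f"unknown domain id {dom_id!r}")
    return DOMAINS[dom_id]

def resolve_service_user(conf_text):
    """Return which keystone user (and which domains) the [service_user] credentials actually select."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sec = cp["service_user"]
    user_dom, proj_dom = domain_name(sec, "user"), domain_name(sec, "project")
    user_id = USERS.get((user_dom, sec["username"]))
    if user_id is None:
        raise ValueError(f"no user {sec['username']!r} in domain {user_dom!r}")
    return {"user_domain": user_dom, "project_domain": proj_dom, "user_id": user_id}

def check_service_user(conf_text, expected_domain="service_domain"):
    """True when both user and project are scoped to the domain the v3 service_role policy expects."""
    r = resolve_service_user(conf_text)
    return (r["user_domain"] == expected_domain and r["project_domain"] == expected_domain), r
```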
