Activity log for bug #2026202

Date Who What changed Old value New value Message
2023-07-05 19:30:09 Corey Bryant bug added bug
2023-07-05 19:33:56  Corey Bryant  description

Old value:

While testing the service token support I noticed that the following command was returning a different uuid than the one configured in the various services' [service_user] config section:

    openstack user show --domain service_domain -f value -c id nova

The reason is that charm-keystone creates two services projects, one for the service_domain, and the other for the Default domain. [1] This is expected as can be seen by the commit that introduced them [2]. That commit introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.

What we have now:

    [service_user]
    send_service_user_token = true
    auth_type = password
    auth_url = https://10.5.1.189:35357
    project_domain_id = default
    user_domain_id = default
    project_name = services
    username = cinderv3
    password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT

What we should have:

    [service_user]
    send_service_user_token = true
    auth_type = password
    auth_url = https://10.5.1.189:35357
    project_domain_id = <uuid of service_domain>
    user_domain_id = <uuid of service_domain>
    project_name = services
    username = cinderv3
    password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT

[1] charm-keystone creates two services projects, one for the service_domain, and the other for the Default domain

    root@f1:~# openstack project list
    +----------------------------------+--------------------------------------------------+
    | ID                               | Name                                             |
    +----------------------------------+--------------------------------------------------+
    | 2e2dfd384b3c475db46829300cbbbf96 | admin                                            |
    | 605138c74dca4d56a6dec2c6d897b5aa | services                                         |
    | 9f2c31fb6eda4272acd552d73fe0c703 | tempest-TrafficOperationsScenarioTest-1073829527 |
    | b51818605b4d4ef78f44f53c43830e0c | services                                         |
    | c8126e3e9461487abe790371304d304b | demoProject                                      |
    | fdb19396eb664734bb2804f2d4df12ed | admin                                            |
    +----------------------------------+--------------------------------------------------+

    root@f1:~# openstack project show 605138c74dca4d56a6dec2c6d897b5aa
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Created by Juju                  |
    | domain_id   | 5729b883ec844bc78c7c050fd4e0826e |
    | enabled     | True                             |
    | id          | 605138c74dca4d56a6dec2c6d897b5aa |
    | is_domain   | False                            |
    | name        | services                         |
    | options     | {}                               |
    | parent_id   | 5729b883ec844bc78c7c050fd4e0826e |
    | tags        | []                               |
    +-------------+----------------------------------+

    root@f1:~# openstack domain list
    +----------------------------------+----------------+---------+--------------------+
    | ID                               | Name           | Enabled | Description        |
    +----------------------------------+----------------+---------+--------------------+
    | 5009f8b773f74d608ecf029e1a070186 | admin_domain   | True    | Created by Juju    |
    | 5729b883ec844bc78c7c050fd4e0826e | service_domain | True    | Created by Juju    |
    | 7c8dbe4036d5479b9ca82328008e147e | demoDomain     | True    | Demo Domain        |
    | default                          | Default        | True    | The default domain |
    +----------------------------------+----------------+---------+--------------------+

    root@f1:~# openstack project show b51818605b4d4ef78f44f53c43830e0c
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Created by Juju                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | b51818605b4d4ef78f44f53c43830e0c |
    | is_domain   | False                            |
    | name        | services                         |
    | options     | {}                               |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+

These are created in charm-keystone/hooks/keystone_utils.py at:

    1641 def _ensure_initial_admin(config):
    1642 ...
    1653     if get_api_version() > 2:
    1654         ...
    1661         create_tenant(config("service-tenant"), SERVICE_DOMAIN)
    1662 ...
    1666 ...
    1667 create_tenant(config("service-tenant"), DEFAULT_DOMAIN)

[2] Commit that introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.

    commit 5de1770931e886732870da1909f08279a0b804b4
    Author: Frode Nordahl <frode.nordahl@canonical.com>
    Date:   Wed Nov 2 13:21:07 2016 +0100

        Create service credentials in SERVICE_DOMAIN

        Cleanup code that references users, projects or domains without
        necessary scoping or filtering throughout the charm. Add logging
        of domain name in contexts where this is relevant.

        Tighten rule:service_role to require role:service and token scoped
        to project config('service-tenant') created in SERVICE_DOMAIN. This
        ensures that if you have a deployment with end-user access to assign
        roles within their own domains they will not gain privileged access
        simply by assigning the service role to one of their own users.

        Allow users authorized by rule:service_role to perform
        identity:list_projects. This is required to allow Ceilometer
        to operate without Admin privileges.

        Services are given a user in project config('service-tenant') in
        SERVICE_DOMAIN for v3 authentication / authorization. As of Mitaka
        Keystone v3 policy the 'service' role is sufficient for services to
        validate tokens.

        Services are also given a user in project config('service-tenant') in
        DEFAULT_DOMAIN to support services still configured with v2.0
        authentication / authorization.

        This will allow us to transition from v2.0 based authentication /
        authorization and existing services and charms will continue to
        operate as before. This will also allow the end-user to roll their
        deployment up to api_version 3 and back to api_version 2 as needed.

        Services and charms that have made the transition to fully use the
        v3 API for authentication and authorization will gain full access to
        domains and projects across the deployment. The first charm to make
        use of this is charm-ceilometer.

        Closes-Bug: 1636098
        Change-Id: If1518029c43476a5e14bf94596197eabe663499c

New value:

While testing the service token support I noticed that the following command was returning a different uuid than the one configured in the various services' [service_user] config section:

    openstack user show --domain service_domain -f value -c id nova

The reason is that charm-keystone creates two service users, one for the service_domain, and the other for the Default domain. [1] This is expected as can be seen by the commit that introduced them [2]. That commit introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.

What we have now:

    [service_user]
    send_service_user_token = true
    auth_type = password
    auth_url = https://10.5.1.189:35357
    project_domain_id = default
    user_domain_id = default
    project_name = services
    username = cinderv3
    password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT

What we should have:

    [service_user]
    send_service_user_token = true
    auth_type = password
    auth_url = https://10.5.1.189:35357
    project_domain_id = <uuid of service_domain>
    user_domain_id = <uuid of service_domain>
    project_name = services
    username = cinderv3
    password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT

[1] charm-keystone creates two services projects, one for the service_domain, and the other for the Default domain

    root@f1:~# openstack user list --domain service_domain
    +----------------------------------+-----------+
    | ID                               | Name      |
    +----------------------------------+-----------+
    | b14d94f1594743198d1c7c3be722a1c4 | nova      |
    | 5ce32364e6a043ad9642f747a2e380de | glance    |
    | 0ae3b2494e7d4918956ef44852a8a604 | cinderv3  |
    | ed3ba0b081e641d0906d517ca99c37ff | placement |
    | ad43075877b0422999f7971f2ca772b1 | neutron   |
    +----------------------------------+-----------+

    root@f1:~# openstack user list --domain Default
    +----------------------------------+-----------------------+
    | ID                               | Name                  |
    +----------------------------------+-----------------------+
    | 2a93390dae55464cbec6e6e0e7a98734 | _charm-keystone-admin |
    | 1eabe59fe8f54e24a503213de7c06ec2 | nova                  |
    | 6fd21eba472b4451a261625aefd79cbc | glance                |
    | b72ef27dd14d409ba8341b565ea718fb | cinderv3              |
    | 9298849a6c694e079111a3ccab8e9c25 | placement             |
    | 5d4e45bdfa8a4a738689ab6cb0576f33 | neutron               |
    +----------------------------------+-----------------------+

    root@f1:~# openstack project list
    +----------------------------------+--------------------------------------------------+
    | ID                               | Name                                             |
    +----------------------------------+--------------------------------------------------+
    | 2e2dfd384b3c475db46829300cbbbf96 | admin                                            |
    | 605138c74dca4d56a6dec2c6d897b5aa | services                                         |
    | 9f2c31fb6eda4272acd552d73fe0c703 | tempest-TrafficOperationsScenarioTest-1073829527 |
    | b51818605b4d4ef78f44f53c43830e0c | services                                         |
    | c8126e3e9461487abe790371304d304b | demoProject                                      |
    | fdb19396eb664734bb2804f2d4df12ed | admin                                            |
    +----------------------------------+--------------------------------------------------+

    root@f1:~# openstack project show 605138c74dca4d56a6dec2c6d897b5aa
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Created by Juju                  |
    | domain_id   | 5729b883ec844bc78c7c050fd4e0826e |
    | enabled     | True                             |
    | id          | 605138c74dca4d56a6dec2c6d897b5aa |
    | is_domain   | False                            |
    | name        | services                         |
    | options     | {}                               |
    | parent_id   | 5729b883ec844bc78c7c050fd4e0826e |
    | tags        | []                               |
    +-------------+----------------------------------+

    root@f1:~# openstack domain list
    +----------------------------------+----------------+---------+--------------------+
    | ID                               | Name           | Enabled | Description        |
    +----------------------------------+----------------+---------+--------------------+
    | 5009f8b773f74d608ecf029e1a070186 | admin_domain   | True    | Created by Juju    |
    | 5729b883ec844bc78c7c050fd4e0826e | service_domain | True    | Created by Juju    |
    | 7c8dbe4036d5479b9ca82328008e147e | demoDomain     | True    | Demo Domain        |
    | default                          | Default        | True    | The default domain |
    +----------------------------------+----------------+---------+--------------------+

    root@f1:~# openstack project show b51818605b4d4ef78f44f53c43830e0c
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Created by Juju                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | b51818605b4d4ef78f44f53c43830e0c |
    | is_domain   | False                            |
    | name        | services                         |
    | options     | {}                               |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+

These are created in charm-keystone/hooks/keystone_utils.py at:

    1641 def _ensure_initial_admin(config):
    1642 ...
    1653     if get_api_version() > 2:
    1654         ...
    1661         create_tenant(config("service-tenant"), SERVICE_DOMAIN)
    1662 ...
    1666 ...
    1667 create_tenant(config("service-tenant"), DEFAULT_DOMAIN)

[2] Commit that introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.

    commit 5de1770931e886732870da1909f08279a0b804b4
    Author: Frode Nordahl <frode.nordahl@canonical.com>
    Date:   Wed Nov 2 13:21:07 2016 +0100

        Create service credentials in SERVICE_DOMAIN

        Cleanup code that references users, projects or domains without
        necessary scoping or filtering throughout the charm. Add logging
        of domain name in contexts where this is relevant.

        Tighten rule:service_role to require role:service and token scoped
        to project config('service-tenant') created in SERVICE_DOMAIN. This
        ensures that if you have a deployment with end-user access to assign
        roles within their own domains they will not gain privileged access
        simply by assigning the service role to one of their own users.

        Allow users authorized by rule:service_role to perform
        identity:list_projects. This is required to allow Ceilometer
        to operate without Admin privileges.

        Services are given a user in project config('service-tenant') in
        SERVICE_DOMAIN for v3 authentication / authorization. As of Mitaka
        Keystone v3 policy the 'service' role is sufficient for services to
        validate tokens.

        Services are also given a user in project config('service-tenant') in
        DEFAULT_DOMAIN to support services still configured with v2.0
        authentication / authorization.

        This will allow us to transition from v2.0 based authentication /
        authorization and existing services and charms will continue to
        operate as before. This will also allow the end-user to roll their
        deployment up to api_version 3 and back to api_version 2 as needed.

        Services and charms that have made the transition to fully use the
        v3 API for authentication and authorization will gain full access to
        domains and projects across the deployment. The first charm to make
        use of this is charm-ceilometer.

        Closes-Bug: 1636098
        Change-Id: If1518029c43476a5e14bf94596197eabe663499c
2023-07-05 19:34:43  Corey Bryant  description

Old value: identical to the 19:33:56 new value above.

New value:

While testing the service token support I noticed that the following command was returning a different uuid than the one configured in the various services' [service_user] config section:

    openstack user show --domain service_domain -f value -c id nova

The reason is that charm-keystone creates two service users, one for the service_domain, and the other for the Default domain. [1] This is expected as can be seen by the commit that introduced them [2]. That commit introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.

What we have now:

    [service_user]
    send_service_user_token = true
    auth_type = password
    auth_url = https://10.5.1.189:35357
    project_domain_id = default
    user_domain_id = default
    project_name = services
    username = cinderv3
    password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT

What we should have:

    [service_user]
    send_service_user_token = true
    auth_type = password
    auth_url = https://10.5.1.189:35357
    project_domain_id = <uuid of service_domain>
    user_domain_id = <uuid of service_domain>
    project_name = services
    username = cinderv3
    password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT

[1] charm-keystone creates two services users/projects, one for the service_domain, and the other for the Default domain

    root@f1:~# openstack user list --domain service_domain
    +----------------------------------+-----------+
    | ID                               | Name      |
    +----------------------------------+-----------+
    | b14d94f1594743198d1c7c3be722a1c4 | nova      |
    | 5ce32364e6a043ad9642f747a2e380de | glance    |
    | 0ae3b2494e7d4918956ef44852a8a604 | cinderv3  |
    | ed3ba0b081e641d0906d517ca99c37ff | placement |
    | ad43075877b0422999f7971f2ca772b1 | neutron   |
    +----------------------------------+-----------+

    root@f1:~# openstack user list --domain Default
    +----------------------------------+-----------------------+
    | ID                               | Name                  |
    +----------------------------------+-----------------------+
    | 2a93390dae55464cbec6e6e0e7a98734 | _charm-keystone-admin |
    | 1eabe59fe8f54e24a503213de7c06ec2 | nova                  |
    | 6fd21eba472b4451a261625aefd79cbc | glance                |
    | b72ef27dd14d409ba8341b565ea718fb | cinderv3              |
    | 9298849a6c694e079111a3ccab8e9c25 | placement             |
    | 5d4e45bdfa8a4a738689ab6cb0576f33 | neutron               |
    +----------------------------------+-----------------------+

    root@f1:~# openstack project list
    +----------------------------------+--------------------------------------------------+
    | ID                               | Name                                             |
    +----------------------------------+--------------------------------------------------+
    | 2e2dfd384b3c475db46829300cbbbf96 | admin                                            |
    | 605138c74dca4d56a6dec2c6d897b5aa | services                                         |
    | 9f2c31fb6eda4272acd552d73fe0c703 | tempest-TrafficOperationsScenarioTest-1073829527 |
    | b51818605b4d4ef78f44f53c43830e0c | services                                         |
    | c8126e3e9461487abe790371304d304b | demoProject                                      |
    | fdb19396eb664734bb2804f2d4df12ed | admin                                            |
    +----------------------------------+--------------------------------------------------+

    root@f1:~# openstack project show 605138c74dca4d56a6dec2c6d897b5aa
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Created by Juju                  |
    | domain_id   | 5729b883ec844bc78c7c050fd4e0826e |
    | enabled     | True                             |
    | id          | 605138c74dca4d56a6dec2c6d897b5aa |
    | is_domain   | False                            |
    | name        | services                         |
    | options     | {}                               |
    | parent_id   | 5729b883ec844bc78c7c050fd4e0826e |
    | tags        | []                               |
    +-------------+----------------------------------+

    root@f1:~# openstack domain list
    +----------------------------------+----------------+---------+--------------------+
    | ID                               | Name           | Enabled | Description        |
    +----------------------------------+----------------+---------+--------------------+
    | 5009f8b773f74d608ecf029e1a070186 | admin_domain   | True    | Created by Juju    |
    | 5729b883ec844bc78c7c050fd4e0826e | service_domain | True    | Created by Juju    |
    | 7c8dbe4036d5479b9ca82328008e147e | demoDomain     | True    | Demo Domain        |
    | default                          | Default        | True    | The default domain |
    +----------------------------------+----------------+---------+--------------------+

    root@f1:~# openstack project show b51818605b4d4ef78f44f53c43830e0c
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Created by Juju                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | b51818605b4d4ef78f44f53c43830e0c |
    | is_domain   | False                            |
    | name        | services                         |
    | options     | {}                               |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+

These are created in charm-keystone/hooks/keystone_utils.py at:

    1641 def _ensure_initial_admin(config):
    1642 ...
    1653     if get_api_version() > 2:
    1654         ...
    1661         create_tenant(config("service-tenant"), SERVICE_DOMAIN)
    1662 ...
    1666 ...
    1667 create_tenant(config("service-tenant"), DEFAULT_DOMAIN)

[2] Commit that introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.

    commit 5de1770931e886732870da1909f08279a0b804b4
    Author: Frode Nordahl <frode.nordahl@canonical.com>
    Date:   Wed Nov 2 13:21:07 2016 +0100

        Create service credentials in SERVICE_DOMAIN

        Cleanup code that references users, projects or domains without
        necessary scoping or filtering throughout the charm. Add logging
        of domain name in contexts where this is relevant.

        Tighten rule:service_role to require role:service and token scoped
        to project config('service-tenant') created in SERVICE_DOMAIN. This
        ensures that if you have a deployment with end-user access to assign
        roles within their own domains they will not gain privileged access
        simply by assigning the service role to one of their own users.

        Allow users authorized by rule:service_role to perform
        identity:list_projects. This is required to allow Ceilometer
        to operate without Admin privileges.

        Services are given a user in project config('service-tenant') in
        SERVICE_DOMAIN for v3 authentication / authorization. As of Mitaka
        Keystone v3 policy the 'service' role is sufficient for services to
        validate tokens.

        Services are also given a user in project config('service-tenant') in
        DEFAULT_DOMAIN to support services still configured with v2.0
        authentication / authorization.

        This will allow us to transition from v2.0 based authentication /
        authorization and existing services and charms will continue to
        operate as before. This will also allow the end-user to roll their
        deployment up to api_version 3 and back to api_version 2 as needed.

        Services and charms that have made the transition to fully use the
        v3 API for authentication and authorization will gain full access to
        domains and projects across the deployment. The first charm to make
        use of this is charm-ceilometer.

        Closes-Bug: 1636098
        Change-Id: If1518029c43476a5e14bf94596197eabe663499c
2023-07-05 19:45:56  Corey Bryant  description

Old value: identical to the 19:34:43 new value above.

New value:

While testing the service token support I noticed that the following command was returning a different uuid than the one configured in the various services' [service_user] config section:

    openstack user show --domain service_domain -f value -c id nova

The reason is that charm-keystone creates two service users, one for the service_domain, and the other for the Default domain. [1] This is expected as can be seen by the commit that introduced them [2]. That commit introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization.

What we have now:

    [service_user]
    send_service_user_token = true
    auth_type = password
    auth_url = https://10.5.1.189:35357
    project_domain_id = default
    user_domain_id = default
    project_name = services
    username = cinderv3
    password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT

What we should have:

    [service_user]
    send_service_user_token = true
    auth_type = password
    auth_url = https://10.5.1.189:35357
    project_domain_name = service_domain
    user_domain_name = service_domain
    project_name = services
    username = cinderv3
    password = y429YLBM9yLF5fXs9sfSxMWGggcmGsH4mJTYSBgkwRh7FNTp92WxcMbM4ZjwHwFT

[1] charm-keystone creates two services users/projects, one for the service_domain, and the other for the Default domain

    root@f1:~# openstack user list --domain service_domain
    +----------------------------------+-----------+
    | ID                               | Name      |
    +----------------------------------+-----------+
    | b14d94f1594743198d1c7c3be722a1c4 | nova      |
    | 5ce32364e6a043ad9642f747a2e380de | glance    |
    | 0ae3b2494e7d4918956ef44852a8a604 | cinderv3  |
    | ed3ba0b081e641d0906d517ca99c37ff | placement |
    | ad43075877b0422999f7971f2ca772b1 | neutron   |
    +----------------------------------+-----------+

    root@f1:~# openstack user list --domain Default
    +----------------------------------+-----------------------+
    | ID                               | Name                  |
    +----------------------------------+-----------------------+
    | 2a93390dae55464cbec6e6e0e7a98734 | _charm-keystone-admin |
    | 1eabe59fe8f54e24a503213de7c06ec2 | nova                  |
    | 6fd21eba472b4451a261625aefd79cbc | glance                |
    | b72ef27dd14d409ba8341b565ea718fb | cinderv3              |
    | 9298849a6c694e079111a3ccab8e9c25 | placement             |
    | 5d4e45bdfa8a4a738689ab6cb0576f33 | neutron               |
+----------------------------------+-----------------------+ root@f1:~# openstack project list +----------------------------------+--------------------------------------------------+ | ID | Name | +----------------------------------+--------------------------------------------------+ | 2e2dfd384b3c475db46829300cbbbf96 | admin | | 605138c74dca4d56a6dec2c6d897b5aa | services | | 9f2c31fb6eda4272acd552d73fe0c703 | tempest-TrafficOperationsScenarioTest-1073829527 | | b51818605b4d4ef78f44f53c43830e0c | services | | c8126e3e9461487abe790371304d304b | demoProject | | fdb19396eb664734bb2804f2d4df12ed | admin | +----------------------------------+--------------------------------------------------+ root@f1:~# openstack project show 605138c74dca4d56a6dec2c6d897b5aa +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Created by Juju | | domain_id | 5729b883ec844bc78c7c050fd4e0826e | | enabled | True | | id | 605138c74dca4d56a6dec2c6d897b5aa | | is_domain | False | | name | services | | options | {} | | parent_id | 5729b883ec844bc78c7c050fd4e0826e | | tags | [] | +-------------+----------------------------------+ root@f1:~# openstack domain list +----------------------------------+----------------+---------+--------------------+ | ID | Name | Enabled | Description | +----------------------------------+----------------+---------+--------------------+ | 5009f8b773f74d608ecf029e1a070186 | admin_domain | True | Created by Juju | | 5729b883ec844bc78c7c050fd4e0826e | service_domain | True | Created by Juju | | 7c8dbe4036d5479b9ca82328008e147e | demoDomain | True | Demo Domain | | default | Default | True | The default domain | +----------------------------------+----------------+---------+--------------------+ root@f1:~# openstack project show b51818605b4d4ef78f44f53c43830e0c +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | 
description | Created by Juju | | domain_id | default | | enabled | True | | id | b51818605b4d4ef78f44f53c43830e0c | | is_domain | False | | name | services | | options | {} | | parent_id | default | | tags | [] | +-------------+----------------------------------+ These are created in charm-keystone/hooks/keystone_utils.py at: 1641 def _ensure_initial_admin(config): 1642 ... 1653 if get_api_version() > 2: 1654 ... 1661 create_tenant(config("service-tenant"), SERVICE_DOMAIN) 1662 ... 1666 ... 1667 create_tenant(config("service-tenant"), DEFAULT_DOMAIN) [2] Commit that introduced 2 service users, one in project config('service-tenant') in SERVICE_DOMAIN for v3 authentication / authorization, and another in user in project config('service-tenant') in DEFAULT_DOMAIN to support services still configured with v2.0 authentication / authorization. commit 5de1770931e886732870da1909f08279a0b804b4 Author: Frode Nordahl <frode.nordahl@canonical.com> Date: Wed Nov 2 13:21:07 2016 +0100     Create service credentials in SERVICE_DOMAIN     Cleanup code that references users, projects or domains without     necessary scoping or filtering throughout the charm. Add logging     of domain name in contexts where this is relevant.     Tighten rule:service_role to require role:service and token scoped     to project config('service-tenant') created in SERVICE_DOMAIN. This     ensures that if you have a deployment with end-user access to assign     roles within their own domains they will not gain privileged access     simply by assigning the service role to one of their own users.     Allow users authorized by rule:service_role to perform     identity:list_projects. This is required to allow Ceilometer     to operate without Admin privileges.     Services are given a user in project config('service-tenant') in     SERVICE_DOMAIN for v3 authentication / authorization. As of Mitaka     Keystone v3 policy the 'service' role is sufficient for services to     validate tokens.     
Services are also given a user in project config('service-tenant') in     DEFAULT_DOMAIN to support services still configured with v2.0     authentication / authorization.     This will allow us to transition from v2.0 based authentication /     authorization and existing services and charms will continue to     operate as before. This will also allow the end-user to roll their     deployment up to api_version 3 and back to api_version 2 as needed.     Services and charms that has made the transition to fully use the     v3 API for authentication and authorization will gain full access to     domains and projects across the deployment. The first charm to make     use of this is charm-ceilometer.     Closes-Bug: 1636098     Change-Id: If1518029c43476a5e14bf94596197eabe663499c
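Added example (not charm-keystone's code nor the reporter's) that lints a service's [service_user] section for the domain mix-up described in this report and rewrites it into the "what we should have" form. The sample config and the service_domain id are taken from the values shown above; the password is a placeholder.

```python
import configparser
import io

# Values taken from the 'openstack domain list' output in the report above.
SERVICE_DOMAIN_NAME = "service_domain"
SERVICE_DOMAIN_ID = "5729b883ec844bc78c7c050fd4e0826e"

# Constructed sample: the "what we have now" section, password replaced by a placeholder.
CURRENT_CONF = """[service_user]
send_service_user_token = true
auth_type = password
auth_url = https://10.5.1.189:35357
project_domain_id = default
user_domain_id = default
project_name = services
username = cinderv3
password = <placeholder>
"""


def service_user_findings(conf_text, domain_name=SERVICE_DOMAIN_NAME,
                          domain_id=SERVICE_DOMAIN_ID):
    """Return problems found in [service_user]; [] means it is scoped to the service domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("service_user"):
        return ["no [service_user] section"]
    sec = cp["service_user"]
    findings = []
    if sec.get("send_service_user_token", "false").lower() != "true":
        findings.append("send_service_user_token is not enabled")
    for scope in ("project", "user"):
        # Either *_domain_name or *_domain_id may be used; accept the service
        # domain in either form and flag the Default domain (the v2.0-era user).
        name, ident = sec.get(f"{scope}_domain_name"), sec.get(f"{scope}_domain_id")
        if name == domain_name or ident == domain_id:
            continue
        if name in (None, "Default") and ident in (None, "default"):
            findings.append(f"{scope} domain is Default, not {domain_name}")
        else:
            findings.append(f"{scope} domain {name or ident!r} is not {domain_name}")
    return findings


def rescope_to_service_domain(conf_text, domain_name=SERVICE_DOMAIN_NAME):
    """Rewrite [service_user]: drop *_domain_id keys, set *_domain_name to the service domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for scope in ("project", "user"):
        cp.remove_option("service_user", f"{scope}_domain_id")
        cp.set("service_user", f"{scope}_domain_name", domain_name)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```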
2023-07-05 23:18:52 Nobuto Murata bug added subscriber Nobuto Murata