Service accounts duplicated in domains, causes some heat stack actions to fail
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Gnocchi Charm | Triaged | Medium | Unassigned |
OpenStack AODH Charm | Fix Released | Medium | Unassigned |
OpenStack Base Layer | Fix Released | Medium | Unassigned |
Bug Description
On building Gnocchi and Aodh, the user account for the services is created both in 'default' domain plus the 'service_domain', and a project 'services' rather than 'service' (the default).
This causes a few issues, noticed in our case when rolling a heat stack that includes gnocchi based aodh alarms:
openstack stack create --wait -t web.yaml test1
2018-06-11 21:56:01Z [test1]: CREATE_IN_PROGRESS Stack CREATE started
2018-06-11 21:56:02Z [test1.
2018-06-11 21:56:03Z [test1.router]: CREATE_IN_PROGRESS state changed
2018-06-11 21:56:03Z [test1.router]: CREATE_FAILED StackValidation
2018-06-11 21:56:03Z [test1]: CREATE_FAILED Resource CREATE failed: StackValidation
2018-06-11 21:56:05Z [test1.
2018-06-11 21:56:05Z [test1]: CREATE_FAILED Resource CREATE failed: ClientException: resources.
Stack test1 CREATE_FAILED
Refer to https:/
In aodh.conf:
[api]
gnocchi_
Changed in charm-aodh:
status: New → Fix Committed
importance: Undecided → Medium
Changed in layer-openstack:
status: New → Fix Committed
importance: Undecided → Medium
Changed in charm-gnocchi:
status: New → Triaged
importance: Undecided → Medium
Changed in charm-aodh:
milestone: none → 18.08
Changed in layer-openstack:
milestone: none → 18.08
Changed in charm-aodh:
status: Fix Committed → Fix Released
Changed in layer-openstack:
status: Fix Committed → Fix Released
Additionally, we find the following are needed in aodh.conf in order to overcome the lack of specifics with the config where we have a services_domain and 'default' domain.
[service_credentials]
project_domain_name = service_domain
user_domain_name = service_domain
From another layer, we also have ./templates/parts/section-keystone-authtoken which needs:
[keystone_authtoken]
project_domain_name = service_domain
project_domain_name = service_domain
user_domain_name = service_domain
Currently that section is set to 'default'.
If we didn't add all the services to both the 'default' and the 'services_domain' I wonder if we'd have had such a problem?
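A check for the settings discussed in the comment above, as an added example that is not code from the charms or from this bug thread. The function name `audit_domains` is hypothetical, the sample configuration is constructed, and the expected domain name `service_domain` is taken from the comment.

```python
import configparser

# Sections and keys named in the comment above.
SECTIONS = ("service_credentials", "keystone_authtoken")
KEYS = ("project_domain_name", "user_domain_name")


def audit_domains(conf_text, expected_domain="service_domain"):
    """Return (section, key, found_value) for every audited setting that is
    missing (found_value is None) or differs from expected_domain."""
    # default_section is renamed so values in an oslo-style [DEFAULT]
    # section are not silently inherited by the sections being audited.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__"
    )
    parser.read_string(conf_text)
    findings = []
    for section in SECTIONS:
        for key in KEYS:
            # fallback=None covers both a missing section and a missing key.
            value = parser.get(section, key, fallback=None)
            if value is not None:
                value = value.strip().strip("'\"")
            if value != expected_domain:
                findings.append((section, key, value))
    return findings


# Constructed sample: [keystone_authtoken] still points at 'default',
# the state the comment describes for the template from the other layer.
SAMPLE_CONF = """\
[DEFAULT]
debug = False

[service_credentials]
project_domain_name = service_domain
user_domain_name = service_domain

[keystone_authtoken]
project_domain_name = default
user_domain_name = default
"""

if __name__ == "__main__":
    for section, key, value in audit_domains(SAMPLE_CONF):
        print(f"[{section}] {key} = {value!r} (expected 'service_domain')")
```
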