Juniper Openstack

Cannot authenticate as admin from non-default domain in Keystone v3

Series r3.0
Bug #1551606

Bug #1551606 reported by Jakub Pavlik on 2016-03-01

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Juniper Openstack	Status tracked in Trunk
R2.20	Fix Committed	Undecided	Jakub Pavlik	Juniper Openstack r2.23 "r2.23"
R2.21.x	In Progress	Undecided	Jakub Pavlik
R2.22.x	Fix Committed	Undecided	Jakub Pavlik	Juniper Openstack r2.22.2
R3.0	Fix Committed	Undecided	Jakub Pavlik	Juniper Openstack r3.0.2.0
Trunk	Fix Committed	Undecided	Jakub Pavlik

Bug Description

User is not able authenticate with admin role from non-default domain. All logs reports authentication required.

2016-02-26T11:33:08.854Z - error: URL [http://172.10.10.151:9100/domains] returned error ["Authentication required"]

keystone logs shows following

2016-02-28 16:08:00.373 2402 INFO keystone.common.wsgi [req-6b6e5484-260b-4e10-a1ee-3667b21c2e14 - - - - -] GET http://172.10.10.151:35357/v2.0/tokens/9b872ace1232449cb39672d0e24fefc3
2016-02-28 16:08:00.378 2402 WARNING keystone.common.wsgi [req-6b6e5484-260b-4e10-a1ee-3667b21c2e14 - - - - -] Authorization failed. The request you have made requires authentication. from $72.10.10.151
2016-02-28 16:08:00.380 2402 INFO eventlet.wsgi.server [req-6b6e5484-260b-4e10-a1ee-3667b21c2e14 - - - - -] 172.10.10.151 - - [28/Feb/2016 16:08:00] "GET /v2.0/tokens/9b872ace1232449cb39672$0e24fefc3 HTTP/1.1" 401 428 0.015464

contrail tries to ask on v2.0 instead of v3. This can shows why default admin works.

root@openstack-single-stg-ctl01:~# contrail-api-cli --os-user-name new-user --os-password password --os-auth-plugin v3password --host 172.10.10.151 --insecure --os-auth-url http://172.10.10.151:5000/v3 --os-user-domain-name new-domain shell
Authentication required (HTTP 401)

It really seems that he callback v2.0 and keystone log says

2016-02-28 16:30:04.426 8552 WARNING keystone.common.wsgi [req-c5e3780b-19e6-488d-b9aa-8e4efd0a152c - - - - -] Authorization failed. Non-default domain is not supported (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from 172.10.10.151

Tags:

Jakub Pavlik (pavlk-jakub) on 2016-03-01

information type:

Proprietary → Public

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-03-01: [Review update] master

Review in progress for https://review.opencontrail.org/18055
Submitter: Jakub Pavlik (<email address hidden>)

Jakub Pavlik (pavlk-jakub) on 2016-03-01

Changed in juniperopenstack:
assignee:	nobody → Jakub Pavlik (pavlk-jakub)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-03-01: [Review update] R3.0

Review in progress for https://review.opencontrail.org/18058
Submitter: Jakub Pavlik (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-03-01: [Review update] R2.21.x

Review in progress for https://review.opencontrail.org/18059
Submitter: Jakub Pavlik (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-03-01: [Review update] master

Review in progress for https://review.opencontrail.org/18055
Submitter: Jakub Pavlik (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-03-01: A change has been merged

Reviewed: https://review.opencontrail.org/18055
Committed: http://github.org/Juniper/contrail-controller/commit/cc4066cdc2910251ca7581b5ea7016566fc52fb2
Submitter: Zuul
Branch: master

commit cc4066cdc2910251ca7581b5ea7016566fc52fb2
Author: Jakub Pavlik <email address hidden>
Date: Tue Mar 1 09:32:43 2016 +0100

Fix for admin authentication from non-default domain in Keystone v3

Closes-Bug: #1551606
Change-Id: I831e206b06a7ae96fe43edd15e2b8fc63f93283e

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-03-09: [Review update] R2.20

#10

Review in progress for https://review.opencontrail.org/18280
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-19: A change has been merged

#12

Reviewed: https://review.opencontrail.org/18280
Committed: http://github.org/Juniper/contrail-controller/commit/de80c1ea804283a1882946e280009fa3ac1e61b9
Submitter: Zuul
Branch: R2.20

commit de80c1ea804283a1882946e280009fa3ac1e61b9
Author: Jakub Pavlik <email address hidden>
Date: Tue Mar 1 09:32:43 2016 +0100

Fix for admin authentication from non-default domain in Keystone v3

Closes-Bug: #1551606
Change-Id: I831e206b06a7ae96fe43edd15e2b8fc63f93283e
(cherry picked from commit cc4066cdc2910251ca7581b5ea7016566fc52fb2)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-19: [Review update] R3.0

#13

Review in progress for https://review.opencontrail.org/18058
Submitter: Jakub Pavlik (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-20: [Review update] R2.21.x

#15

Review in progress for https://review.opencontrail.org/18059
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-20: [Review update] R2.22.x

#17

Review in progress for https://review.opencontrail.org/19479
Submitter: Biswajit Mandal (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-25: A change has been merged

#19

Reviewed: https://review.opencontrail.org/18058
Committed: http://github.org/Juniper/contrail-controller/commit/d3206c790da923f809f2aadd3f5c347c90bef6d6
Submitter: Zuul
Branch: R3.0

commit d3206c790da923f809f2aadd3f5c347c90bef6d6
Author: Jakub Pavlik <email address hidden>
Date: Tue Apr 19 18:03:28 2016 +0200

Fix for admin authentication from non-default domain in Keystone v3.
Tested and verified against latest Contrail 3.0 build.

Closes-Bug: #1551606
Change-Id: I831e206b06a7ae96fe43edd15e2b8fc63f93283e

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-04-26:

#20

Reviewed: https://review.opencontrail.org/19479
Committed: http://github.org/Juniper/contrail-controller/commit/465ff99ee0a90c9be6c0f3c8159f8e90cfa3a10e
Submitter: Zuul
Branch: R2.22.x

commit 465ff99ee0a90c9be6c0f3c8159f8e90cfa3a10e
Author: Jakub Pavlik <email address hidden>
Date: Tue Mar 1 09:32:43 2016 +0100

Fix for admin authentication from non-default domain in Keystone v3

Closes-Bug: #1551606
Change-Id: I831e206b06a7ae96fe43edd15e2b8fc63f93283e
(cherry picked from commit cc4066cdc2910251ca7581b5ea7016566fc52fb2)

Tony Liu (taoliu-7) on 2016-05-18

tags:

added: ves

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.