Monasca Agent does not support users from domains other than 'Default'

I have prepared a fix in my fork (jobrs). I am unsure about populating with X-Auth-* header fields when there is no token (monascaclient.common.http.HTTPClient._credentials_headers()): . Is this part of the code really used?

The kwargs passed into monascaclient.common.http for HTTPClient are used to re_authenticate with keystone (using ksclient) when a token expiration exception is received. See the __init__ and re_authenticate methods.

Not sure if I got you right. My question was about the username/password being written to the HTTP headers (X-Auth-User/Key).

My impression is that this never happens since Keystone returns a token and that is what is passed to the API, so that actually there will never we X-Auth-User/Key headers.

But: If that assumption is wrong, then I would expect that in addition to X-Auth-User/Key, also the domain has to be passed in the HTTP header as part of the credentials_headers() implementation. See also Heat's "http.py" variant of credentials_headers () here: https://github.com/openstack/python-heatclient/blob/master/heatclient/common/http.py.

I will submit a pull-request with my changes today.

https://review.openstack.org/#/c/199564/

https://review.openstack.org/#/q/I8574fa3d393dc7a2c9d0470cbf7b9e819a3be0cc,n,z

Initial review of your pull request (note you need to do a git gerrit review in stack forge/openstack). The code in monascaclient/kslicent.py needs a change. domain id and domain name are optional fields (along with project id) - see the shell.py where they are set. This should be tested as project id is above the else for username and password.

I am researching all of the valid keystone v3 options. Documentation says you can still use project id, you can use domain id, and domain name, and you can use a mixture of project id and domain id. We need to test that all of these options work with your code changes.

My understanding of the keystone V3 concept is that the 'user_domain' is integral part of the username (defaulting to 'Default' to permit V2 backwards compatibility) --> user_domain = namespace for usernames / authentication scope.

This is different to 'project' and 'domain' scope: They are about authorization scope ("scoping") and are mutually exclusive. Currently domain scoping seems not to be supported by the monascaclient so far and I did not attempt change this.

So I was hoping that my additions can only have limited side effects.

Would you have a kind of test suite which I could extend to include user domains?
----------------
These are the resources I used to understand the concept:
https://github.com/openstack/python-keystoneclient/blob/stable/kilo/keystoneclient/httpclient.py
http://developer.openstack.org/api-ref-identity-v3.html

The most important statement in the documentation was this one:
"Provide one of the following sets of credentials to authenticate:
User ID and password,
user name and password scoped by domain ID or name,
user ID and password scoped by project ID or name with or without domain scope,
or token."

Probably this class needs an extension: monascaclient.tests.fakes.FakeKeystone

Reviewed: https://review.openstack.org/199564
Committed: https://git.openstack.org/cgit/stackforge/python-monascaclient/commit/?id=6e428c4614265e88bb9112fda4ae452cdaf3a6ab
Submitter: Jenkins
Branch: master

commit 6e428c4614265e88bb9112fda4ae452cdaf3a6ab
Author: Joachim Barheine <email address hidden>
Date: Mon Jul 6 16:28:35 2015 +0000

    support users in domains other than Default (KSv3)

    Closes-Bug: 1471882

    Change-Id: I8574fa3d393dc7a2c9d0470cbf7b9e819a3be0cc

Reviewed: https://review.openstack.org/199632
Committed: https://git.openstack.org/cgit/stackforge/monasca-agent/commit/?id=36f3582da8520ba74cd2132700e914176019ad58
Submitter: Jenkins
Branch: master

commit 36f3582da8520ba74cd2132700e914176019ad58
Author: Joachim Barheine <email address hidden>
Date: Mon Jul 6 16:30:09 2015 +0000

    add support for (user-) domain_id/name

    Closes-Bug: 1471882
    Change-Id: I8574fa3d393dc7a2c9d0470cbf7b9e819a3be0cc

monasca-setup parameters --user_domain_* are dropped because they have not been listed in agent.yaml.template.

agent.yaml.template yet needs to be extended