heat domain setup fails with keystone using self signed certs

Bug #1579612 reported by Michael Gale
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Medium
Assigned to: Nate Graf

Bug Description

- Using liberty
- tag 12.0.12
- Doing AIO install with horizon and keystone set to SSL

My user_variables.yml was altered with the following:
--snip--
horizon_ssl: true
horizon_user_ssl_cert: <my_cert_info>
horizon_user_ssl_key: <my_cert_info>
horizon_user_ssl_ca_cert: <my_cert_info>

keystone_ssl: true
keystone_service_adminuri_insecure: true
keystone_service_internaluri_insecure: true

keystone_service_publicuri_proto: 'https'
keystone_service_adminuri_proto: 'https'
keystone_service_internaluri_proto: 'https'

--snip--

If keystone is set up with SSL and self-signed certs, then openstack_openrc/templates/openrc adds the insecure flag to commands and aliases.

However, in roles/os_heat/tasks/heat_domain_setup.yml the openstack command-line client is used with an absolute path, which bypasses the 'openstack --insecure' alias set up in the openrc file, causing Heat setup to fail.

roles/os_heat/tasks/heat_domain_setup.yml: lines 55 to 100
--snip--
# TODO Change the keystone library to support adding
# a user to a domain without specifying a project
- name: Ensure heat user
  shell: |
    . {{ ansible_env.HOME }}/openrc
    {{ heat_bin }}/openstack \
              --os-identity-api-version=3 \
              --os-auth-url={{ keystone_service_adminurl }} \
              --os-project-name={{ heat_project_name }} \
              --os-project-domain-name={{ heat_project_domain_name }} \
              --os-user-domain-name={{ heat_user_domain_name }} \
              user \
              create \
              --or-show \
              --domain {{ heat_stack_user_domain_name }} \
              --password {{ heat_stack_domain_admin_password }} \
              "{{ heat_stack_domain_admin }}"
  tags:
    - heat-domain
    - heat-domain-setup
    - heat-config
    - heat-command-bin
--snip--
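
The alias bypass the report describes can be reproduced without a real cloud. This is an added example, not code from the bug report or from openstack-ansible: a stub `openstack` script that echoes its arguments stands in for the client, and a constructed openrc contains only an alias line mirroring what the report says the template adds. It shows why a TLS setting carried by a shell alias silently disappears when a task calls the binary by absolute path, which is the fragility the merged fix removed by not shelling out at all.

```shell
#!/bin/bash
# Added example (not from the bug report): reproduce the openrc alias bypass.
# Stub client, constructed openrc, then invoke by bare name and by absolute path.

# Create a throwaway bin dir holding a stub "openstack" that prints its argv.
make_stub_client() {
  local bindir
  bindir=$(mktemp -d)
  printf '#!/bin/sh\necho "$@"\n' > "$bindir/openstack"
  chmod +x "$bindir/openstack"
  echo "$bindir"
}

# Write a constructed openrc with only the alias line under discussion.
make_openrc() {
  local rc
  rc=$(mktemp)
  printf "alias openstack='openstack --insecure'\n" > "$rc"
  echo "$rc"
}

# $1: "by-name" or "by-path"; $2: stub bin dir; $3: openrc path.
# Prints the argv the stub actually received. Aliases are expanded when a
# line is parsed, so the rc is sourced on its own line in a fresh bash with
# alias expansion enabled, as a sourced script line would be handled.
run_client() {
  bash -c '
    shopt -s expand_aliases
    PATH="$1:$PATH"
    . "$2"
    if [ "$3" = by-name ]; then
      openstack user create demo        # alias applies: --insecure is injected
    else
      "$1"/openstack user create demo   # absolute path: alias is bypassed
    fi
  ' _ "$2" "$3" "$1"
}

# Stand-alone demo of both invocations.
main() {
  local bindir rc
  bindir=$(make_stub_client)
  rc=$(make_openrc)
  echo "by name: $(run_client by-name "$bindir" "$rc")"
  echo "by path: $(run_client by-path "$bindir" "$rc")"
}
main
```

The second line of output lacks `--insecure`, which is exactly what the task in the report ends up running against a self-signed Keystone endpoint.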

Changed in openstack-ansible:
status: New → Confirmed
milestone: none → newton-1
importance: Undecided → Medium
assignee: nobody → Jimmy McCrory (jimmy-mccrory)
Changed in openstack-ansible:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/314769

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-plugins (master)

Reviewed: https://review.openstack.org/314761
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-plugins/commit/?id=2e1492a127923a79ef3189433c4134df98c22502
Submitter: Jenkins
Branch: master

commit 2e1492a127923a79ef3189433c4134df98c22502
Author: Jimmy McCrory <email address hidden>
Date: Tue May 10 13:26:25 2016 -0700

    Support users without projects in keystone library

    Update the ensure_user and ensure_user_role commands and dependent
    functions to allow creation of and role assignment to a user without
    specifying a project.

    This will allow use of the keystone library for creating users, such as
    the heat stack admin, within only a domain.

    Partial-Bug: 1579612
    Change-Id: I0e4c51e772f61d4879716b7b5dbe5c8211cea901

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-plugins (master)

Fix proposed to branch: master
Review: https://review.openstack.org/315227

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-plugins (master)

Reviewed: https://review.openstack.org/315227
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-plugins/commit/?id=07d600dcff3aa699a32c5f7b049e54016d53919a
Submitter: Jenkins
Branch: master

commit 07d600dcff3aa699a32c5f7b049e54016d53919a
Author: Jimmy McCrory <email address hidden>
Date: Tue May 10 13:26:25 2016 -0700

    Support users without projects in keystone library

    Update the ensure_user, ensure_user_role, and ensure_group_role commands
    and dependent functions to allow creation of and role assignment to a
    user without specifying a project.
    This will allow use of the keystone library for creating users, such as
    the heat stack admin, within only a domain.

    Since a role can only get granted to either a project or domain at one
    time, only attempt to grant the role within the project if both are
    provided.

    Notifications of state changes for the ensure role commands have also
    been fixed.

    Partial-Bug: 1579612
    Change-Id: I6a132e5407c9881a047037b85bd6e25b85c0d8a1

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_heat (master)

Reviewed: https://review.openstack.org/314769
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_heat/commit/?id=b45b74eb4f3fe4f4dd7539ad99fcde4d383ffd72
Submitter: Jenkins
Branch: master

commit b45b74eb4f3fe4f4dd7539ad99fcde4d383ffd72
Author: Jimmy McCrory <email address hidden>
Date: Tue May 10 13:41:27 2016 -0700

    Use keystone library for heat_stack_domain_admin

    The keystone library has been updated to support adding a user to a
    domain and assigning a role without specifying a project.
    Use it instead of shelling out to the openstackclient.

    Closes-Bug: 1579612
    Depends-On: I6a132e5407c9881a047037b85bd6e25b85c0d8a1
    Change-Id: I2659f0496528c29e036c459494a463182e69599d

Changed in openstack-ansible:
status: In Progress → Fix Released
Revision history for this message
Bjoern (bjoern-t) wrote :

All releases until Liberty are affected, why has this issue not been backported?

Revision history for this message
Jesse Pretorius (jesse-pretorius) wrote :

@Bjoern This caters for an edge case where self-signed certificates are used on the Keystone *Admin* Endpoint. If this is important to you then you're welcome to propose the backport for consideration.

Revision history for this message
Thierry Carrez (ttx) wrote : Fix included in openstack/openstack-ansible-os_heat 14.0.0.0b1

This issue was fixed in the openstack/openstack-ansible-os_heat 14.0.0.0b1 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-plugins (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/331343

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-plugins (stable/mitaka)

Reviewed: https://review.openstack.org/331343
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-plugins/commit/?id=eba2d7fe08c624904bdd9d272353d3d730fd0156
Submitter: Jenkins
Branch: stable/mitaka

commit eba2d7fe08c624904bdd9d272353d3d730fd0156
Author: Jimmy McCrory <email address hidden>
Date: Tue May 10 13:26:25 2016 -0700

    Support users without projects in keystone library

    Update the ensure_user, ensure_user_role, and ensure_group_role commands
    and dependent functions to allow creation of and role assignment to a
    user without specifying a project.
    This will allow use of the keystone library for creating users, such as
    the heat stack admin, within only a domain.

    Since a role can only get granted to either a project or domain at one
    time, only attempt to grant the role within the project if both are
    provided.

    Notifications of state changes for the ensure role commands have also
    been fixed.

    Partial-Bug: 1579612
    Change-Id: I6a132e5407c9881a047037b85bd6e25b85c0d8a1
    (cherry picked from commit 07d600dcff3aa699a32c5f7b049e54016d53919a)

tags: added: in-stable-mitaka
Revision history for this message
Miguel Alejandro Cantu (miguel-cantu) wrote :

I couldn't change the assigned person on this bug for some reason, but a couple of us here in the castle are going to work on backporting this to liberty.

Changed in openstack-ansible:
assignee: Jimmy McCrory (jimmy-mccrory) → Miguel Alejandro Cantu (miguel-cantu)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (liberty)

Fix proposed to branch: liberty
Review: https://review.openstack.org/347564

Nate Graf (nate-graf)
Changed in openstack-ansible:
assignee: Miguel Alejandro Cantu (miguel-cantu) → nobody
assignee: nobody → Nate Graf (nate-graf)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: liberty
Review: https://review.openstack.org/348330

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_heat (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/348964

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (liberty)

Reviewed: https://review.openstack.org/347564
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=9564b9cec6a9ef7fa024e8de674f28ece76affaf
Submitter: Jenkins
Branch: liberty

commit 9564b9cec6a9ef7fa024e8de674f28ece76affaf
Author: Nate Graf <email address hidden>
Date: Tue Jul 26 22:02:48 2016 +0000

    Support users without projects in keystone library

    Update the ensure_user, ensure_user_role, and ensure_group_role commands
    and dependent functions to allow creation of and role assignment to a
    user without specifying a project.
    This will allow use of the keystone library for creating users, such as
    the heat stack admin, within only a domain.

    Since a role can only get granted to either a project or domain at one
    time, only attempt to grant the role within the project if both are
    provided.

    Notifications of state changes for the ensure role commands have also
    been fixed.

    Backport for change I6a132e5407c9881a047037b85bd6e25b85c0d8a1

    Partial-Bug: 1579612
    Change-Id: If515ec94e980365ebd38781498ee541df2f3d431

tags: added: in-liberty
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_heat (stable/mitaka)

Reviewed: https://review.openstack.org/348964
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_heat/commit/?id=f1023388994dd183987fcc75ca365de1710dfc49
Submitter: Jenkins
Branch: stable/mitaka

commit f1023388994dd183987fcc75ca365de1710dfc49
Author: Jimmy McCrory <email address hidden>
Date: Tue May 10 13:41:27 2016 -0700

    Use keystone library for heat_stack_domain_admin

    The keystone library has been updated to support adding a user to a
    domain and assigning a role without specifying a project.
    Use it instead of shelling out to the openstackclient.

    Closes-Bug: 1579612
    Depends-On: I6a132e5407c9881a047037b85bd6e25b85c0d8a1
    Change-Id: I2659f0496528c29e036c459494a463182e69599d
    (cherry picked from commit b45b74eb4f3fe4f4dd7539ad99fcde4d383ffd72)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (liberty)

Reviewed: https://review.openstack.org/348330
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=da8c5e2ec0294064349bfd14417bfb307a322447
Submitter: Jenkins
Branch: liberty

commit da8c5e2ec0294064349bfd14417bfb307a322447
Author: Nate Graf <email address hidden>
Date: Thu Jul 28 13:49:58 2016 +0000

    Use keystone library for heat_stack_domain_admin

    The keystone library has been updated to support adding a user to a
    domain and assigning a role without specifying a project.
    Use it instead of shelling out to the openstackclient.

    Backport for change I2659f0496528c29e036c459494a463182e69599d

    Closes-Bug: 1579612
    Depends-On: If515ec94e980365ebd38781498ee541df2f3d431
    Change-Id: I79ac6820c03ddbb2df33d123bddfa917613f033d

Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 12.2.1

This issue was fixed in the openstack/openstack-ansible 12.2.1 release.

Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible-os_heat 13.3.2

This issue was fixed in the openstack/openstack-ansible-os_heat 13.3.2 release.
