yahoo-eng-team team mailing list archive

[Bug 1362181] [NEW] Multi-domain has problems with domain drivers

 

Public bug reported:

My Environment
--------------
I've installed RDO OpenStack Icehouse, then I've upgraded to keystone-2014.2.b2 from the Launchpad tarball. I'm using SQL (not LDAP). With the standard installation, we have only 1 domain, the "default" domain. I did not configure anything more.

What I want to achieve
----------------------
Now, I want to configure the multi-domain feature on Keystone Juno 2, and I'm following the official documentation: http://docs.openstack.org/developer/keystone/configuration.html#domain-specific-drivers

The problem
------------
If I execute this command:

$ curl --insecure -H "X-Auth-Token:ADMIN" http://localhost:5000/v3/users

OK, no problems, Keystone returns the JSON user list. Now, I'll
configure the multi-domain feature.

1.- Edit /etc/keystone/keystone.conf file like

- # domain_specific_drivers_enabled=False
+ domain_specific_drivers_enabled=True
- # domain_config_dir=/etc/keystone/domains
+ domain_config_dir=/etc/keystone/domains

2.- Create default domain file.

2.1 cd /etc/keystone; mkdir domains; chown keystone:keystone domains; cd domains;
2.2 vim keystone.default.conf

[identity]
driver = keystone.identity.backends.sql.Identity

[ldap]

2.3 chown keystone:keystone keystone.default.conf

3.- service openstack-keystone restart

Now, if I try the same curl command, I obtain this error:

$ curl --insecure -H "X-Auth-Token:ADMIN" http://localhost:5000/v3/users
{
    "error": {
        "code": 401,
        "message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)",
        "title": "Unauthorized"
    }
}


And, in the log file, I have 3 different errors:

2014-08-27 15:25:43.669 23078 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.6/site-packages/keystone/middleware/core.py:286
2014-08-27 15:25:43.764 23078 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.6/site-packages/keystone/common/wsgi.py:181
2014-08-27 15:25:43.765 23078 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
2014-08-27 15:25:48.051 23078 DEBUG oslo.db.sqlalchemy.session [-] MySQL server mode set to STRICT_TRANS_TABLES,STRICT_ALL_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,TRADITIONAL,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION _mysql_check_effective_sql_mode /usr/lib/python2.6/site-packages/oslo/db/sqlalchemy/session.py:401
2014-08-27 15:25:48.081 23078 WARNING keystone.common.controller [-] Invalid token found while getting domain ID for list request
2014-08-27 15:25:48.084 23078 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from 127.0.0.1
2014-08-27 15:25:48.090 23078 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [27/Aug/2014 15:25:48] "GET /v3/users HTTP/1.1" 401 357 4.421301

And some seconds later, keystone raises this error:

2014-08-27 15:26:35.707 23078 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.6/site-packages/keystone/middleware/core.py:276
2014-08-27 15:26:35.731 23078 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.6/site-packages/keystone/common/wsgi.py:181
2014-08-27 15:26:35.741 23078 ERROR keystone.common.wsgi [-] object.__init__() takes no parameters
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 212, in __call__
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi     result = method(context, **params)
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/controllers.py", line 99, in authenticate
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi     context, auth)
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/controllers.py", line 279, in _authenticate_local
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi     username, CONF.identity.default_domain_id)
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/identity/core.py", line 181, in wrapper
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi     self.driver, self.assignment_api)
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/identity/core.py", line 137, in setup_domain_drivers
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi     -len(DOMAIN_CONF_FTAIL)])
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/identity/core.py", line 116, in _load_config
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi     self._load_driver(assignment_api, domain)
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/identity/core.py", line 93, in _load_driver
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi     domain_config['cfg'].identity.driver, domain_config['cfg']))
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/openstack/common/importutils.py", line 38, in import_object
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi     return import_class(import_str)(*args, **kwargs)
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/dependency.py", line 166, in wrapper
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi     self.__wrapped_init__(*args, **kwargs)
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi TypeError: object.__init__() takes no parameters
2014-08-27 15:26:35.741 23078 TRACE keystone.common.wsgi
2014-08-27 15:26:35.744 23078 INFO eventlet.wsgi.server [-] 128.142.152.106 - - [27/Aug/2014 15:26:35] "POST /v2.0/tokens HTTP/1.1" 400 238 0.036876

After that, Keystone raises this error every X seconds forever:

2014-08-27 15:26:46.683 23078 INFO eventlet.wsgi.server [-] 128.142.152.106 - - [27/Aug/2014 15:26:46] "POST /v2.0/tokens HTTP/1.1" 500 348 0.005080
2014-08-27 15:27:02.864 23078 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.6/site-packages/keystone/middleware/core.py:276
2014-08-27 15:27:02.867 23078 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.6/site-packages/keystone/common/wsgi.py:181
2014-08-27 15:27:02.868 23078 ERROR keystone.common.wsgi [-] 'driver'
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi Traceback (most recent call last):
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/common/wsgi.py", line 212, in __call__
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi     result = method(context, **params)
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/controllers.py", line 99, in authenticate
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi     context, auth)
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/token/controllers.py", line 279, in _authenticate_local
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi     username, CONF.identity.default_domain_id)
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/identity/core.py", line 182, in wrapper
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/identity/core.py", line 193, in wrapper
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi     return f(self, *args, **kwargs)
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/identity/core.py", line 555, in get_user_by_name
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi     driver = self._select_identity_driver(domain_id)
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/identity/core.py", line 372, in _select_identity_driver
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi     driver = (self.domain_configs.get_domain_driver(domain_id) or
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi   File "/usr/lib/python2.6/site-packages/keystone/identity/core.py", line 145, in get_domain_driver
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi     return self[domain_id]['driver']
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi KeyError: 'driver'
2014-08-27 15:27:02.868 23078 TRACE keystone.common.wsgi
2014-08-27 15:27:02.873 23078 INFO eventlet.wsgi.server [-] 128.142.152.106 - - [27/Aug/2014 15:27:02] "POST /v2.0/tokens HTTP/1.1" 500 348 0.009450

It is supposed that the multi-domain feature is ready on Juno 2 (correct me if
I'm wrong), but I think that there are some problems. I don't know if it
is related to this bug:
https://bugs.launchpad.net/keystone/+bug/1217017

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1362181

Title:
  Multi-domain has problems with domain drivers

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1362181/+subscriptions
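
Added example (not part of the original report and not Keystone's code): a simplified Python model of the sequence the two tracebacks show, where a driver constructor rejects the per-domain config (TypeError) and every later lookup then hits a domain entry with no 'driver' key (KeyError), next to a registry that only stores complete entries. All class and function names are hypothetical, and the ordering inside the fragile setup() is an assumption inferred from the traces.

```python
class NoArgDriver(object):
    """Hypothetical driver whose constructor accepts no config object."""


class ConfDriver(object):
    """Hypothetical driver that accepts a per-domain config object."""
    def __init__(self, conf):
        self.conf = conf


class DomainDriverError(Exception):
    """Raised when a domain's driver cannot be built from its config."""


class FragileRegistry(dict):
    """Assumed ordering: entry and 'configured' flag are set before the driver exists."""
    def __init__(self):
        super().__init__()
        self.configured = False

    def setup(self, domain_id, cfg, driver_cls):
        self.configured = True
        self[domain_id] = {"cfg": cfg}
        self[domain_id]["driver"] = driver_cls(cfg)  # may raise TypeError

    def get_domain_driver(self, domain_id):
        if domain_id in self:
            return self[domain_id]["driver"]  # KeyError on a half-built entry
        return None


class AtomicRegistry(FragileRegistry):
    """Builds the driver first and stores only complete entries."""
    def setup(self, domain_id, cfg, driver_cls):
        try:
            driver = driver_cls(cfg)
        except TypeError as exc:
            raise DomainDriverError(
                "domain %r: cannot load driver: %s" % (domain_id, exc))
        self[domain_id] = {"cfg": cfg, "driver": driver}
        self.configured = True  # only after every entry is usable


def authenticate(registry, domain_id, cfg, driver_cls):
    """Lazy setup on first request, then driver lookup, as in the traces."""
    if not registry.configured:
        registry.setup(domain_id, cfg, driver_cls)
    return registry.get_domain_driver(domain_id)


def outcomes(registry, driver_cls, attempts=2):
    """Return the result or exception name of each successive request."""
    results = []
    for _ in range(attempts):
        try:
            authenticate(registry, "default", {"driver": "sql"}, driver_cls)
            results.append("ok")
        except Exception as exc:
            results.append(type(exc).__name__)
    return results


if __name__ == "__main__":
    print(outcomes(FragileRegistry(), NoArgDriver))
    print(outcomes(AtomicRegistry(), NoArgDriver))
```

With the atomic registry, every request reports the same configuration error that names the domain, instead of a one-time TypeError followed by an opaque KeyError on each token request.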

