yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #31210
[Bug 1441379] Re: rally deployment create failed on schema validation, if using domain scoped token deployment
For example, if source the project scoped token that rally config support at the current phase, role list failed with the same 401 error:
$ . ~/.rally/openrc
OS_REGION_NAME=regionOne
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=default
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=admin
OS_AUTH_URL=https://localhost:5000/v3/
OS_USERNAME=admin
OS_CACERT=/usr/local/share/ca-certificates/ephemeralca-cacert.crt
OS_PROJECT_DOMAIN_NAME=Default
cetest@cer305n0016:~/ysong/rally/environments$ openstack role list
ERROR: openstack The request you have made requires authentication. (HTTP 401)
** Description changed:
For keystone v3 testing, most test should based on domain scoped token but not project scoped token. And either domain_name/domain_id is required for keystone v3 domain scoped token. Rally need to pick up either domain_id or domain_name in its v3 config, in order to work with keystone v3:
Failed validating 'anyOf' in schema:
- {'anyOf': [{'properties': {'admin': {'$ref': '#/definitions/user'}},
- 'required': ['type', 'auth_url', 'admin']},
- {'required': ['type', 'auth_url', 'users'],
- 'users': {'items': {'$ref': '#/definitions/user'},
- 'type': 'array'}}],
- 'definitions': {'user': {'oneOf': [{'properties': {'tenant_name': {'type': 'string'}},
- 'required': ['username',
- 'password',
- 'tenant_name']},
- {'properties': {'project_domain_name': {'type': 'string'},
- 'project_name': {'type': 'string'},
- 'user_domain_name': {'type': 'string'}},
- 'required': ['username',
- 'password',
- 'project_name']}],
- 'properties': {'password': {'type': 'string'},
- 'username': {'type': 'string'}},
- 'type': 'object'}},
- 'properties': {'auth_url': {'type': 'string'},
- 'endpoint_type': {'enum': ['admin',
- 'internal',
- 'public'],
- 'type': 'string'},
- 'region_name': {'type': 'string'},
- 'type': {'type': 'string'}},
- 'type': 'object'}
-
+ {'anyOf': [{'properties': {'admin': {'$ref': '#/definitions/user'}},
+ 'required': ['type', 'auth_url', 'admin']},
+ {'required': ['type', 'auth_url', 'users'],
+ 'users': {'items': {'$ref': '#/definitions/user'},
+ 'type': 'array'}}],
+ 'definitions': {'user': {'oneOf': [{'properties': {'tenant_name': {'type': 'string'}},
+ 'required': ['username',
+ 'password',
+ 'tenant_name']},
+ {'properties': {'project_domain_name': {'type': 'string'},
+ 'project_name': {'type': 'string'},
+ 'user_domain_name': {'type': 'string'}},
+ 'required': ['username',
+ 'password',
+ 'project_name']}],
+ 'properties': {'password': {'type': 'string'},
+ 'username': {'type': 'string'}},
+ 'type': 'object'}},
+ 'properties': {'auth_url': {'type': 'string'},
+ 'endpoint_type': {'enum': ['admin',
+ 'internal',
+ 'public'],
+ 'type': 'string'},
+ 'region_name': {'type': 'string'},
+ 'type': {'type': 'string'}},
+ 'type': 'object'}
Here's a test:
Project scoped token deployment looks fine, but domain scoped token deployment failed. Check the following test:
1. Project scoped token deploy:
$ cat m.json
{
- "admin": {
- "project_name": "admin",
- "password": "admin",
- "project_domain_name": "Default",
- "user_domain_name": "Default",
- "username": "admin"
- },
- "auth_url": "https://localhost:5000/v3/";,
- "endpoint_type": "public",
- "https_cacert": "/usr/local/share/ca-certificates/ephemeralca-cacert.crt",
- "https_insecure": False,
- "region_name": "regionOne",
- "type": "ExistingCloud",
+ "admin": {
+ "project_name": "admin",
+ "password": "admin",
+ "project_domain_name": "Default",
+ "user_domain_name": "Default",
+ "username": "admin"
+ },
+ "auth_url": "https://localhost:5000/v3/";,
+ "endpoint_type": "public",
+ "https_cacert": "/usr/local/share/ca-certificates/ephemeralca-cacert.crt",
+ "https_insecure": False,
+ "region_name": "regionOne",
+ "type": "ExistingCloud",
}
$ rally deployment create --filename=m.json --name=apaltestHAKVMv3
+--------------------------------------+----------------------------+-----------------+------------------+--------+
| uuid | created_at | name | status | active |
+--------------------------------------+----------------------------+-----------------+------------------+--------+
| 01ca22c6-9ad0-422b-ae77-7e9d863234b0 | 2015-04-07 22:33:55.921296 | apaltestHAKVMv3 | deploy->finished | |
+--------------------------------------+----------------------------+-----------------+------------------+--------+
Using deployment: 01ca22c6-9ad0-422b-ae77-7e9d863234b0
~/.rally/openrc was updated
HINTS:
* To get your cloud resources, run:
- rally show [flavors|images|keypairs|networks|secgroups]
+ rally show [flavors|images|keypairs|networks|secgroups]
* To use standard OpenStack clients, set up your env by running:
- source ~/.rally/openrc
- OpenStack clients are now configured, e.g run:
- glance image-list
+ source ~/.rally/openrc
+ OpenStack clients are now configured, e.g run:
+ glance image-list
$ rally deployment check
keystone endpoints are valid and following services are available:
+------------+---------------+-----------+
| services | type | status |
+------------+---------------+-----------+
| ceilometer | metering | Available |
| cinder | volume | Available |
| cinderv2 | volumev2 | Available |
| ec2 | ec2 | Available |
| glance | image | Available |
| heat | orchestration | Available |
| keystone | identity | Available |
| neutron | network | Available |
| nova | compute | Available |
| sherpa | hp-catalog | Available |
| swift | object-store | Available |
+------------+---------------+-----------+
+ $ rally task start ../keystonecase/apaldebug-create-1-user.json
+ --------------------------------------------------------------------------------
+ Preparing input task
+ --------------------------------------------------------------------------------
- 2. Project scoped token deploy failed: - I just updated one line in this
- config -> from ""project_name": "admin"," to ""domain_name":
- "Default",":
+ Input task is:
+ {
+ "KeystoneBasic.create_user": [
+ {
+ "args": {
+ "name_length": 10
+ },
+ "runner": {
+ "type": "constant",
+ "times": 1,
+ "concurrency": 1
+ }
+ }
+ ]
+ }
+
+ --------------------------------------------------------------------------------
+ Task 76a1c52c-b085-4243-ae47-4f5cfaab8091: started
+ --------------------------------------------------------------------------------
+
+ Benchmarking... This can take a while...
+
+ To track task status use:
+
+ rally task status
+ or
+ rally task detailed
+
+ 2015-04-07 22:34:40.916 20445 WARNING rally.common.broker [-] Failed to
+ consume a task from the queue: You are not authorized to perform the
+ requested action: identity:get_domain (HTTP 403)
+
+ --------------------------------------------------------------------------------
+ Task 76a1c52c-b085-4243-ae47-4f5cfaab8091: failed
+ --------------------------------------------------------------------------------
+ <class 'rally.exceptions.ContextSetupFailure'>
+ Unable to setup context 'users': 'Failed to create the requested number of tenants.'
+
+ For more details run:
+ rally -vd task detailed 76a1c52c-b085-4243-ae47-4f5cfaab8091
+ Using task: 76a1c52c-b085-4243-ae47-4f5cfaab8091
+
+
+ 2. Project scoped token deploy failed: - I just updated one line in this config -> from ""project_name": "admin"," to ""domain_name": "Default",":
$ cat u.json
{
- "admin": {
- "domain_name": "Default",
- "password": "admin",
- "project_domain_name": "Default",
- "user_domain_name": "Default",
- "username": "admin"
- },
- "auth_url": "https://localhost:5000/v3/";,
- "endpoint_type": "public",
- "https_cacert": "/usr/local/share/ca-certificates/ephemeralca-cacert.crt",
- "https_insecure": False,
- "region_name": "regionOne",
- "type": "ExistingCloud",
+ "admin": {
+ "domain_name": "Default",
+ "password": "admin",
+ "project_domain_name": "Default",
+ "user_domain_name": "Default",
+ "username": "admin"
+ },
+ "auth_url": "https://localhost:5000/v3/";,
+ "endpoint_type": "public",
+ "https_cacert": "/usr/local/share/ca-certificates/ephemeralca-cacert.crt",
+ "https_insecure": False,
+ "region_name": "regionOne",
+ "type": "ExistingCloud",
}
$ rally deployment create --filename=u.json --name=apaltestHAKVMv3
2015-04-07 22:36:18.996 20739 ERROR rally.api [-] Deployment 44f819e6-deb9-4109-a52b-f751825e7f9c: Schema validation error.
Config schema validation error: {'endpoint_type': 'public', 'auth_url': 'https://localhost:5000/v3/', 'region_name': 'regionOne', 'https_insecure': False, 'admin': {'username': 'admin', 'user_domain_name': 'Default', 'password': 'admin', 'domain_name': 'Default', 'project_domain_name': 'Default'}, 'https_cacert': '/usr/local/share/ca-certificates/ephemeralca-cacert.crt', 'type': 'ExistingCloud'} is not valid under any of the given schemas
Failed validating 'anyOf' in schema:
- {'anyOf': [{'properties': {'admin': {'$ref': '#/definitions/user'}},
- 'required': ['type', 'auth_url', 'admin']},
- {'required': ['type', 'auth_url', 'users'],
- 'users': {'items': {'$ref': '#/definitions/user'},
- 'type': 'array'}}],
- 'definitions': {'user': {'oneOf': [{'properties': {'tenant_name': {'type': 'string'}},
- 'required': ['username',
- 'password',
- 'tenant_name']},
- {'properties': {'project_domain_name': {'type': 'string'},
- 'project_name': {'type': 'string'},
- 'user_domain_name': {'type': 'string'}},
- 'required': ['username',
- 'password',
- 'project_name']}],
- 'properties': {'password': {'type': 'string'},
- 'username': {'type': 'string'}},
- 'type': 'object'}},
- 'properties': {'auth_url': {'type': 'string'},
- 'endpoint_type': {'enum': ['admin',
- 'internal',
- 'public'],
- 'type': 'string'},
- 'region_name': {'type': 'string'},
- 'type': {'type': 'string'}},
- 'type': 'object'}
+ {'anyOf': [{'properties': {'admin': {'$ref': '#/definitions/user'}},
+ 'required': ['type', 'auth_url', 'admin']},
+ {'required': ['type', 'auth_url', 'users'],
+ 'users': {'items': {'$ref': '#/definitions/user'},
+ 'type': 'array'}}],
+ 'definitions': {'user': {'oneOf': [{'properties': {'tenant_name': {'type': 'string'}},
+ 'required': ['username',
+ 'password',
+ 'tenant_name']},
+ {'properties': {'project_domain_name': {'type': 'string'},
+ 'project_name': {'type': 'string'},
+ 'user_domain_name': {'type': 'string'}},
+ 'required': ['username',
+ 'password',
+ 'project_name']}],
+ 'properties': {'password': {'type': 'string'},
+ 'username': {'type': 'string'}},
+ 'type': 'object'}},
+ 'properties': {'auth_url': {'type': 'string'},
+ 'endpoint_type': {'enum': ['admin',
+ 'internal',
+ 'public'],
+ 'type': 'string'},
+ 'region_name': {'type': 'string'},
+ 'type': {'type': 'string'}},
+ 'type': 'object'}
On instance:
- {'admin': {'domain_name': 'Default',
- 'password': 'admin',
- 'project_domain_name': 'Default',
- 'user_domain_name': 'Default',
- 'username': 'admin'},
- 'auth_url': 'https://localhost:5000/v3/',
- 'endpoint_type': 'public',
- 'https_cacert': '/usr/local/share/ca-certificates/ephemeralca-cacert.crt',
- 'https_insecure': False,
- 'region_name': 'regionOne',
- 'type': 'ExistingCloud'}.
+ {'admin': {'domain_name': 'Default',
+ 'password': 'admin',
+ 'project_domain_name': 'Default',
+ 'user_domain_name': 'Default',
+ 'username': 'admin'},
+ 'auth_url': 'https://localhost:5000/v3/',
+ 'endpoint_type': 'public',
+ 'https_cacert': '/usr/local/share/ca-certificates/ephemeralca-cacert.crt',
+ 'https_insecure': False,
+ 'region_name': 'regionOne',
+ 'type': 'ExistingCloud'}.
** Summary changed:
- rally deployment create failed on schema validation, if using domain scoped token deployment
+ Need Rally deployment create support on domain_id or domain_name in order to support keystone v3 test (which needs domain scoped token). The current project scoped token only works in service API but not keystone v3 API (DTUG domain, user, group...).
** Also affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1441379
Title:
Need Rally deployment create support on domain_id or domain_name in
order to support keystone v3 test (which needs domain scoped token).
The current project scoped token only works in service API but not
keystone v3 API (DTUG domain, user, group...).
Status in OpenStack Identity (Keystone):
New
Status in Rally:
New
Bug description:
For keystone v3 testing, most test should based on domain scoped token but not project scoped token. And either domain_name/domain_id is required for keystone v3 domain scoped token. Rally need to pick up either domain_id or domain_name in its v3 config, in order to work with keystone v3:
Failed validating 'anyOf' in schema:
{'anyOf': [{'properties': {'admin': {'$ref': '#/definitions/user'}},
'required': ['type', 'auth_url', 'admin']},
{'required': ['type', 'auth_url', 'users'],
'users': {'items': {'$ref': '#/definitions/user'},
'type': 'array'}}],
'definitions': {'user': {'oneOf': [{'properties': {'tenant_name': {'type': 'string'}},
'required': ['username',
'password',
'tenant_name']},
{'properties': {'project_domain_name': {'type': 'string'},
'project_name': {'type': 'string'},
'user_domain_name': {'type': 'string'}},
'required': ['username',
'password',
'project_name']}],
'properties': {'password': {'type': 'string'},
'username': {'type': 'string'}},
'type': 'object'}},
'properties': {'auth_url': {'type': 'string'},
'endpoint_type': {'enum': ['admin',
'internal',
'public'],
'type': 'string'},
'region_name': {'type': 'string'},
'type': {'type': 'string'}},
'type': 'object'}
Here's a test:
Project scoped token deployment looks fine, but domain scoped token deployment failed. Check the following test:
1. Project scoped token deploy:
$ cat m.json
{
"admin": {
"project_name": "admin",
"password": "admin",
"project_domain_name": "Default",
"user_domain_name": "Default",
"username": "admin"
},
"auth_url": "https://localhost:5000/v3/";,
"endpoint_type": "public",
"https_cacert": "/usr/local/share/ca-certificates/ephemeralca-cacert.crt",
"https_insecure": False,
"region_name": "regionOne",
"type": "ExistingCloud",
}
$ rally deployment create --filename=m.json --name=apaltestHAKVMv3
+--------------------------------------+----------------------------+-----------------+------------------+--------+
| uuid | created_at | name | status | active |
+--------------------------------------+----------------------------+-----------------+------------------+--------+
| 01ca22c6-9ad0-422b-ae77-7e9d863234b0 | 2015-04-07 22:33:55.921296 | apaltestHAKVMv3 | deploy->finished | |
+--------------------------------------+----------------------------+-----------------+------------------+--------+
Using deployment: 01ca22c6-9ad0-422b-ae77-7e9d863234b0
~/.rally/openrc was updated
HINTS:
* To get your cloud resources, run:
rally show [flavors|images|keypairs|networks|secgroups]
* To use standard OpenStack clients, set up your env by running:
source ~/.rally/openrc
OpenStack clients are now configured, e.g run:
glance image-list
$ rally deployment check
keystone endpoints are valid and following services are available:
+------------+---------------+-----------+
| services | type | status |
+------------+---------------+-----------+
| ceilometer | metering | Available |
| cinder | volume | Available |
| cinderv2 | volumev2 | Available |
| ec2 | ec2 | Available |
| glance | image | Available |
| heat | orchestration | Available |
| keystone | identity | Available |
| neutron | network | Available |
| nova | compute | Available |
| sherpa | hp-catalog | Available |
| swift | object-store | Available |
+------------+---------------+-----------+
$ rally task start ../keystonecase/apaldebug-create-1-user.json
--------------------------------------------------------------------------------
Preparing input task
--------------------------------------------------------------------------------
Input task is:
{
"KeystoneBasic.create_user": [
{
"args": {
"name_length": 10
},
"runner": {
"type": "constant",
"times": 1,
"concurrency": 1
}
}
]
}
--------------------------------------------------------------------------------
Task 76a1c52c-b085-4243-ae47-4f5cfaab8091: started
--------------------------------------------------------------------------------
Benchmarking... This can take a while...
To track task status use:
rally task status
or
rally task detailed
2015-04-07 22:34:40.916 20445 WARNING rally.common.broker [-] Failed
to consume a task from the queue: You are not authorized to perform
the requested action: identity:get_domain (HTTP 403)
--------------------------------------------------------------------------------
Task 76a1c52c-b085-4243-ae47-4f5cfaab8091: failed
--------------------------------------------------------------------------------
<class 'rally.exceptions.ContextSetupFailure'>
Unable to setup context 'users': 'Failed to create the requested number of tenants.'
For more details run:
rally -vd task detailed 76a1c52c-b085-4243-ae47-4f5cfaab8091
Using task: 76a1c52c-b085-4243-ae47-4f5cfaab8091
2. Project scoped token deploy failed: - I just updated one line in this config -> from ""project_name": "admin"," to ""domain_name": "Default",":
$ cat u.json
{
"admin": {
"domain_name": "Default",
"password": "admin",
"project_domain_name": "Default",
"user_domain_name": "Default",
"username": "admin"
},
"auth_url": "https://localhost:5000/v3/";,
"endpoint_type": "public",
"https_cacert": "/usr/local/share/ca-certificates/ephemeralca-cacert.crt",
"https_insecure": False,
"region_name": "regionOne",
"type": "ExistingCloud",
}
$ rally deployment create --filename=u.json --name=apaltestHAKVMv3
2015-04-07 22:36:18.996 20739 ERROR rally.api [-] Deployment 44f819e6-deb9-4109-a52b-f751825e7f9c: Schema validation error.
Config schema validation error: {'endpoint_type': 'public', 'auth_url': 'https://localhost:5000/v3/', 'region_name': 'regionOne', 'https_insecure': False, 'admin': {'username': 'admin', 'user_domain_name': 'Default', 'password': 'admin', 'domain_name': 'Default', 'project_domain_name': 'Default'}, 'https_cacert': '/usr/local/share/ca-certificates/ephemeralca-cacert.crt', 'type': 'ExistingCloud'} is not valid under any of the given schemas
Failed validating 'anyOf' in schema:
{'anyOf': [{'properties': {'admin': {'$ref': '#/definitions/user'}},
'required': ['type', 'auth_url', 'admin']},
{'required': ['type', 'auth_url', 'users'],
'users': {'items': {'$ref': '#/definitions/user'},
'type': 'array'}}],
'definitions': {'user': {'oneOf': [{'properties': {'tenant_name': {'type': 'string'}},
'required': ['username',
'password',
'tenant_name']},
{'properties': {'project_domain_name': {'type': 'string'},
'project_name': {'type': 'string'},
'user_domain_name': {'type': 'string'}},
'required': ['username',
'password',
'project_name']}],
'properties': {'password': {'type': 'string'},
'username': {'type': 'string'}},
'type': 'object'}},
'properties': {'auth_url': {'type': 'string'},
'endpoint_type': {'enum': ['admin',
'internal',
'public'],
'type': 'string'},
'region_name': {'type': 'string'},
'type': {'type': 'string'}},
'type': 'object'}
On instance:
{'admin': {'domain_name': 'Default',
'password': 'admin',
'project_domain_name': 'Default',
'user_domain_name': 'Default',
'username': 'admin'},
'auth_url': 'https://localhost:5000/v3/',
'endpoint_type': 'public',
'https_cacert': '/usr/local/share/ca-certificates/ephemeralca-cacert.crt',
'https_insecure': False,
'region_name': 'regionOne',
'type': 'ExistingCloud'}.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1441379/+subscriptions
