
yahoo-eng-team team mailing list archive

[Bug 1459179] [NEW] User heat has no access to domain default when using Keystone v3 with multi-domain-driver

 

Public bug reported:

When using Keystone v3 with multi-domain-driver in Juno on CentOS, I
can't deploy a heat stack, because the heat user has no access to the default
domain, which runs on SQL

default -> SQL -> service user and heat
dom -> LDAP -> AD user

---- /var/log/heat/heat.log ----
2015-05-27 11:38:42.502 13632 DEBUG heat.engine.stack_lock [-] Engine 651cdcf1-49cb-4ca4-9436-35ff538666ed acquired lock on stack 22a20e5a-901b-436c-9c8c-e603bc79015b acquire /usr/lib/python2.7/site-packages/heat/engine/stack_lock.py:72
2015-05-27 11:38:42.503 13632 DEBUG keystoneclient.auth.identity.v3 [-] Making authentication request to http://172.16.89.1:5000/v3/auth/tokens get_auth_ref /usr/lib/python2.7/site-packages/keystoneclient/auth/identity/v3.py:117
2015-05-27 11:38:42.504 13632 INFO urllib3.connectionpool [-] Starting new HTTP connection (1): 172.16.89.1
2015-05-27 11:38:42.579 13632 DEBUG urllib3.connectionpool [-] "POST /v3/auth/tokens HTTP/1.1" 401 181 _make_request /usr/lib/python2.7/site-packages/urllib3/connectionpool.py:357
2015-05-27 11:38:42.580 13632 DEBUG keystoneclient.session [-] Request returned failure status: 401 request /usr/lib/python2.7/site-packages/keystoneclient/session.py:345
2015-05-27 11:38:42.580 13632 DEBUG keystoneclient.v3.client [-] Authorization failed. get_raw_token_from_identity_service /usr/lib/python2.7/site-packages/keystoneclient/v3/client.py:267

---- /var/log/keystone/keystone.log ----
2015-05-27 11:38:42.265 8847 DEBUG keystone.common.kvs.core [-] KVS lock acquired for: os-revoke-events acquire /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:380
2015-05-27 11:38:42.265 8847 DEBUG keystone.common.kvs.core [-] KVS lock released for: os-revoke-events release /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:399
2015-05-27 11:38:42.265 8847 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'86396c4533a044a1ab106ccaeb7e883d', 'roles': [u'heat_stack_owner', u'admin'], 'trustee_$
2015-05-27 11:38:42.266 8847 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/site-packages/keystone/common/wsgi.py:191
2015-05-27 11:38:42.267 8847 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:validate_token() _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:55
2015-05-27 11:38:42.267 8847 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:60
2015-05-27 11:38:42.270 8847 DEBUG keystone.common.kvs.core [-] KVS lock acquired for: os-revoke-events acquire /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:380
2015-05-27 11:38:42.270 8847 DEBUG keystone.common.kvs.core [-] KVS lock released for: os-revoke-events release /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:399
2015-05-27 11:38:42.270 8847 DEBUG keystone.policy.backends.rules [-] enforce identity:validate_token: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'86396c4533a044a1ab106ccaeb7e883d', 'roles': [u'heat_stack_owner', u$
2015-05-27 11:38:42.270 8847 DEBUG keystone.common.controller [-] RBAC: Authorization granted inner /usr/lib/python2.7/site-packages/keystone/common/controller.py:155
2015-05-27 11:38:42.273 8847 DEBUG keystone.common.kvs.core [-] KVS lock acquired for: os-revoke-events acquire /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:380
2015-05-27 11:38:42.273 8847 DEBUG keystone.common.kvs.core [-] KVS lock released for: os-revoke-events release /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:399
2015-05-27 11:38:42.274 8847 INFO eventlet.wsgi.server [-] 172.16.89.1 - - [27/May/2015 11:38:42] "GET /v3/auth/tokens HTTP/1.1" 200 7887 0.012976
2015-05-27 11:38:42.343 8849 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:270
2015-05-27 11:38:42.345 8849 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/site-packages/keystone/common/wsgi.py:191
2015-05-27 11:38:42.441 8849 INFO eventlet.wsgi.server [-] 172.16.89.1 - - [27/May/2015 11:38:42] "POST /v3/auth/tokens HTTP/1.1" 201 7902 0.097828
2015-05-27 11:38:42.450 8852 DEBUG keystone.common.kvs.core [-] KVS lock acquired for: os-revoke-events acquire /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:380
2015-05-27 11:38:42.450 8852 DEBUG keystone.common.kvs.core [-] KVS lock released for: os-revoke-events release /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:399
2015-05-27 11:38:42.450 8852 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'c287350c73ef4410ad17326eee940c5f', 'roles': [u'heat_stack_owner', u'admin'], 'trustee_$
2015-05-27 11:38:42.452 8852 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/site-packages/keystone/common/wsgi.py:191
2015-05-27 11:38:42.452 8852 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:create_trust(trust={u'impersonation': True, u'project_id': u'b00f98aa1d89401a86bb30baf9bea664', u'trustor_user_id': u'c287350c73ef4410ad17326eee$
2015-05-27 11:38:42.452 8852 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:60
2015-05-27 11:38:42.453 8852 DEBUG keystone.policy.backends.rules [-] enforce identity:create_trust: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'c287350c73ef4410ad17326eee940c5f', 'roles': [u'heat_stack_owner', u'a$
2015-05-27 11:38:42.453 8852 DEBUG keystone.common.controller [-] RBAC: Authorization granted inner /usr/lib/python2.7/site-packages/keystone/common/controller.py:155
2015-05-27 11:38:42.457 8852 DEBUG keystone.common.kvs.core [-] KVS lock acquired for: os-revoke-events acquire /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:380
2015-05-27 11:38:42.457 8852 DEBUG keystone.common.kvs.core [-] KVS lock released for: os-revoke-events release /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:399
2015-05-27 11:38:42.480 8852 INFO eventlet.wsgi.server [-] 172.16.89.1 - - [27/May/2015 11:38:42] "POST /v3/OS-TRUST/trusts HTTP/1.1" 201 845 0.034633
2015-05-27 11:38:42.506 8852 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:270
2015-05-27 11:38:42.508 8852 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/site-packages/keystone/common/wsgi.py:191
2015-05-27 11:38:42.576 8852 DEBUG keystone.token.providers.common [-] User 86396c4533a044a1ab106ccaeb7e883d has no access to domain default _populate_roles /usr/lib/python2.7/site-packages/keystone/token/providers/common.py:309
2015-05-27 11:38:42.577 8852 WARNING keystone.common.wsgi [-] Authorization failed. User 86396c4533a044a1ab106ccaeb7e883d has no access to domain default (Disable debug mode to suppress these details.) (Disable debug mode to suppress the$
2015-05-27 11:38:42.579 8852 INFO eventlet.wsgi.server [-] 172.16.89.1 - - [27/May/2015 11:38:42] "POST /v3/auth/tokens HTTP/1.1" 401 378 0.072790

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1459179
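
A triage sketch for the keystone.log excerpt above, added here as an example (it is not part of the bug report and not Keystone code): it pairs each 401 access-log line with the scope denial logged just before it, so the failing user and scope are reported once per request. The function name `failed_scopes` is hypothetical, and the pairing assumes the denial and the access line are written by the same worker PID, as they are in the excerpt.

```python
import re
from collections import defaultdict

# Abridged from the keystone.log excerpt in the report (source paths trimmed).
SAMPLE = """\
2015-05-27 11:38:42.441 8849 INFO eventlet.wsgi.server [-] 172.16.89.1 - - [27/May/2015 11:38:42] "POST /v3/auth/tokens HTTP/1.1" 201 7902 0.097828
2015-05-27 11:38:42.480 8852 INFO eventlet.wsgi.server [-] 172.16.89.1 - - [27/May/2015 11:38:42] "POST /v3/OS-TRUST/trusts HTTP/1.1" 201 845 0.034633
2015-05-27 11:38:42.576 8852 DEBUG keystone.token.providers.common [-] User 86396c4533a044a1ab106ccaeb7e883d has no access to domain default _populate_roles
2015-05-27 11:38:42.577 8852 WARNING keystone.common.wsgi [-] Authorization failed. User 86396c4533a044a1ab106ccaeb7e883d has no access to domain default
2015-05-27 11:38:42.579 8852 INFO eventlet.wsgi.server [-] 172.16.89.1 - - [27/May/2015 11:38:42] "POST /v3/auth/tokens HTTP/1.1" 401 378 0.072790
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<pid>\d+) "
                  r"(?P<level>[A-Z]+) (?P<logger>\S+) \[[^\]]*\] (?P<msg>.*)$")
DENIED = re.compile(r"User (?P<user>[0-9a-f]{32}) has no access to "
                    r"(?P<kind>domain|project) (?P<target>\S+)")
ACCESS = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def failed_scopes(log_text):
    """Return one finding per scope denial that ended in an HTTP 401."""
    pending = defaultdict(list)  # pid -> denials not yet matched to a response
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        # Count only the token provider's record; the WSGI WARNING repeats it.
        d = DENIED.search(msg)
        if d and m["logger"] == "keystone.token.providers.common":
            pending[pid].append((m["ts"], d["user"], d["kind"], d["target"]))
            continue
        a = ACCESS.search(msg)
        if a and m["logger"] == "eventlet.wsgi.server":
            denials = pending.pop(pid, [])  # a response closes the request
            if a["status"] == "401":
                for ts, user, kind, target in denials:
                    findings.append({"time": ts, "pid": pid, "user_id": user,
                                     "scope": f"{kind}:{target}",
                                     "request": f'{a["method"]} {a["path"]}'})
    return findings

if __name__ == "__main__":
    for finding in failed_scopes(SAMPLE):
        print(finding)
```
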
