So trying to get auth not scoped to a project but domain instead, I get this:
failed: [primary] (item={u'service_type': u'identity', u'name': u'keystone'})
=> {
"action": "os_keystone_service",
"attempts": 5,
"changed": false,
"invocation": {
"module_args": {
"api_version": "auto",
"module_args": {
"auth": {
"auth_url": "http://192.0.2.10:35357",
"domain_name": "default",
"password": "9PJVm6kJI1k00JgNzhXpRAosMAXBkIqSSmDYDwR3",
"user_domain_name": "default",
"username": "admin"
},
"cacert": "",
"description": "Openstack Identity Service",
"interface": "admin",
"name": "keystone",
"region_name": "RegionOne",
"service_type": "identity"
},
"module_extra_vars": null,
"module_name": "os_keystone_service",
"timeout": 180,
"user": null
}
},
"item": {
"description": "Openstack Identity Service",
"endpoints": [
{
"interface": "admin",
"url": "http://192.0.2.10:35357"
},
{
"interface": "internal",
"url": "http://192.0.2.10:5000"
},
{
"interface": "public",
"url": "http://192.0.2.10:5000"
}
],
"name": "keystone",
"type": "identity"
},
"module_stderr": "Traceback (most recent call last):\n File
\"/tmp/ansible-tmp-1572531912.06-54869509402289/AnsiballZ_os_keystone_service.py\",
line 114, in <module>\n _ansiballz_main()\n File
\"/tmp/ansible-tmp-1572531912.06-54869509402289/AnsiballZ_os_keystone_service.py\",
line 106, in _ansiballz_main\n invoke_module(zipped_mod, temp_path,
ANSIBALLZ_PARAMS)\n File
\"/tmp/ansible-tmp-1572531912.06-54869509402289/AnsiballZ_os_keystone_service.py\",
line 49, in invoke_module\n imp.load_module('__main__', mod, module,
MOD_DESC)\n File
\"/tmp/ansible_os_keystone_service_payload_RpqMjI/__main__.py\", line 194, in
<module>\n File
\"/tmp/ansible_os_keystone_service_payload_RpqMjI/__main__.py\", line 153, in
main\n File
\"/opt/ansible/lib/python2.7/site-packages/openstack/cloud/_identity.py\", line
510, in search_services\n services = self.list_services()\n File
\"/opt/ansible/lib/python2.7/site-packages/openstack/cloud/_identity.py\", line
485, in list_services\n if self._is_client_version('identity', 2):\n File
\"/opt/ansible/lib/python2.7/site-packages/openstack/cloud/openstackcloud.py\",
line 459, in _is_client_version\n client = getattr(self, client_name)\n
File \"/opt/ansible/lib/python2.7/site-packages/openstack/cloud/_identity.py\",
line 32, in _identity_client\n 'identity', min_version=2,
max_version='3.latest')\n File
\"/opt/ansible/lib/python2.7/site-packages/openstack/cloud/openstackcloud.py\",
line 422, in _get_versioned_client\n
endpoint_override=self.config.get_endpoint(service_type))\n File
\"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/adapter.py\", line
345, in get_api_major_version\n return
self.session.get_api_major_version(auth or self.auth, **kwargs)\n File
\"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/session.py\", line
1233, in get_api_major_version\n return auth.get_api_major_version(self,
**kwargs)\n File
\"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/identity/base.py\",
line 500, in get_api_major_version\n data =
get_endpoint_data(discover_versions=discover_versions)\n File
\"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/identity/base.py\",
line 271, in get_endpoint_data\n service_catalog =
self.get_access(session).service_catalog\n File
\"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/identity/base.py\",
line 134, in get_access\n self.auth_ref = self.get_auth_ref(session)\n File
\"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/identity/generic/base.py\",
line 208, in get_auth_ref\n return self._plugin.get_auth_ref(session,
**kwargs)\n File
\"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py\",
line 184, in get_auth_ref\n authenticated=False, log=False, **rkwargs)\n
File \"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/session.py\",
line 1106, in post\n return self.request(url, 'POST', **kwargs)\n File
\"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/session.py\", line
943, in request\n raise exceptions.from_response(resp, method,
url)\nkeystoneauth1.exceptions.http.Unauthorized: The request you have made
requires authentication. (HTTP 401) (Request-ID:
req-2eed28d1-00fd-4878-8acc-9d5eee838a93)\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}
I have a bad feeling this client is unable to handle the new stricter
situation.
** Also affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1850656
Title:
Deploy will fail if keystone.conf has
'[oslo_policy]/enforce_scope=true'
Status in OpenStack Identity (keystone):
New
Status in kolla-ansible:
In Progress
Status in kolla-ansible train series:
In Progress
Bug description:
In current Kolla master (train), the keystone permission system has not
been adapted to the new scope thinking.
$ cat /etc/kolla/config/keystone/keystone.conf
[oslo_policy]
enforce_scope = True
$ kolla-ansible -i multinode deploy
...
TASK [service-ks-register : keystone | Creating services]
************************************************************************************
...
failed: [control1.example.com -> control1.example.com]
(item={u'service_type': u'identity', u'name': u'keystone'}) => {"action":
"os_keystone_service", "ansible_loop_var": "item", "attempts": 5, "changed":
false, "item": {"description": "Openstack Identity Service", "endpoints":
[{"interface": "admin", "url": "http://vip.example.com:35357"}, {"interface":
"internal", "url": "http://vip.example.com:5000"}, {"interface": "public",
"url": "https://openstack.example.com:5000"}], "name": "keystone", "type":
"identity"}, "msg": "Failed to list services: Client Error for url:
http://vip.example.com:35357/v3/services, You are not authorized to perform the
requested action: identity:list_services."}
== https://docs.openstack.org/releasenotes/keystone/en_GB/train.html ==
This release leverages oslo.policy’s policy-in-code feature to modify the
default check strings and scope types for nearly all of keystone’s API
policies. These changes make the policies more precise than they were before,
using the reader, member, and admin roles where previously only the admin role
and a catch-all rule was available. The changes also take advantage of system,
domain, and project scope, allowing you to create role assignments for your
users that are appropriate to the actions they need to perform. Eventually this
will allow you to set [oslo_policy]/enforce_scope=true in your keystone
configuration, which simplifies access control management by ensuring that
oslo.policy checks both the role and the scope on API requests.
[bug 1806762] [bug 1630434] The entire policy.v3cloudsample.json file
has been removed. If you were using this policy file to supply
overrides in your deployment, you should consider using the defaults
in code and setting keystone.conf [oslo_policy] enforce_scope=True.
The new policy defaults are more flexible, they’re tested extensively,
and they solve all the problems the policy.v3cloudsample.json file was
trying to solve.
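As an added illustration (not keystone, oslo.policy or kolla-ansible code) of the role-plus-scope rule the release note describes, the following simplified Python model decides identity:list_services for a project-scoped, a domain-scoped and a system-scoped token with enforce_scope off and on. It assumes the Train default for that API is reader-or-higher with system scope, and it does not model the 401 in the comment above, which keystone returned while issuing the domain-scoped token, before any policy check ran.

```python
from dataclasses import dataclass


@dataclass
class Token:
    """Scope carried by a keystone v3 token: exactly one of project, domain or system."""
    roles: frozenset
    project_id: str = None
    domain_id: str = None
    system_scope: str = None  # "all" for a system-scoped token

    def scope_type(self):
        if self.system_scope:
            return "system"
        return "domain" if self.domain_id else "project"


@dataclass
class Rule:
    """A policy-in-code default, reduced to the roles that satisfy its check string
    and the scope types the API is meant for."""
    name: str
    roles: frozenset
    scope_types: frozenset

# Assumed shape of keystone's Train default for identity:list_services.
LIST_SERVICES = Rule("identity:list_services",
                     frozenset({"reader", "member", "admin"}), frozenset({"system"}))


def authorize(rule, token, enforce_scope):
    """Return (allowed, reason). With enforce_scope=False oslo.policy only logs a
    scope mismatch and the role check decides; with enforce_scope=True the mismatch
    is a hard denial, which keystone reports as the HTTP 403 shown in the bug."""
    scope_ok = token.scope_type() in rule.scope_types
    role_ok = bool(rule.roles & token.roles)
    if enforce_scope and not scope_ok:
        return False, "%s wants %s scope, token is %s-scoped" % (
            rule.name, "/".join(sorted(rule.scope_types)), token.scope_type())
    if not role_ok:
        return False, "%s: caller holds none of %s" % (rule.name, sorted(rule.roles))
    return True, "allowed" + ("" if scope_ok else " (scope mismatch only warned)")

# Constructed callers: the project-scoped admin kolla-ansible authenticates as,
# the domain-scoped admin tried in the comment above, and a system-scoped reader.
PROJECT_ADMIN = Token(frozenset({"admin"}), project_id="admin-project-id")
DOMAIN_ADMIN = Token(frozenset({"admin"}), domain_id="default")
SYSTEM_READER = Token(frozenset({"reader"}), system_scope="all")
```

Running `authorize(LIST_SERVICES, tok, enforce)` for each constructed caller shows the project-scoped admin passing only while enforce_scope is False, and only the system-scoped token passing once it is True.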
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1850656/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team