Should not configure a service user in all cases where a service is configured

Bug #1360232 reported by Risto Laurikainen
Affects | Status | Importance | Assigned to | Milestone
puppet-ceilometer | Fix Released | Undecided | Mike Dorman |
puppet-cinder | Fix Released | Undecided | Risto Laurikainen |
puppet-glance | Fix Released | Undecided | Risto Laurikainen |
puppet-heat | Fix Released | Undecided | Mike Dorman |
puppet-keystone | Fix Released | Undecided | Mike Dorman |
puppet-neutron | Fix Released | Undecided | Risto Laurikainen |
puppet-nova | Fix Released | Undecided | Risto Laurikainen |

Bug Description

Currently, creating the service in Keystone is tied to creating the service user. If Keystone is using a source for identity data that is read only (e.g. a read only LDAP backend), this will result in either not being able to configure the service or running into errors when calling keystone::auth.

This can be fixed without breaking backwards compatibility by making user configuration optional.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/116262

Changed in puppet-nova:
assignee: nobody → Risto Laurikainen (risto-laurikainen)
status: New → In Progress
Changed in puppet-glance:
assignee: nobody → Risto Laurikainen (risto-laurikainen)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/116263

Changed in puppet-cinder:
assignee: nobody → Risto Laurikainen (risto-laurikainen)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/116264

Changed in puppet-neutron:
assignee: nobody → Risto Laurikainen (risto-laurikainen)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/116265

Mike Dorman (mdorman-m)
Changed in puppet-heat:
status: New → In Progress
assignee: nobody → Mike Dorman (mdorman-m)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/120466

Mike Dorman (mdorman-m)
Changed in puppet-ceilometer:
status: New → In Progress
assignee: nobody → Mike Dorman (mdorman-m)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-ceilometer (master)

Fix proposed to branch: master
Review: https://review.openstack.org/120477

Revision history for this message
Mike Dorman (mdorman-m) wrote :

I noticed this is being implemented such that the keystone_user_role management is triggered by $configure_user => true, too. However, there are cases where you would want to not manage the user, but would still want to have the role assignment done. (e.g. user/auth backend is read only LDAP, but role assignment is done in Keystone DB.)

Thoughts on implementing a $configure_user_role parameter as well? Or finish this bug out as is, and open a new bug for a parameter for managing the role?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/120525

Changed in puppet-keystone:
assignee: nobody → Mike Dorman (mdorman-m)
status: New → In Progress
Revision history for this message
Risto Laurikainen (risto-laurikainen) wrote :

Ah, my use case has both users and roles in LDAP so I missed that. I wonder how common it is to have roles in Keystone DB but users in LDAP?

Finishing this as is would provide useful functionality, but adding $configure_user_role later on would change the interface slightly so that someone with my use case would need to explicitly set $configure_user_role to false. It would change the meaning of $configure_user. I suppose I can add $configure_user_role to the current change so as to not introduce this inconsistency.

Revision history for this message
Mike Dorman (mdorman-m) wrote :

Yeah, I agree with making the change now, for the reasons you cited. I'll update the reviews I did, too, in the next day or two.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-glance (master)

Reviewed: https://review.openstack.org/116263
Committed: https://git.openstack.org/cgit/stackforge/puppet-glance/commit/?id=246842f13cd06aeb0ce07959ff892f21749a340f
Submitter: Jenkins
Branch: master

commit 246842f13cd06aeb0ce07959ff892f21749a340f
Author: Risto Laurikainen <email address hidden>
Date: Fri Aug 22 15:38:36 2014 +0300

    Make user creation optional when creating service.

    In some cases it is useful to be able to just configure
    the service in Keystone and not the service user. This
    is the case when e.g. a read only LDAP backend is used.
    Added parameters configure_user and configure_user_role
    (default to true).

    Change-Id: If9bb802ff2bb0b3ece55f36df773059ba9c7e9de
    Closes-Bug: 1360232
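
The gating described in the commit message above, sketched as an added example (not the code merged in these reviews): a defined type that always manages the Keystone service and endpoint but creates the user and the role assignment only when asked. The name example::service_identity, every parameter other than configure_user and configure_user_role, the URL and the password are hypothetical, and the resource attributes are assumed to match the puppet-keystone types of that period.

```puppet
# Hypothetical defined type for illustration; not code from the puppet-* modules.
define example::service_identity (
  $password,
  $service_type,
  $public_url,
  $auth_name           = $title,
  $tenant              = 'services',
  $region              = 'RegionOne',
  $configure_user      = true,  # default keeps the previous behaviour
  $configure_user_role = true   # default keeps the previous behaviour
) {
  # Service and endpoint live in Keystone's catalog and are always managed.
  keystone_service { $auth_name:
    ensure => present,
    type   => $service_type,
  }
  keystone_endpoint { "${region}/${auth_name}":
    ensure       => present,
    public_url   => $public_url,
    admin_url    => $public_url,
    internal_url => $public_url,
  }

  # Skipped when the identity backend is read only (e.g. LDAP).
  if $configure_user {
    keystone_user { $auth_name:
      ensure   => present,
      password => $password,
      tenant   => $tenant,
    }
  }

  # Gated separately: the role assignment can be stored in the Keystone DB
  # even when the user itself comes from LDAP.
  if $configure_user_role {
    keystone_user_role { "${auth_name}@${tenant}":
      ensure => present,
      roles  => ['admin'],
    }
  }
}

# Constructed usage: user exists in read-only LDAP, role is assigned by Puppet.
example::service_identity { 'glance':
  password       => 'placeholder-not-a-real-secret',
  service_type   => 'image',
  public_url     => 'http://127.0.0.1:9292',
  configure_user => false,
}
```

With both flags set to false, the Puppet run needs no write access to the identity or assignment backends at all; only the catalog entries are touched.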

Changed in puppet-glance:
status: In Progress → Fix Committed
Changed in puppet-cinder:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-cinder (master)

Reviewed: https://review.openstack.org/116264
Committed: https://git.openstack.org/cgit/stackforge/puppet-cinder/commit/?id=da2f5a125cae6fbed0384d9316434f953eb9ea7b
Submitter: Jenkins
Branch: master

commit da2f5a125cae6fbed0384d9316434f953eb9ea7b
Author: Risto Laurikainen <email address hidden>
Date: Fri Aug 22 15:37:23 2014 +0300

    Make user creation optional when creating service.

    In some cases it is useful to be able to just configure
    the service in Keystone and not the service user. This
    is the case when e.g. a read only LDAP backend is used.
    Added parameters configure_user and configure_user_role
    (default to true).

    Change-Id: I021976f1eafa881755c0abbe1f6ba1b546dee111
    Closes-Bug: 1360232

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (master)

Reviewed: https://review.openstack.org/120525
Committed: https://git.openstack.org/cgit/stackforge/puppet-keystone/commit/?id=55c122caa2b57b20575f68bfbad95bd8ae1035ce
Submitter: Jenkins
Branch: master

commit 55c122caa2b57b20575f68bfbad95bd8ae1035ce
Author: Mike Dorman <email address hidden>
Date: Wed Sep 10 13:43:39 2014 -0500

    Make user creation optional when creating service.

    In some cases it is useful to be able to just configure
    the service in Keystone and not the service user. This
    is the case when e.g. a read only LDAP backend is used.
    Added a parameter configure_user (defaults to true).
    Closes-Bug: 1360232

    Change-Id: I8f6d6f3903b9140bf22c676b3661c2dda5766db6

Changed in puppet-keystone:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-ceilometer (master)

Reviewed: https://review.openstack.org/120477
Committed: https://git.openstack.org/cgit/stackforge/puppet-ceilometer/commit/?id=7719ceaff07b933006b34aa04e568b4db206bea1
Submitter: Jenkins
Branch: master

commit 7719ceaff07b933006b34aa04e568b4db206bea1
Author: Mike Dorman <email address hidden>
Date: Wed Sep 10 11:39:04 2014 -0500

    Make user creation optional when creating service.

    In some cases it is useful to be able to just configure
    the service in Keystone and not the service user. This
    is the case when e.g. a read only LDAP backend is used.
    Added a parameter configure_user (defaults to true).
    Closes-Bug: 1360232

    Change-Id: I541224b9bf431da957b9de31909e0aad5c9be187

Changed in puppet-ceilometer:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-heat (master)

Reviewed: https://review.openstack.org/120466
Committed: https://git.openstack.org/cgit/stackforge/puppet-heat/commit/?id=c1102fd5e34af55d9cac01bae6b021ff0cceba04
Submitter: Jenkins
Branch: master

commit c1102fd5e34af55d9cac01bae6b021ff0cceba04
Author: Mike Dorman <email address hidden>
Date: Wed Sep 10 11:06:43 2014 -0500

    Make user creation optional when creating service.

    In some cases it is useful to be able to just configure
    the service in Keystone and not the service user. This
    is the case when e.g. a read only LDAP backend is used.
    Added a parameter configure_user (defaults to true).
    Closes-Bug: 1360232

    Change-Id: Ia17fa32744bd951eac3307a858917ac1ba3be37c

Changed in puppet-heat:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-neutron (master)

Reviewed: https://review.openstack.org/116265
Committed: https://git.openstack.org/cgit/stackforge/puppet-neutron/commit/?id=c0f463c85f0a47634f16b7abe4690e02451c0f1f
Submitter: Jenkins
Branch: master

commit c0f463c85f0a47634f16b7abe4690e02451c0f1f
Author: Risto Laurikainen <email address hidden>
Date: Fri Aug 22 15:37:09 2014 +0300

    Make user creation optional when creating service.

    In some cases it is useful to be able to just configure
    the service in Keystone and not the service user. This
    is the case when e.g. a read only LDAP backend is used.
    Added parameters configure_user and configure_user_role
    (default to true).

    Change-Id: I6b0b7e2554e982550d71d8427ce2ea94f04f55e8
    Closes-Bug: 1360232

Changed in puppet-neutron:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-nova (master)

Reviewed: https://review.openstack.org/116262
Committed: https://git.openstack.org/cgit/stackforge/puppet-nova/commit/?id=45788081c9b26dda469d110db5605f905a6c9b3c
Submitter: Jenkins
Branch: master

commit 45788081c9b26dda469d110db5605f905a6c9b3c
Author: Risto Laurikainen <email address hidden>
Date: Fri Aug 22 15:32:29 2014 +0300

    Make user creation optional when creating service.

    In some cases it is useful to be able to just configure
    the service in Keystone and not the service user. This
    is the case when e.g. a read only LDAP backend is used.
    Added parameters configure_user and configure_user_role
    (default to true).

    Change-Id: If3d53c2c9070691b4731142f512b1f4bb754be00
    Closes-Bug: 1360232

Changed in puppet-nova:
status: In Progress → Fix Committed
Matt Fischer (mfisch)
Changed in puppet-heat:
milestone: none → 4.0.0
status: Fix Committed → Fix Released
no longer affects: puppet-ironic
Mathieu Gagné (mgagne)
Changed in puppet-glance:
milestone: none → 5.0.0
status: Fix Committed → Fix Released
Changed in puppet-cinder:
milestone: none → 5.0.0
status: Fix Committed → Fix Released
Changed in puppet-keystone:
milestone: none → 5.0.0
status: Fix Committed → Fix Released
Changed in puppet-ceilometer:
milestone: none → 5.0.0
Changed in puppet-heat:
milestone: 4.0.0 → 5.0.0
Changed in puppet-neutron:
milestone: none → 5.0.0
Changed in puppet-nova:
milestone: none → 5.0.0
Changed in puppet-neutron:
status: Fix Committed → Fix Released
Changed in puppet-nova:
status: Fix Committed → Fix Released
Changed in puppet-ceilometer:
status: Fix Committed → Fix Released