engine should not be including keystone stuff

You can set configure_delegated_roles to false and declare the keystone_role provider in your own manifest where keystone is running.

That will work but I think that this design violates how the rest of the modules seem to work, with all the keystone stuff isolated. Can we move this block into keystone/auth or similar?

I met the same problem while running keystone on separate host. I have moved relevant code sections around with the following patch and it worked well for me.

Thats what I was thinking of doing for a fix, can you propose that upstream Vladislav?

Yes, I will do it

@Vlad, did you submit a review? I can't find one.

Fix proposed to branch: master
Review: https://review.openstack.org/140854

@matt, you're right. Your patch makes sense. Reviews inline.

Reviewed: https://review.openstack.org/140854
Committed: https://git.openstack.org/cgit/stackforge/puppet-heat/commit/?id=74e874365933b3d7a07d6413762597e78efaaaa8
Submitter: Jenkins
Branch: master

commit 74e874365933b3d7a07d6413762597e78efaaaa8
Author: Matt Fischer <email address hidden>
Date: Tue Dec 9 21:54:28 2014 -0700

    Move keystone role creation to keystone area

    When the engine code does things with Keystone roles/etc it breaks when
    run on nodes that are not running Keystone. Some environments have
    Keystone in a separate node thereby causing issues. This moves it into
    the Keystone auth class to match the functaionality of other puppet
    modules and avoid this issue. The older parameters are deprecated but
    will still work.

    Based on the original patch by Vladislav Belogrudov.

    Change-Id: I3d6545cf1e5338b1098ee52daedcc17dc9ad990b
    Closes-Bug: #1393293

Now it breaks when both keystone and heat are run on the same host, as heat::engine and heat::keystone auth now set DEFAULT/trusts_delegated_roles resulting in Puppet run failing:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate declaration: Heat_config[DEFAULT/trusts_delegated_roles] is already declared in file /etc/puppet/environments/production/modules/heat/manifests/engine.pp:117; cannot redeclare at /etc/puppet/environments/production/modules/heat/manifests/keystone/auth.pp:170 on node controller1

Do you have configure_delegated_roles on for both files?

Here is my manifest, tried settings trusts_delegated_roles in both heat::engine as heat::keystone::auth. But both options fail.

  class { '::heat::engine':
    auth_encryption_key => $heat_encryption_key,
    configure_delegated_roles => false,
  }

  class { '::heat::keystone::auth':
    password => $heat_keystone_pass,
    public_address => $heat_endpoint,
    admin_address => $heat_endpoint,
    internal_address => $heat_endpoint,
    region => $region,
    configure_delegated_roles => true,
    trusts_delegated_roles => ['_member_'],
    configure_endpoint => false,
  }

This is how I use it, with hiera:

heat::engine::trusts_delegated_roles: ~
heat::engine::configure_delegated_roles: false
heat::keystone::auth::configure_delegated_roles: true

That first line shouldn't be needed though since the role is only enabled when $trusts_delegated_roles is enabled

Okay, trusts_delegated_roles is not really the issue. It's that both classes set DEFAULT/trusts_delegated_roles in heat.conf, resulting in the before mentioned error. I assumed that that was toggled with the configure_delegated_roles parameter, but that only toggles the keystone_role.

Sorry, I meant configure_delegated_roles.

So that's why my hiera data works. I clear out the engine setting.