Public bug reported: When using Keystone v3 with multi-domain-driver in Juno on Centos, I cann't deploy heat stack, because the heat user has no access to default domain wich runs on sql
default -> SQL -> service user and heat dom -> LDAP -> AD user ---- /var/log/heat/heat.log ---- 2015-05-27 11:38:42.502 13632 DEBUG heat.engine.stack_lock [-] Engine 651cdcf1-49cb-4ca4-9436-35ff538666ed acquired lock on stack 22a20e5a-901b-436c-9c8c-e603bc79015b acquire /usr/lib/python2.7/site-packages/heat/engine/stack_lock.py:72 2015-05-27 11:38:42.503 13632 DEBUG keystoneclient.auth.identity.v3 [-] Making authentication request to http://172.16.89.1:5000/v3/auth/tokens get_auth_ref /usr/lib/python2.7/site-packages/keystoneclient/auth/identity/v3.py:117 2015-05-27 11:38:42.504 13632 INFO urllib3.connectionpool [-] Starting new HTTP connection (1): 172.16.89.1 2015-05-27 11:38:42.579 13632 DEBUG urllib3.connectionpool [-] "POST /v3/auth/tokens HTTP/1.1" 401 181 _make_request /usr/lib/python2.7/site-packages/urllib3/connectionpool.py:357 2015-05-27 11:38:42.580 13632 DEBUG keystoneclient.session [-] Request returned failure status: 401 request /usr/lib/python2.7/site-packages/keystoneclient/session.py:345 2015-05-27 11:38:42.580 13632 DEBUG keystoneclient.v3.client [-] Authorization failed. get_raw_token_from_identity_service /usr/lib/python2.7/site-packages/keystoneclient/v3/client.py:267 ---- /var/log/keystone/keystone.log ---- 2015-05-27 11:38:42.265 8847 DEBUG keystone.common.kvs.core [-] KVS lock acquired for: os-revoke-events acquire /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:380 2015-05-27 11:38:42.265 8847 DEBUG keystone.common.kvs.core [-] KVS lock released for: os-revoke-events release /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:399 2015-05-27 11:38:42.265 8847 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'86396c4533a044a1ab106ccaeb7e883d', 'roles': [u'heat_stack_owner', u'admin'], 'trustee_$ 2015-05-27 11:38:42.266 8847 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/site-packages/keystone/common/wsgi.py:191 2015-05-27 11:38:42.267 8847 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:validate_token() _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:55 2015-05-27 11:38:42.267 8847 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:60 2015-05-27 11:38:42.270 8847 DEBUG keystone.common.kvs.core [-] KVS lock acquired for: os-revoke-events acquire /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:380 2015-05-27 11:38:42.270 8847 DEBUG keystone.common.kvs.core [-] KVS lock released for: os-revoke-events release /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:399 2015-05-27 11:38:42.270 8847 DEBUG keystone.policy.backends.rules [-] enforce identity:validate_token: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'86396c4533a044a1ab106ccaeb7e883d', 'roles': [u'heat_stack_owner', u$ 2015-05-27 11:38:42.270 8847 DEBUG keystone.common.controller [-] RBAC: Authorization granted inner /usr/lib/python2.7/site-packages/keystone/common/controller.py:155 2015-05-27 11:38:42.273 8847 DEBUG keystone.common.kvs.core [-] KVS lock acquired for: os-revoke-events acquire /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:380 2015-05-27 11:38:42.273 8847 DEBUG keystone.common.kvs.core [-] KVS lock released for: os-revoke-events release /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:399 2015-05-27 11:38:42.274 8847 INFO eventlet.wsgi.server [-] 172.16.89.1 - - [27/May/2015 11:38:42] "GET /v3/auth/tokens HTTP/1.1" 200 7887 0.012976 2015-05-27 11:38:42.343 8849 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:270 2015-05-27 11:38:42.345 8849 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/site-packages/keystone/common/wsgi.py:191 2015-05-27 11:38:42.441 8849 INFO eventlet.wsgi.server [-] 172.16.89.1 - - [27/May/2015 11:38:42] "POST /v3/auth/tokens HTTP/1.1" 201 7902 0.097828 2015-05-27 11:38:42.450 8852 DEBUG keystone.common.kvs.core [-] KVS lock acquired for: os-revoke-events acquire /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:380 2015-05-27 11:38:42.450 8852 DEBUG keystone.common.kvs.core [-] KVS lock released for: os-revoke-events release /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:399 2015-05-27 11:38:42.450 8852 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'c287350c73ef4410ad17326eee940c5f', 'roles': [u'heat_stack_owner', u'admin'], 'trustee_$ 2015-05-27 11:38:42.452 8852 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/site-packages/keystone/common/wsgi.py:191 2015-05-27 11:38:42.452 8852 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:create_trust(trust={u'impersonation': True, u'project_id': u'b00f98aa1d89401a86bb30baf9bea664', u'trustor_user_id': u'c287350c73ef4410ad17326eee$ 2015-05-27 11:38:42.452 8852 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:60 2015-05-27 11:38:42.453 8852 DEBUG keystone.policy.backends.rules [-] enforce identity:create_trust: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'c287350c73ef4410ad17326eee940c5f', 'roles': [u'heat_stack_owner', u'a$ 2015-05-27 11:38:42.453 8852 DEBUG keystone.common.controller [-] RBAC: Authorization granted inner /usr/lib/python2.7/site-packages/keystone/common/controller.py:155 2015-05-27 11:38:42.457 8852 DEBUG keystone.common.kvs.core [-] KVS lock acquired for: os-revoke-events acquire /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:380 2015-05-27 11:38:42.457 8852 DEBUG keystone.common.kvs.core [-] KVS lock released for: os-revoke-events release /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:399 2015-05-27 11:38:42.480 8852 INFO eventlet.wsgi.server [-] 172.16.89.1 - - [27/May/2015 11:38:42] "POST /v3/OS-TRUST/trusts HTTP/1.1" 201 845 0.034633 2015-05-27 11:38:42.506 8852 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:270 2015-05-27 11:38:42.508 8852 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/site-packages/keystone/common/wsgi.py:191 2015-05-27 11:38:42.576 8852 DEBUG keystone.token.providers.common [-] User 86396c4533a044a1ab106ccaeb7e883d has no access to domain default _populate_roles /usr/lib/python2.7/site-packages/keystone/token/providers/common.py:309 2015-05-27 11:38:42.577 8852 WARNING keystone.common.wsgi [-] Authorization failed. User 86396c4533a044a1ab106ccaeb7e883d has no access to domain default (Disable debug mode to suppress these details.) (Disable debug mode to suppress the$ 2015-05-27 11:38:42.579 8852 INFO eventlet.wsgi.server [-] 172.16.89.1 - - [27/May/2015 11:38:42] "POST /v3/auth/tokens HTTP/1.1" 401 378 0.072790 ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1459179 Title: User heat has no access to domain default when using Keystone v3 with multi-domain-driver Status in OpenStack Identity (Keystone): New Bug description: When using Keystone v3 with multi-domain-driver in Juno on Centos, I cann't deploy heat stack, because the heat user has no access to default domain wich runs on sql default -> SQL -> service user and heat dom -> LDAP -> AD user ---- /var/log/heat/heat.log ---- 2015-05-27 11:38:42.502 13632 DEBUG heat.engine.stack_lock [-] Engine 651cdcf1-49cb-4ca4-9436-35ff538666ed acquired lock on stack 22a20e5a-901b-436c-9c8c-e603bc79015b acquire /usr/lib/python2.7/site-packages/heat/engine/stack_lock.py:72 2015-05-27 11:38:42.503 13632 DEBUG keystoneclient.auth.identity.v3 [-] Making authentication request to http://172.16.89.1:5000/v3/auth/tokens get_auth_ref /usr/lib/python2.7/site-packages/keystoneclient/auth/identity/v3.py:117 2015-05-27 11:38:42.504 13632 INFO urllib3.connectionpool [-] Starting new HTTP connection (1): 172.16.89.1 2015-05-27 11:38:42.579 13632 DEBUG urllib3.connectionpool [-] "POST /v3/auth/tokens HTTP/1.1" 401 181 _make_request /usr/lib/python2.7/site-packages/urllib3/connectionpool.py:357 2015-05-27 11:38:42.580 13632 DEBUG keystoneclient.session [-] Request returned failure status: 401 request /usr/lib/python2.7/site-packages/keystoneclient/session.py:345 2015-05-27 11:38:42.580 13632 DEBUG keystoneclient.v3.client [-] Authorization failed. get_raw_token_from_identity_service /usr/lib/python2.7/site-packages/keystoneclient/v3/client.py:267 ---- /var/log/keystone/keystone.log ---- 2015-05-27 11:38:42.265 8847 DEBUG keystone.common.kvs.core [-] KVS lock acquired for: os-revoke-events acquire /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:380 2015-05-27 11:38:42.265 8847 DEBUG keystone.common.kvs.core [-] KVS lock released for: os-revoke-events release /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:399 2015-05-27 11:38:42.265 8847 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'86396c4533a044a1ab106ccaeb7e883d', 'roles': [u'heat_stack_owner', u'admin'], 'trustee_$ 2015-05-27 11:38:42.266 8847 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/site-packages/keystone/common/wsgi.py:191 2015-05-27 11:38:42.267 8847 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:validate_token() _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:55 2015-05-27 11:38:42.267 8847 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:60 2015-05-27 11:38:42.270 8847 DEBUG keystone.common.kvs.core [-] KVS lock acquired for: os-revoke-events acquire /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:380 2015-05-27 11:38:42.270 8847 DEBUG keystone.common.kvs.core [-] KVS lock released for: os-revoke-events release /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:399 2015-05-27 11:38:42.270 8847 DEBUG keystone.policy.backends.rules [-] enforce identity:validate_token: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'86396c4533a044a1ab106ccaeb7e883d', 'roles': [u'heat_stack_owner', u$ 2015-05-27 11:38:42.270 8847 DEBUG keystone.common.controller [-] RBAC: Authorization granted inner /usr/lib/python2.7/site-packages/keystone/common/controller.py:155 2015-05-27 11:38:42.273 8847 DEBUG keystone.common.kvs.core [-] KVS lock acquired for: os-revoke-events acquire /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:380 2015-05-27 11:38:42.273 8847 DEBUG keystone.common.kvs.core [-] KVS lock released for: os-revoke-events release /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:399 2015-05-27 11:38:42.274 8847 INFO eventlet.wsgi.server [-] 172.16.89.1 - - [27/May/2015 11:38:42] "GET /v3/auth/tokens HTTP/1.1" 200 7887 0.012976 2015-05-27 11:38:42.343 8849 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:270 2015-05-27 11:38:42.345 8849 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/site-packages/keystone/common/wsgi.py:191 2015-05-27 11:38:42.441 8849 INFO eventlet.wsgi.server [-] 172.16.89.1 - - [27/May/2015 11:38:42] "POST /v3/auth/tokens HTTP/1.1" 201 7902 0.097828 2015-05-27 11:38:42.450 8852 DEBUG keystone.common.kvs.core [-] KVS lock acquired for: os-revoke-events acquire /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:380 2015-05-27 11:38:42.450 8852 DEBUG keystone.common.kvs.core [-] KVS lock released for: os-revoke-events release /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:399 2015-05-27 11:38:42.450 8852 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'c287350c73ef4410ad17326eee940c5f', 'roles': [u'heat_stack_owner', u'admin'], 'trustee_$ 2015-05-27 11:38:42.452 8852 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/site-packages/keystone/common/wsgi.py:191 2015-05-27 11:38:42.452 8852 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:create_trust(trust={u'impersonation': True, u'project_id': u'b00f98aa1d89401a86bb30baf9bea664', u'trustor_user_id': u'c287350c73ef4410ad17326eee$ 2015-05-27 11:38:42.452 8852 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment _build_policy_check_credentials /usr/lib/python2.7/site-packages/keystone/common/controller.py:60 2015-05-27 11:38:42.453 8852 DEBUG keystone.policy.backends.rules [-] enforce identity:create_trust: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'c287350c73ef4410ad17326eee940c5f', 'roles': [u'heat_stack_owner', u'a$ 2015-05-27 11:38:42.453 8852 DEBUG keystone.common.controller [-] RBAC: Authorization granted inner /usr/lib/python2.7/site-packages/keystone/common/controller.py:155 2015-05-27 11:38:42.457 8852 DEBUG keystone.common.kvs.core [-] KVS lock acquired for: os-revoke-events acquire /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:380 2015-05-27 11:38:42.457 8852 DEBUG keystone.common.kvs.core [-] KVS lock released for: os-revoke-events release /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:399 2015-05-27 11:38:42.480 8852 INFO eventlet.wsgi.server [-] 172.16.89.1 - - [27/May/2015 11:38:42] "POST /v3/OS-TRUST/trusts HTTP/1.1" 201 845 0.034633 2015-05-27 11:38:42.506 8852 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:270 2015-05-27 11:38:42.508 8852 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /usr/lib/python2.7/site-packages/keystone/common/wsgi.py:191 2015-05-27 11:38:42.576 8852 DEBUG keystone.token.providers.common [-] User 86396c4533a044a1ab106ccaeb7e883d has no access to domain default _populate_roles /usr/lib/python2.7/site-packages/keystone/token/providers/common.py:309 2015-05-27 11:38:42.577 8852 WARNING keystone.common.wsgi [-] Authorization failed. User 86396c4533a044a1ab106ccaeb7e883d has no access to domain default (Disable debug mode to suppress these details.) (Disable debug mode to suppress the$ 2015-05-27 11:38:42.579 8852 INFO eventlet.wsgi.server [-] 172.16.89.1 - - [27/May/2015 11:38:42] "POST /v3/auth/tokens HTTP/1.1" 401 378 0.072790 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1459179/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
