Trying to get heat with keystone API v3 and trusts to work

asked 2016-11-30 06:23:18 -0500

DanielK

Hello

As the title says I am trying to get this to work but I am unable to. I have migrated my test setup to keystone API V3 and all services are OK, but the heat service doesn't work as intended.

I have set my stack_user_domain_id and stack_domain_admin. I also have deferred_auth_method = trusts and trusts_delegated_roles = heat_stack_owner set. I have a separate domain called heat in which my stack_domain_admin has the admin and heat-stack_owner role.

openstack user list --domain heat

+----------------------------------+-------------+
| ID                               | Name        |
+----------------------------------+-------------+
| 415db3f35e8445b085676c6eb73e94eb | stack_admin |
+----------------------------------+-------------+

openstack role list --domain heat

+----------------------------------+------------------+
| ID                               | Name             |
+----------------------------------+------------------+
| 1effcb0a91d0408a9b71098ac3bb98c7 | project_admin    |
| 3424d73431f84d6090a934854c596e96 | heat_stack_user  |
| 80db8ad3599d4603b16bd80983b90cda | heat_stack_owner |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_         |
| a7599f32de514ddab3d93c8380e4aec6 | admin            |
| e1143e6bb70344d68c115d4652462014 | image_admin      |
+----------------------------------+------------------+

openstack role assignment list -c Role -c User --domain heat

+----------------------------------+----------------------------------+
| Role                             | User                             |
+----------------------------------+----------------------------------+
| 80db8ad3599d4603b16bd80983b90cda | 415db3f35e8445b085676c6eb73e94eb |
| a7599f32de514ddab3d93c8380e4aec6 | 415db3f35e8445b085676c6eb73e94eb |
| a7599f32de514ddab3d93c8380e4aec6 | admin                            |
+----------------------------------+----------------------------------+

My own user is also heat-stack_owner in the project I am a member of in my default domain.

However, if I try to deploy a heat stack I am getting an error: ERROR: Remote error: BadRequest Expecting to find id or name in user (full debug output here: http://pastebin.com/N0R0c29i). This looks to me like the trusts are not working, especially since I can deploy this stack if I switch to password as deferred_auth_method.

Can anyone shed some light on what I might be missing there?


Comments

Can you check the keystone log to see if it gives any more detail?

zaneb ( 2016-12-02 07:47:05 -0500 )

I don't see much more than in the debug output of the deployment itself, except this message, which adds further information:

016-12-02 14:31:11.333 8354 DEBUG keystone.common.manager [-] Failed to load 'keystone.trust.backends.sql.Trust' using stevedore: No 'keystone.trust' driver found

DanielK ( 2016-12-02 08:40:55 -0500 )

Is there some package that I am missing which contains that driver?

BTW, this is OpenStack Liberty and keystone 1:8.1.2-1.el7 on CentOS 7.

DanielK ( 2016-12-02 08:42:20 -0500 )

That sounds like the source of the problem. The cause is a mystery to me though. Nothing is split into subpackages: https://review.rdoproject.org/r/gitwe...

zaneb ( 2016-12-02 09:28:40 -0500 )
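
One way to inspect what the stevedore message in the comments refers to, as an added example that is not part of the original thread: stevedore resolves drivers by name from Python entry points, so this lists what is registered under the namespace named in the log line and compares it with the driver value keystone tried to load. The function names are hypothetical and Python 3.8+ is assumed; on an older interpreter, pkg_resources.iter_entry_points(namespace) yields the same information.

```python
import re
from importlib import metadata

# Log line copied from the thread above.
LOG_LINE = ("016-12-02 14:31:11.333 8354 DEBUG keystone.common.manager [-] "
            "Failed to load 'keystone.trust.backends.sql.Trust' using stevedore: "
            "No 'keystone.trust' driver found")

_PATTERN = re.compile(
    r"Failed to load '(?P<driver>[^']+)' using stevedore: "
    r"No '(?P<namespace>[^']+)' driver found")


def parse_driver_failure(line):
    """Return (driver, namespace) from a stevedore load-failure line, or None."""
    match = _PATTERN.search(line)
    return (match.group("driver"), match.group("namespace")) if match else None


def registered_drivers(namespace):
    """Map entry-point name -> target for every driver registered in namespace."""
    eps = metadata.entry_points()
    if hasattr(eps, "select"):      # Python 3.10+
        found = eps.select(group=namespace)
    else:                           # Python 3.8 / 3.9 return a plain dict
        found = eps.get(namespace, [])
    return {ep.name: ep.value for ep in found}


def diagnose(line):
    """Say why stevedore could not resolve the driver named in the line."""
    parsed = parse_driver_failure(line)
    if parsed is None:
        return "not a stevedore driver failure"
    driver, namespace = parsed
    drivers = registered_drivers(namespace)
    if not drivers:
        return "no entry points registered for %s" % namespace
    if driver in drivers:
        return "%s is registered; check for import errors" % driver
    for name, target in drivers.items():
        # Entry-point targets look like 'package.module:Class'.
        if target.replace(":", ".") == driver:
            return "registered as entry-point name %r, not the class path" % name
    return "%s not registered; available: %s" % (driver, sorted(drivers))


if __name__ == "__main__":
    print(diagnose(LOG_LINE))
```

Run it with the same Python interpreter that the keystone service uses, otherwise the entry points it reports are not the ones keystone sees.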