OpenStack multi-domain support


#1

Hello,

Can anyone comment on whether ManageIQ supports OpenStack environments with multiple domains?

From what I can tell, the domain section is configurable when setting up the Cloud Provider; however, authentication always fails.

Now if I select the v2 option, authentication passes; however, I don’t get any information on instances, projects / tenants, etc. I only end up with images, flavors and such.

In my OpenStack Liberty environment I have 4 domains, the default, cloud_admins, cloud_dev and cloud_qa.

The evm.log:
[----] I, [2016-06-22T17:27:19.158418 #12112:7f47ac] INFO -- : MIQ(ManageIQ::Providers::Openstack::CloudManager#with_provider_connection) Connecting through ManageIQ::Providers::Openstack::CloudManager: [DEV QA OpenStack]
[----] E, [2016-06-22T17:27:19.320510 #12112:7f47ac] ERROR -- : excon.error #<Excon::Errors::Unauthorized: Expected([201]) <=> Actual(401 Unauthorized)
excon.error.response
:body => "{\"error\": {\"message\": \"The request you have made requires authentication.\", \"code\": 401, \"title\": \"Unauthorized\"}}"
:cookies => [
]
:headers => {
"Content-Length" => "114"
"Content-Type" => "application/json"
"Date" => "Wed, 22 Jun 2016 21:27:19 GMT"
"Server" => "Apache"
"Vary" => "X-Auth-Token"
"WWW-Authenticate" => "Keystone uri=\"https://cloudqa.ppc.mydns.com:5000\""
"x-openstack-request-id" => "req-68211259-2eb9-4f90-94ae-18c51cd82206"
}
:host => "cloudqa.ppc.mydns.com"
:local_address => "10.96.206.214"
:local_port => 49113
:path => "/v3/auth/tokens"
:port => 5000
:reason_phrase => "Unauthorized"
:remote_ip => "10.96.1.21"
:status => 401
:status_line => "HTTP/1.1 401 Unauthorized\r\n"

[----] E, [2016-06-22T17:27:19.320763 #12112:7f47ac] ERROR -- : MIQ(ManageIQ::Providers::Openstack::CloudManager#verify_api_credentials) Error Class=Excon::Errors::Unauthorized, Message=Expected([201]) <=> Actual(401 Unauthorized)
excon.error.response
:body => "{\"error\": {\"message\": \"The request you have made requires authentication.\", \"code\": 401, \"title\": \"Unauthorized\"}}"
:cookies => [
]
:headers => {
"Content-Length" => "114"
"Content-Type" => "application/json"
"Date" => "Wed, 22 Jun 2016 21:27:19 GMT"
"Server" => "Apache"
"Vary" => "X-Auth-Token"
"WWW-Authenticate" => "Keystone uri=\"https://cloudqa.ppc.mydns.com:5000\""
"x-openstack-request-id" => "req-68211259-2eb9-4f90-94ae-18c51cd82206"
}
:host => "cloudqa.ppc.mydns.com"
:local_address => "10.96.206.214"
:local_port => 49113
:path => "/v3/auth/tokens"
:port => 5000
:reason_phrase => "Unauthorized"
:remote_ip => "10.96.1.21"
:status => 401
:status_line => "HTTP/1.1 401 Unauthorized\r\n"

[----] W, [2016-06-22T17:27:19.320852 #12112:7f47ac] WARN -- : MIQ(ManageIQ::Providers::Openstack::CloudManager#authentication_check_no_validation) type: ["default"] for [1] [DEV QA OpenStack] Validation failed: invalid, Login failed due to a bad username or password.
[----] E, [2016-06-22T17:27:19.321036 #12112:7f47ac] ERROR -- : MIQ(ems_cloud_controller-update): Credential validation was not successful: Login failed due to a bad username or password.
[----] I, [2016-06-22T17:27:20.369397 #11906:445980] INFO -- : MIQ(MiqServer#heartbeat) Heartbeat [2016-06-22 21:27:20 UTC]...
[----] I, [2016-06-22T17:27:20.381208 #11906:445980] INFO -- : MIQ(MiqServer#heartbeat) Heartbeat [2016-06-22 21:27:20 UTC]...Complete


#2

Multi-domain still has some issues in the fog-openstack library. Right now, OpenStack needs to be set up in a certain way for fog-openstack to be able to talk to it. If you follow https://bugzilla.redhat.com/show_bug.cgi?id=1228542, you should be able to make it work.


#3

Hi @Ladas,

Are those issues still applicable for connecting to the OpenStack v3 API? I have similar problems (authentication check - … bad username or password) and I’m not sure what is wrong.


#4

@cankarm the mentioned BZs were fixed, so it should be working now. Can you paste evm.log, fog.log and production.log(development.log) around the time you try to authenticate?

Also, are you able to authenticate against Keystone v3 using the OpenStack Client?


#5

Hi @Ladas

Thanks for the prompt response. Here is the part from fog.log; the same is also in evm.log:

[----] E, [2016-11-02T13:02:16.399404 #5047:2ac18c393cf8] ERROR -- : excon.error     #<Excon::Error::Unauthorized: Expected([201]) <=> Actual(401 Unauthorized)
excon.error.response
  :body          => "{\"error\": {\"message\": \"The request you have made requires authentication.\", \"code\": 401, \"title\": \"Unauthorized\"}}"
  :cookies       => [
  ]
  :headers       => {
"Content-Length"         => "114"
"Content-Type"           => "application/json"
"Date"                   => "Wed, 02 Nov 2016 12:01:40 GMT"
"Server"                 => "Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5"
"Vary"                   => "X-Auth-Token"
"WWW-Authenticate"       => "Keystone uri=\"http://x.x.x.x:5000\""
"x-openstack-request-id" => "req-xxxxxxxxxxx"
  }
  :host          => "x.x.x.x"
  :local_address => "x.x.x.x"
  :local_port    => 41042
  :path          => "/v3/auth/tokens"
  :port          => 5000
  :reason_phrase => "Unauthorized"
  :remote_ip     => "x.x.x.x"
  :status        => 401
  :status_line   => "HTTP/1.1 401 Unauthorized\r\n"

With the same credentials from the MiQ machine, I can successfully retrieve an auth token with the following curl command:

curl -i \
  -H "Content-Type: application/json" \
  -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "admin",
          "domain": { "id": "default" },
          "password": "adminpwd"
        }
      }
    }
  }
}' \
  http://localhost:5000/v3/auth/tokens ; echo

Which part of the development.log do you prefer? It’s a few gigs of text… well not any more… :wink:


#6

btw, the validation of connection to RabbitMQ is successful


#7

I solved the problem - wrong Domain ID and mapping to the users.


#8

Hello @cankarm, I am running into the same issue that you reported. Could you give me an example of your settings to connect with the API V3?

With API V2 everything works fine.

This is the output I get when I run the command that you showed above on my controller.

{
    "token": {
        "issued_at": "2017-01-25T20:17:50.000000Z",
        "audit_ids": [
            "t-83vdwkSMCgwf8TmkPeaA"
        ],
        "methods": [
            "password"
        ],
        "expires_at": "2017-01-25T21:17:50.000000Z",
        "user": {
            "domain": {
                "id": "default",
                "name": "Default"
            },
            "id": "ebe85193b24346c692378d35912fa369",
            "name": "admin"
        }
    }
}

Keystone Log

WARNING keystone.common.wsgi [req-ea2917ed-19b8-4bef-b2d5-7cf43bf5f238 - - - - -] Authorization failed. The request you have made requires authentication. from ManageIQ

I hope you can help me.

Thank you for your support!


#9

Hi @Eddy_Castillon,

I’m not sure what your problem is, but I resolved my issue when I put in the whole Keystone V3 Domain ID, not just the name (see example below).

And the user must be an Admin of the domain!
I hope this helps…
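
An added example, not part of any post in this thread and not ManageIQ or fog-openstack code: the Keystone v3 password request from the curl command in post #5, built so that a domain is always passed explicitly as an ID or as a name, plus a check of what a returned token is scoped to (the request in post #5 carries no scope). The helper names, the project scope option and the sample token are constructed for illustration.

```ruby
require "json"

# Constructed sample: an unscoped token response, trimmed to the fields used.
SAMPLE_UNSCOPED = <<~JSON
  {"token": {"methods": ["password"],
             "user": {"name": "admin",
                      "domain": {"id": "default", "name": "Default"}}}}
JSON

# Accept exactly one of :id or :name so the two are never confused.
def domain_ref(ref)
  ref  = ref.transform_keys(&:to_s)
  keys = ref.keys & %w[id name]
  raise ArgumentError, "domain needs exactly one of id or name" unless keys.size == 1
  { keys.first => ref.fetch(keys.first) }
end

# Body for POST /v3/auth/tokens using the password method.
# Without `scope`, Keystone issues an unscoped token (no project, no catalog).
def keystone_v3_auth_body(user:, password:, domain:, scope: nil)
  auth = {
    "identity" => {
      "methods"  => ["password"],
      "password" => {
        "user" => { "name" => user, "domain" => domain_ref(domain), "password" => password }
      }
    }
  }
  if scope
    auth["scope"] = {
      "project" => { "name"   => scope.fetch(:project),
                     "domain" => domain_ref(scope.fetch(:project_domain)) }
    }
  end
  { "auth" => auth }
end

# Report what a token response is scoped to.
def token_scope(response_json)
  token = JSON.parse(response_json).fetch("token")
  return "project:#{token['project']['name']}" if token["project"]
  return "domain:#{token['domain']['id']}" if token["domain"]
  "unscoped"
end
```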


#10

Hi @Eddy_Castillon, how did you get the whole Keystone v3 domain?

As far as I can see, the ID for my default domain is just default.

[root@localhost ~]# openstack domain list
+----------------------------------+---------+---------+--------------------------+
| ID                               | Name    | Enabled | Description              |
+----------------------------------+---------+---------+--------------------------+
| 237f9650668143fd96bf70c6816c30ce | heat    | True    | Stack projects and users |
| default                          | Default | True    | The default domain       |
+----------------------------------+---------+---------+--------------------------+

Can you also help with the bottom part of the configuration? I tried with port 5000 (public endpoint) as well as 35357 (admin endpoint) but I am getting the same error.

2017-06-06 13:51:17.322 29765 INFO keystone.common.wsgi [req-64fc7bbf-8730-4968-89ad-ae35d4d5cbe2 - - - - -] POST http://172.16.110.254:5000/v3/auth/tokens
2017-06-06 13:51:17.471 29765 WARNING keystone.common.wsgi [req-64fc7bbf-8730-4968-89ad-ae35d4d5cbe2 - - - - -] Authorization failed. The request you have made requires authentication. from 172.16.110.64

My AMQP auth was successful.


#11

Hi @Ashish_Mishra,

I hope you have fixed your issue and you are enjoying ManageIQ. My apologies for my delayed answer.