[Openstack-operators] [puppet] WARNING - breaking backwards compatibility in puppet-keystone

Rich Megginson rmeggins at redhat.com
Wed Oct 7 17:28:35 UTC 2015

tl;dr You must specify a domain when using domain scoped resources.

If you are using domains with puppet-keystone, there is a proposed patch 
that will break backwards compatibility.

https://review.openstack.org/#/c/226624/ Replace indirection calls

"Indirection calls are replaced with #fetch_project and #fetch_user methods
using python-openstackclient (OSC).

Also removes the assumption that if a resource is unique within a domain 
then the domain doesn't have to be specified."

It is the last part which is causing backwards compatibility to be 
broken.  This patch requires that a domain scoped resource _must_ be 
qualified with the domain name if _not_ in the 'Default' domain.  
Previously, you did not have to qualify a resource name with the domain 
if the name was unique in _all_ domains.  The problem was this code 
relied heavily on puppet indirection, and was complex and difficult to 
maintain.  We removed it in favor of a very simple implementation: if 
the name is not qualified with a domain, it must be in the 'Default' domain.

Here is an example from puppet-heat - the 'heat_admin' user has been 
created in the 'heat_stack' domain previously.

     ensure_resource('keystone_user_role', 'heat_admin@::heat_stack", {
       'roles' => ['admin'],

This means "assign the user 'heat_admin' in the unspecified domain to 
have the domain scoped role 'admin' in the 'heat_stack' domain". It is a 
domain scoped role, not a project scoped role, because in 
"@::heat_stack" there is no project, only a domain. Note that the domain 
for the 'heat_admin' user is unspecified. In order to specify the domain 
you must use 'heat_admin::heat_stack@::heat_stack'. This is the 
recommended fix - to fully qualify the user + domain.

The breakage manifests itself like this, from the logs::

     2015-10-02 06:07:39.574 | Debug: Executing '/usr/bin/openstack user 
show --format shell heat_admin --domain Default'
     2015-10-02 06:07:40.505 | Error: 
Could not evaluate: No user heat_admin with domain  found

This is from the keystone_user_role code. Since the role user was 
specified as 'heat_admin' with no domain, the keystone_user_role code 
looks for 'heat_admin' in the 'Default' domain and can't find it, and 
raises an error.

Right now, the only way to specify the domain is by adding 
'::domain_name' to the user name, as 
'heat_admin::heat_stack@::heat_stack'.  Sofer is working on a way to add 
the domain name as a parameter of keystone_user_role - 
https://review.openstack.org/226919 - so in the near future you will be 
able to specify the resource like this:

     ensure_resource('keystone_user_role', 'heat_admin@::heat_stack", {
       'roles' => ['admin'],
       'user_domain_name' => 'heat_stack',

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20151007/cbebc995/attachment.html>

More information about the OpenStack-operators mailing list