settingsLogin | Registersettings

[Openstack-operators] _member_ role clarification

0 votes

Hi,

Apologies if this questions has been answered already, or is in some doc
somewhere. Please point me in the right direction of so.

I'm upgrading openstack from Juno to Mitaka, in steps. We role our own
openstack using puppet, and have been using identity v3 in Juno with
domains via an ldap backend.

The upgrade process is largely created, tested and working, but not rolled
out across our production sites yet.

However, I notice when I create a new cloud using openstack Mitaka from
scratch, not upgraded from Juno, the member role is no longer created
automatically when users are assigned to projects [ tenants in old money
]. I'm pretty sure this was happening in Juno, and the Juno docs seem to
confirm it.
I believe horizon at least was using this role to allow users access.

I've noticed this because we have scripts to automate some user/group
stuff, and the have some usage of the member role hard coded atm. They
are failing, as the role doesn't exist on non-upgraded clouds :)

So I would like some advice/clarification on what the situation is.

What else, if anything, was the member role used for? heat maybe?

Is the member role no longer required at all, not even by horizon?

If it's no longer required, is it safe or desirable to remove the member
role from upgraded clouds?

Cheers,
Just

--

Notice: This email is confidential and may contain copyright material of
members of the Ocado Group. Opinions and views expressed in this message
may not necessarily reflect the opinions and views of the members of the
Ocado Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and Fabled
is a trading name of Marie Claire Beauty Limited, both members of the Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings (as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
asked Nov 9, 2016 in openstack-operators by Justin_Cattle (620 points)   2 2

3 Responses

0 votes

Hi Justin,

On 9 November 2016 at 11:55, Justin Cattle j@ocado.com wrote:
Hi,

Apologies if this questions has been answered already, or is in some doc
somewhere. Please point me in the right direction of so.

I'm upgrading openstack from Juno to Mitaka, in steps. We role our own
openstack using puppet, and have been using identity v3 in Juno with domains
via an ldap backend.

The upgrade process is largely created, tested and working, but not rolled
out across our production sites yet.

However, I notice when I create a new cloud using openstack Mitaka from
scratch, not upgraded from Juno, the member role is no longer created
automatically when users are assigned to projects [ tenants in old money ].
I'm pretty sure this was happening in Juno, and the Juno docs seem to
confirm it.
I believe horizon at least was using this role to allow users access.

I've noticed this because we have scripts to automate some user/group stuff,
and the have some usage of the member role hard coded atm. They are
failing, as the role doesn't exist on non-upgraded clouds :)

So I would like some advice/clarification on what the situation is.

What else, if anything, was the member role used for? heat maybe?

Is the member role no longer required at all, not even by horizon?

If it's no longer required, is it safe or desirable to remove the member
role from upgraded clouds?

I can't answer all of your questions, but you might find bug #1635306
[1] interesting. It has some additional background information and the
role still seems needed at least by Horizon (unless the default role
name is changed manually in the settings). The related patch merged in
Ocata and Newton, but from your comments it sounds like perhaps a
backport is needed for Mitaka as well?

Regards,

Julie

[1] https://bugs.launchpad.net/tripleo/+bug/1635306


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
responded Nov 9, 2016 by Julie_Pichon (2,740 points)   2 3
0 votes

http://www.gossamer-threads.com/lists/openstack/dev/38640

This is of your interest.

Sent from my iPhone

On Nov 9, 2016, at 6:55 AM, Justin Cattle j@ocado.com wrote:

Hi,

Apologies if this questions has been answered already, or is in some doc somewhere. Please point me in the right direction of so.

I'm upgrading openstack from Juno to Mitaka, in steps. We role our own openstack using puppet, and have been using identity v3 in Juno with domains via an ldap backend.

The upgrade process is largely created, tested and working, but not rolled out across our production sites yet.

However, I notice when I create a new cloud using openstack Mitaka from scratch, not upgraded from Juno, the member role is no longer created automatically when users are assigned to projects [ tenants in old money ]. I'm pretty sure this was happening in Juno, and the Juno docs seem to confirm it.
I believe horizon at least was using this role to allow users access.

I've noticed this because we have scripts to automate some user/group stuff, and the have some usage of the member role hard coded atm. They are failing, as the role doesn't exist on non-upgraded clouds :)

So I would like some advice/clarification on what the situation is.

What else, if anything, was the member role used for? heat maybe?

Is the member role no longer required at all, not even by horizon?

If it's no longer required, is it safe or desirable to remove the member role from upgraded clouds?

Cheers,
Just

Notice: This email is confidential and may contain copyright material of members of the Ocado Group. Opinions and views expressed in this message may not necessarily reflect the opinions and views of the members of the Ocado Group.

If you are not the intended recipient, please notify us immediately and delete all copies of this message. Please note that it is your responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and Fabled is a trading name of Marie Claire Beauty Limited, both members of the Ocado Group.

References to the “Ocado Group” are to Ocado Group plc (registered in England and Wales with number 7098618) and its subsidiary undertakings (as that expression is defined in the Companies Act 2006) from time to time. The registered office of Ocado Group plc is Titan Court, 3 Bishops Square, Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
responded Nov 9, 2016 by Mohammed_Naser (3,860 points)   1 3
0 votes

Thanks all for the responses.
I have seen both of those threads already, but I wasn't 100% sure what I
was seeing was a design change or a bug.

For now I've added a "me too" to the keystone bug and I'll see what the
response is.

Thanks.

Cheers,
Just

On 9 November 2016 at 13:18, Mohammed Naser mnaser@vexxhost.com wrote:

http://www.gossamer-threads.com/lists/openstack/dev/38640

This is of your interest.

Sent from my iPhone

On Nov 9, 2016, at 6:55 AM, Justin Cattle j@ocado.com wrote:

Hi,

Apologies if this questions has been answered already, or is in some doc
somewhere. Please point me in the right direction of so.

I'm upgrading openstack from Juno to Mitaka, in steps. We role our own
openstack using puppet, and have been using identity v3 in Juno with
domains via an ldap backend.

The upgrade process is largely created, tested and working, but not rolled
out across our production sites yet.

However, I notice when I create a new cloud using openstack Mitaka from
scratch, not upgraded from Juno, the member role is no longer created
automatically when users are assigned to projects [ tenants in old money
]. I'm pretty sure this was happening in Juno, and the Juno docs seem to
confirm it.
I believe horizon at least was using this role to allow users access.

I've noticed this because we have scripts to automate some user/group
stuff, and the have some usage of the member role hard coded atm. They
are failing, as the role doesn't exist on non-upgraded clouds :)

So I would like some advice/clarification on what the situation is.

What else, if anything, was the member role used for? heat maybe?

Is the member role no longer required at all, not even by horizon?

If it's no longer required, is it safe or desirable to remove the member
role from upgraded clouds?

Cheers,
Just

Notice: This email is confidential and may contain copyright material of
members of the Ocado Group. Opinions and views expressed in this message
may not necessarily reflect the opinions and views of the members of the
Ocado Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and Fabled
is a trading name of Marie Claire Beauty Limited, both members of the Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings (as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

--

Notice: This email is confidential and may contain copyright material of
members of the Ocado Group. Opinions and views expressed in this message
may not necessarily reflect the opinions and views of the members of the
Ocado Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and Fabled
is a trading name of Marie Claire Beauty Limited, both members of the Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings (as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
responded Nov 10, 2016 by Justin_Cattle (620 points)   2 2
...