Failed to GetOpenStackProvider: You must provide exactly one of DomainID or DomainName to authenticate by Username'

[kaitaklam]

• cinder-csi-plugin get error 'W0729 14:57:42.319850 1 main.go:108] Failed to GetOpenStackProvider: You must provide exactly one of DomainID or DomainName to authenticate by Username'

with cloud-config [Global] username = xxx password = cdm domain-id = default auth-url = http://..../identity region = RegionOne

steps:

update manifests/cinder-csi-plugin/csi-secret-cinderplugin.yaml with base64 encoded cloud-config

kubectl apply -f manifest/cinder-csi-plugin

error: kubectl logs csi-cinder-controllerplugin-0 -n kube-system -c cinder-csi-plugin I0729 14:57:42.309688 1 driver.go:69] Driver: cinder.csi.openstack.org I0729 14:57:42.309762 1 driver.go:70] Driver version: 1.2.0@latest I0729 14:57:42.309770 1 driver.go:71] CSI Spec version: 1.2.0 I0729 14:57:42.309782 1 driver.go:100] Enabling controller service capability: LIST_VOLUMES I0729 14:57:42.309790 1 driver.go:100] Enabling controller service capability: CREATE_DELETE_VOLUME I0729 14:57:42.309796 1 driver.go:100] Enabling controller service capability: PUBLISH_UNPUBLISH_VOLUME I0729 14:57:42.309802 1 driver.go:100] Enabling controller service capability: CREATE_DELETE_SNAPSHOT I0729 14:57:42.309807 1 driver.go:100] Enabling controller service capability: LIST_SNAPSHOTS I0729 14:57:42.309813 1 driver.go:100] Enabling controller service capability: EXPAND_VOLUME I0729 14:57:42.309832 1 driver.go:100] Enabling controller service capability: CLONE_VOLUME I0729 14:57:42.309837 1 driver.go:100] Enabling controller service capability: LIST_VOLUMES_PUBLISHED_NODES I0729 14:57:42.309842 1 driver.go:112] Enabling volume access mode: SINGLE_NODE_WRITER I0729 14:57:42.309849 1 driver.go:122] Enabling node service capability: STAGE_UNSTAGE_VOLUME I0729 14:57:42.309862 1 driver.go:122] Enabling node service capability: EXPAND_VOLUME I0729 14:57:42.309869 1 driver.go:122] Enabling node service capability: GET_VOLUME_STATS I0729 14:57:42.310506 1 openstack.go:87] Block storage opts: {0 false} W0729 14:57:42.319850 1 main.go:108] Failed to GetOpenStackProvider: You must provide exactly one of DomainID or DomainName to authenticate by Username

But I do define: domain-id = default

[jichenjc]

I used domain-name and it works fine , how about give a try to see whether it's really something missing or other issue?

[kayrus]

@jichenjc @kaitaklam I assume you also have environment variables set along with the cloud.conf. Usually this error message comes from: https://github.com/gophercloud/gophercloud/blob/bd999d0da882fe8c5b0077b7af2dcc019c1ab458/auth_options.go#L310..L317 (see ErrDomainIDOrDomainName error type).

[jichenjc]

@kayrus good point, I don't have such issue as I only set domain-name and yes, this is something @kaitaklam can check on the env

[kayrus]

Another suspect: keystone v2. It doesn't support domain_id: https://github.com/gophercloud/utils/blob/b0167b94122ca14ce50258a760b4e9b22788f0d7/openstack/clientconfig/requests.go#L494

[kaitaklam]

@jichen: Can you share your cloud-config, then I can see the exact domain-id name in cloud-config that you are using? Thanks

I follow this procedure: https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-cinder-csi-plugin.md Using manifest Encode: base64 -w 0 $CLOUD_CONFIG and update in file manifests/cinder-csi-plugin/csi-secret-cinderplugin.yaml

But I am not aware that need to setup environment variable. At least I don’t know how.

Anyway I have also added domain-id: [Global] username = xxx password = xxx domain-id = default domain-name = Default auth-url = http://.../identity region = RegionOne

I still got the error: I0730 06:55:48.722468 1 driver.go:69] Driver: cinder.csi.openstack.org I0730 06:55:48.722574 1 driver.go:70] Driver version: 1.2.0@latest I0730 06:55:48.722584 1 driver.go:71] CSI Spec version: 1.2.0 I0730 06:55:48.722598 1 driver.go:100] Enabling controller service capability: LIST_VOLUMES I0730 06:55:48.722609 1 driver.go:100] Enabling controller service capability: CREATE_DELETE_VOLUME I0730 06:55:48.722618 1 driver.go:100] Enabling controller service capability: PUBLISH_UNPUBLISH_VOLUME I0730 06:55:48.722626 1 driver.go:100] Enabling controller service capability: CREATE_DELETE_SNAPSHOT I0730 06:55:48.722641 1 driver.go:100] Enabling controller service capability: LIST_SNAPSHOTS I0730 06:55:48.722655 1 driver.go:100] Enabling controller service capability: EXPAND_VOLUME I0730 06:55:48.722662 1 driver.go:100] Enabling controller service capability: CLONE_VOLUME I0730 06:55:48.722672 1 driver.go:100] Enabling controller service capability: LIST_VOLUMES_PUBLISHED_NODES I0730 06:55:48.722681 1 driver.go:112] Enabling volume access mode: SINGLE_NODE_WRITER I0730 06:55:48.722689 1 driver.go:122] Enabling node service capability: STAGE_UNSTAGE_VOLUME I0730 06:55:48.722699 1 driver.go:122] Enabling node service capability: EXPAND_VOLUME I0730 06:55:48.722706 1 driver.go:122] Enabling node service capability: GET_VOLUME_STATS I0730 06:55:48.724012 1 openstack.go:87] Block storage opts: {0 false} W0730 06:55:48.733515 1 main.go:108] Failed to GetOpenStackProvider: You must provide exactly one of DomainID or DomainName to authenticate by Username

Can you share your cloud-config, then I can see the exact domain-id name that you are using? Thanks,

Kai From: kayrus notifications@github.com Sent: Thursday, July 30, 2020 7:16 AM To: kubernetes/cloud-provider-openstack cloud-provider-openstack@noreply.github.com Cc: Kai Lam kai.lam@mavenir.com; Mention mention@noreply.github.com Subject: [E] Re: [kubernetes/cloud-provider-openstack] Failed to GetOpenStackProvider: You must provide exactly one of DomainID or DomainName to authenticate by Username' (#1137)

[EXTERNAL EMAIL] DO NOT CLICK links or attachments unless you recognize the sender and know the content is safe.

@jichenjchttps://github.com/jichenjc @kaitaklamhttps://github.com/kaitaklam I assume you also have environment variables set along with the cloud.conf. Usually this error message comes from: https://github.com/gophercloud/gophercloud/blob/bd999d0da882fe8c5b0077b7af2dcc019c1ab458/auth_options.go#L310..L317 (see ErrDomainIDOrDomainName error type).

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://github.com/kubernetes/cloud-provider-openstack/issues/1137#issuecomment-666119340, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AM6WJTFLWKDD7VL35XZDVHLR6D6X7ANCNFSM4PLWBQWQ.

---

This e-mail message may contain confidential or proprietary information of Mavenir Systems, Inc. or its affiliates and is intended solely for the use of the intended recipient(s). If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies in your control and contact us by e-mailing to security@mavenir.com. This message contains the views of its author and may not necessarily reflect the views of Mavenir Systems, Inc. or its affiliates, who employ systems to monitor email messages, but make no representation that such messages are authorized, secure, uncompromised, or free from computer viruses, malware, or other defects. Thank You

[kayrus]

@kaitaklam

Anyway I have also added domain-id:
[Global]
username = xxx
password = xxx
domain-id = default
domain-name = Default
auth-url = http://.../identity
region = RegionOne

• you specify both domain-id and domain-name, that is why you get You must provide exactly one of DomainID or DomainName to authenticate by Username error message
• you don't specify any project references. For V3 keystone this means you're obtaining domain scope and usually this doesn't make sense. For V2 keystone is just doesn't work, because V2 keystone doesn't know anything about domains.
• If you really want to get the domain scope without specifying a project reference, you have to use one of user-domain-id or user-domain-name and omit both domain-id and domain-name

[jichenjc]

@kaitaklam as @kayrus mentioned, you can follow his suggestion

this is what I am having: it works well with latest cloud provider and devstack (created a few days ago)

[Global]
auth-url=http://xxxxxxx/identity
username="admin"
password="secret"
tenant-id="xxxxx"
tenant-name="xxxxx"
domain-name="default"
region="RegionOne"

[kaitaklam]

@kayrus, Thanks for your good feedback.

This is the openrc file that I have downloaded from openstack (need to anonymize secrets etc). $env:OS_AUTH_URL='http://xxxxxxx/identity' $env:OS_PROJECT_ID='xxx' $env:OS_PROJECT_NAME='xxx’ $env:OS_USER_DOMAIN_NAME='Default' $env:OS_PROJECT_DOMAIN_ID='default' $env:OS_USERNAME='xxx' $env:OS_PASSWORD='xxx' $env:OS_REGION_NAME="RegionOne" $env:OS_INTERFACE='public' $env:OS_IDENTITY_API_VERSION=3 $env:OS_TENANT_ID = $Null $env:OS_TENANT_NAME= $Null

May be you can help me to create a cloud-config file?

Regards

Kai

From: kayrus notifications@github.com Sent: Thursday, July 30, 2020 9:07 AM To: kubernetes/cloud-provider-openstack cloud-provider-openstack@noreply.github.com Cc: Kai Lam kai.lam@mavenir.com; Mention mention@noreply.github.com Subject: [E] Re: [kubernetes/cloud-provider-openstack] Failed to GetOpenStackProvider: You must provide exactly one of DomainID or DomainName to authenticate by Username' (#1137)

[EXTERNAL EMAIL] DO NOT CLICK links or attachments unless you recognize the sender and know the content is safe.

@kaitaklamhttps://github.com/kaitaklam

Anyway I have also added domain-id:

[Global]

username = xxx

password = xxx

domain-id = default

domain-name = Default

auth-url = http://.../identity

region = RegionOne

• you specify both domain-id and domain-name, that is why you get You must provide exactly one of DomainID or DomainName to authenticate by Username error message
• you don't specify any project references. For V3 keystone this means you're obtaining domain scope and usually this doesn't make sense. For V2 keystone is just doesn't work, because V2 keystone doesn't know anything about domains.
• If you really want to get the domain scope without specifying a project reference, you have to use one of user-domain-id or user-domain-name and omit both domain-id and domain-name

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://github.com/kubernetes/cloud-provider-openstack/issues/1137#issuecomment-666173313, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AM6WJTCJZNYO3XWJUVW4G3TR6ELZXANCNFSM4PLWBQWQ.

---

This e-mail message may contain confidential or proprietary information of Mavenir Systems, Inc. or its affiliates and is intended solely for the use of the intended recipient(s). If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies in your control and contact us by e-mailing to security@mavenir.com. This message contains the views of its author and may not necessarily reflect the views of Mavenir Systems, Inc. or its affiliates, who employ systems to monitor email messages, but make no representation that such messages are authorized, secure, uncompromised, or free from computer viruses, malware, or other defects. Thank You

[kaitaklam]

I got is working now. This is my openrc file: $env:OS_AUTH_URL='http://xxxx/identity' $env:OS_PROJECT_ID='xxx' $env:OS_PROJECT_NAME='xxx' $env:OS_USER_DOMAIN_NAME='Default' $env:OS_PROJECT_DOMAIN_ID='default' $env:OS_USERNAME='xxx' $env:OS_PASSWORD='xxx' $env:OS_REGION_NAME="RegionOne" $env:OS_INTERFACE='public' $env:OS_IDENTITY_API_VERSION=3 $env:OS_TENANT_ID = $Null $env:OS_TENANT_NAME= $Null

cloud-config file: [Global] auth-url=http://xxx/identity username="xxx" password="xxx" user-domain-name="Default" project-id="xxx" region="RegionOne"

[lingxiankong]

Thanks both of you @kayrus and @jichenjc