[openstack-dev] [keystone][nova] Struggling with non-admin user on Queens install

Neil Jerram neil at tigera.io
Thu Aug 9 15:42:39 UTC 2018


I'd like to create a non-admin project and user that are able to do
nova.images.list(), in a Queens install.  IIUC, all users should be able to
do that.  I'm afraid I'm pretty lost and would appreciate any help.

Define a function to test whether a particular set of credentials can do
nova.images.list():

from keystoneauth1 import identity
from keystoneauth1 import session
from novaclient.client import Client as NovaClient

def attemp(auth):
    # Build a session from the given auth plugin and list images via nova.
    sess = session.Session(auth=auth)
    nova = NovaClient(2, session=sess)
    for i in nova.images.list():
        print(i)

With an admin user, things work:

>>> auth_url = "http://controller:5000/v3"
>>> auth = identity.Password(auth_url=auth_url,
...                               username="admin",
...                               password="abcdef",
...                               project_name="admin",
...                               project_domain_id="default",
...                               user_domain_id="default")
>>> attemp(auth)
<Image: ipv6_enabled_image>
<Image: cirros-0.3.2-x86_64>

With a non-admin user with project_id specified, 401:

>>> tauth = identity.Password(auth_url=auth_url,
...                               username="tenant2",
...                               password="password",
...                               project_id="tenant2",
...                               user_domain_id="default")
>>> attemp(tauth)
...
keystoneauth1.exceptions.http.Unauthorized: The request you have made
requires authentication. (HTTP 401) (Request-ID:
req-ed0630a4-7df0-4ba8-a4c4-de3ecb7b4d7d)

With the same but without project_id, I get an empty service catalog
instead:

>>> tauth = identity.Password(auth_url=auth_url,
...                               username="tenant2",
...                               password="password",
...                               #project_name="tenant2",
...                               #project_domain_id="default",
...                               user_domain_id="default")
>>>
>>> attemp(tauth)
...
keystoneauth1.exceptions.catalog.EmptyCatalog: The service catalog is empty.

Can anyone help?

Regards,
     Neil
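
Added example, not part of the original message and not keystoneauth1's own code: it builds the Identity v3 `POST /v3/auth/tokens` password request body for the three credential sets above, to show what scope each one asks Keystone for. The helper names, the `ATTEMPTS` labels and the local `ValueError` check are assumptions of this sketch.

```python
import json

def v3_password_body(username, password, user_domain_id,
                     project_id=None, project_name=None,
                     project_domain_id=None):
    """Build the JSON body of POST /v3/auth/tokens for password auth."""
    user = {"name": username, "password": password,
            "domain": {"id": user_domain_id}}
    auth = {"identity": {"methods": ["password"],
                         "password": {"user": user}}}
    if project_id is not None:
        # scope.project.id is compared with the project's ID, not its name.
        auth["scope"] = {"project": {"id": project_id}}
    elif project_name is not None:
        if project_domain_id is None:
            # Local check (assumption of this sketch): project names are
            # only unique within a domain, so a bare name is ambiguous.
            raise ValueError("project_name requires a project domain")
        auth["scope"] = {"project": {"name": project_name,
                                     "domain": {"id": project_domain_id}}}
    # With no "scope" key the token is unscoped (no roles, no service
    # catalog) unless the user has a default project configured.
    return {"auth": auth}

def scope_kind(body):
    """Classify how a request body asks Keystone to scope the token."""
    project = body["auth"].get("scope", {}).get("project")
    if project is None:
        return "unscoped"
    return "project-by-id" if "id" in project else "project-by-name"

# Constructed inputs mirroring the three attempts in the message.
ATTEMPTS = {
    "admin": dict(username="admin", password="abcdef",
                  user_domain_id="default", project_name="admin",
                  project_domain_id="default"),
    "tenant2-project_id": dict(username="tenant2", password="password",
                               user_domain_id="default",
                               project_id="tenant2"),
    "tenant2-no-project": dict(username="tenant2", password="password",
                               user_domain_id="default"),
}

def summarize():
    return {k: scope_kind(v3_password_body(**kw)) for k, kw in ATTEMPTS.items()}

if __name__ == "__main__":
    for name, kw in ATTEMPTS.items():
        scope = v3_password_body(**kw)["auth"].get("scope")
        print(name, "->", json.dumps(scope, sort_keys=True))
```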