<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 01/09/2018 11:57 AM, Akshay Kapoor
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAK31V2m1C3UFZJMje8uxZL+O_zD_GswDGhF_pt7tceoh4Fik2A@mail.gmail.com">
<div dir="ltr">Hello Everyone !
<div><br>
</div>
<div>I am facing some issues with the Openstack CLI</div>
<div><br>
</div>
<div>Scenario:</div>
<div><br>
</div>
<div>I have a domain admin user account (say 'A')</div>
<div><br>
</div>
<div>I want to assign this user as an 'admin' to two projects X
and Y in the same domain.</div>
<div><br>
</div>
<div>When I trigger the command 'openstack --insecure role add
--user "$OS_USERNAME" --project "X" admin' , I get the
following error:</div>
<div><br>
</div>
<div>The request you have made requires authentication. (HTTP
401)<br>
</div>
</div>
</blockquote>
Are you sure your credentials are right when authenticating? Based
solely on the information provided there could be a couple of things
happening. The first is that the credentials provided to make the
call are incorrect. The second is that the user your attempting to
authenticate as to make the call doesn't have a role on the project
keystoneauth is trying to get a scoped token for (which can be
denoted using <br>
<br>
If you were able to get a token and use it to make the call and if
you didn't have the right permissions to assign roles to other users
you'd be seeing a 403 instead of a 401. <br>
<br>
Those are just a couple suggestions based on the information
provided. If you have access to the keystone logs you should see log
warning or debug messaging that might be more helpful (depending on
the configuration).<br>
<br>
Keystone does provide an administrator account during the bootstrap
process [0] which should have the proper role to do these operations
according to the default policies.<br>
<br>
[0]
<a class="moz-txt-link-freetext" href="https://docs.openstack.org/keystone/latest/admin/identity-bootstrap.html">https://docs.openstack.org/keystone/latest/admin/identity-bootstrap.html</a><br>
<br>
<blockquote type="cite"
cite="mid:CAK31V2m1C3UFZJMje8uxZL+O_zD_GswDGhF_pt7tceoh4Fik2A@mail.gmail.com">
<div dir="ltr">
<div><br>
</div>
<div><br>
</div>
<div>How can I add this admin user as an admin to two different
tenants (where this admin account has no role previously).
Once this role assignment is done, I want to setup rbac access
between two projects 'X' and 'Y'</div>
<div><br>
</div>
<div><br>
</div>
<div>Any help would be really appreciated. Thanks</div>
<div><br>
</div>
<div><br>
</div>
<div>Best Regards,</div>
<div>Akshay</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>