<div dir="ltr">It appears this is to do with Keystone v3-created users not having any role assignment by default.  Big thanks to lbragstad for helping me to understand this on IRC; he also provided this link as historical context for this situation: <a href="https://bugs.launchpad.net/keystone/+bug/1662911">https://bugs.launchpad.net/keystone/+bug/1662911</a>.<div><br></div><div>In detail, I was creating a non-admin project and user like this:</div><div><br></div><div><div>                tenant = self.keystone3.projects.create(username,<br></div><div>                                                        "default",</div><div>                                                        description=description,</div><div>                                                        enabled=True)</div><div>                user = self.keystone3.users.create(username,<br></div><div>                                                   domain="default",</div><div>                                                   project=<a href="http://tenant.id">tenant.id</a>,</div><div>                                                   password=password)</div></div><div><br></div><div>With just that, that user won't be able to do anything; you need to give it a role assignment as well, for example:</div><div><br></div><div><div>            admin_role = None</div><div>            for role in self.keystone3.roles.list():</div><div>                _<a href="http://log.info">log.info</a>("role: %r", role)</div><div>                if <a href="http://role.name">role.name</a> == 'admin':</div><div>                    admin_role = role</div><div>                    break</div><div>            assert admin_role is not None, "Couldn't find 'admin' role"</div><div>            self.keystone3.roles.grant(admin_role, user=user, project=tenant)</div></div><div><br></div><div>I still don't have a good understanding of what 'admin' within that project really means, or why it means that that user can then do, e.g. nova.images.list(); but at least I have a working system again.</div><div><br></div><div>Regards,</div><div>     Neil</div><div><br></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Aug 9, 2018 at 4:42 PM Neil Jerram <<a href="mailto:neil@tigera.io">neil@tigera.io</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I'd like to create a non-admin project and user that are able to do nova.images.list(), in a Queens install.  IIUC, all users should be able to do that.  I'm afraid I'm pretty lost and would appreciate any help.<div><br></div><div>Define a function to test whether a particular set of credentials can do nova.images.list():</div><div><br></div><div><div>from keystoneauth1 import identity</div><div>from keystoneauth1 import session</div><div>from novaclient.client import Client as NovaClient</div><div><br></div><div><div>def attemp(auth):</div><div>    sess = session.Session(auth=auth)</div><div>    nova = NovaClient(2, session=sess)</div><div>    for i in nova.images.list():</div><div>        print i</div></div><div><br></div><div>With an admin user, things work:</div><div><br></div><div><div>>>> auth_url = "<a href="http://controller:5000/v3" target="_blank">http://controller:5000/v3</a>"</div><div>>>> auth = identity.Password(auth_url=auth_url,</div><div>>>>                               username="admin",</div><div>>>>                               password="abcdef",</div><div>>>>                               project_name="admin",</div><div>>>>                               project_domain_id="default",</div><div>>>>                               user_domain_id="default")</div></div><div>>>> attemp(auth)</div><div><div><Image: ipv6_enabled_image></div><div><Image: cirros-0.3.2-x86_64></div></div><div><br></div><div>With a non-admin user with project_id specified, 401:</div></div><div><br></div><div><div>>>> tauth = identity.Password(auth_url=auth_url,</div><div>...                               username="tenant2",</div><div>...                               password="password",</div><div>...                               project_id="tenant2",</div><div>...                               user_domain_id="default")</div><div>>>> attemp(tauth)</div><div>...</div><div>keystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-ed0630a4-7df0-4ba8-a4c4-de3ecb7b4d7d)<br></div></div><div><br></div><div>With the same but without project_id, I get an empty service catalog instead:</div><div><br></div><div><div>>>> tauth = identity.Password(auth_url=auth_url,</div><div>...                               username="tenant2",</div><div>...                               password="password",</div><div>...                               #project_name="tenant2",</div><div>...                               #project_domain_id="default",</div><div>...                               user_domain_id="default")</div><div>>>> </div><div>>>> attemp(tauth)</div><div>...</div><div>keystoneauth1.exceptions.catalog.EmptyCatalog: The service catalog is empty.<br></div></div><div><br></div><div>Can anyone help?</div><div><br></div><div>Regards,</div><div>     Neil</div><div><br></div></div>
</blockquote></div></div>