[EXTERNAL] Re: [kolla][keystone] Another keycloak issue

Mark Goddard mark at stackhpc.com
Wed Jan 27 09:09:36 UTC 2021


On Tue, 26 Jan 2021 at 17:02, Braden, Albert
<C-Albert.Braden at charter.com> wrote:
>
> Another problem I'm encountering with Keycloak is that the Keycloak users can't log in on the command line. I created user test2 via Keycloak and test3 via CLI. They have identical roles on the admin domain:
>
> (openstack) [root@chrnc-area51-build-01 ~]# os role assignment list --user test2
> +----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
> | Role                             | User                                                             | Group | Project                          | Domain | System | Inherited |
> +----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
> | 406a5f1cd92d45b5b3d54979235e896c | f4287b6082b8f36048d052eaa3d35facb94e5eff598d59d2aee68252ddb13339 |       | 15c32af517334e28a9427809a9fc4805 |        |        | False     |
> +----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
> (openstack) [root@chrnc-area51-build-01 ~]# os role assignment list --user test3
> +----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
> | Role                             | User                             | Group | Project                          | Domain | System | Inherited |
> +----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
> | 406a5f1cd92d45b5b3d54979235e896c | 06a5f28d061f4d42b3bf64df378338fd |       | 15c32af517334e28a9427809a9fc4805 |        |        | False     |
> +----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
>
> I made identical env-setting "rc" files with only the username changed. Test3 logs in successfully but test2 fails:
>
> (openstack) [root@chrnc-area51-build-01 ~]# . ./test2-openrc.sh
> (openstack) [root@chrnc-area51-build-01 ~]# openstack server list
> The request you have made requires authentication. (HTTP 401) (Request-ID: req-ad7ee855-df98-434a-9afc-89f64a7addd1)
> (openstack) [root@chrnc-area51-build-01 ~]# . ./test3-openrc.sh
> (openstack) [root@chrnc-area51-build-01 ~]# openstack server list
>
> (openstack) [root@chrnc-area51-build-01 ~]#
>
> The only obvious difference is the longer UID for the Keycloak users. Do Keycloak-created users require something different in the env? Do I need to change something in Keycloak, to make the Keycloak users work the same as CLI-created users? Where can I look in the database to find the differences between these two users?
>
I'm no expert on federation, but I understand that you need to use a
slightly different method with the CLI. This page has some info:
https://docs.openstack.org/python-openstackclient/latest/cli/man/openstack.html


