<font size=2 face="sans-serif">Hey Erich,</font>
<br>
<br><font size=2 face="sans-serif">Did you grant the admin user the admin
role on the other projects?</font>
<br><font size=2 face="sans-serif">i.e. `$ keystone user-role-add --user
admin --role admin --tenant cbse`</font>
<br>
<br><font size=2 face="sans-serif">You can try adding --debug to keystone
tenant-list, and see if the output is a bit more helpful.</font>
<br><font size=2 face="sans-serif">`$ keystone --debug tenant-list`</font>
<br><font size=2 face="sans-serif"><br>
Can you double check that the OS_SERVICE_TOKEN is removed from your environment?</font>
<br><font size=2 face="sans-serif">`$ env | grep OS`</font>
<br>
<br><font size=2 face="sans-serif">Thanks,</font>
<br><font size=2 face="sans-serif">stevemar</font>
<br>
<br>
<br>
<br><font size=1 color=#5f5f5f face="sans-serif">From:      
 </font><font size=1 face="sans-serif">Erich Weiler <weiler@soe.ucsc.edu></font>
<br><font size=1 color=#5f5f5f face="sans-serif">To:      
 </font><font size=1 face="sans-serif">openstack <openstack@lists.openstack.org>,
</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Date:      
 </font><font size=1 face="sans-serif">04/28/2014 04:14 PM</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Subject:    
   </font><font size=1 face="sans-serif">[Openstack]
Keystone admin user not really "admin"</font>
<br>
<hr noshade>
<br>
<br>
<br><tt><font size=2>Hi Y'all,<br>
<br>
I'm having this very odd problem with the keystone "admin" user,
under <br>
Icehouse, for my internal proof-of-concept openstack cluster.<br>
<br>
I created an "admin" user and an "admin" tenant, then
assigned the roles <br>
as such (these commands run with the admin OS_SERVICE_TOKEN):<br>
<br>
keystone tenant-list<br>
WARNING: Bypassing authentication using a token & endpoint <br>
(authentication credentials are being ignored).<br>
+----------------------------------+---------+---------+<br>
|                id                |   name  | enabled |<br>
+----------------------------------+---------+---------+<br>
| 5927cd6622ed4a7ab11516927f4181e5 |  admin  |   True  |<br>
| 7c1980078e044cb08250f628cbe73d29 |   cbse  |   True  |<br>
| 97c559c870b64f24b43e246a523a331d | service |   True  |<br>
+----------------------------------+---------+---------+<br>
<br>
keystone user-get admin<br>
WARNING: Bypassing authentication using a token & endpoint <br>
(authentication credentials are being ignored).<br>
+----------+----------------------------------+<br>
| Property |              Value               |<br>
+----------+----------------------------------+<br>
|  email   |    cluster-admin@soe.ucsc.edu    |<br>
| enabled  |               True               |<br>
|    id    | 99b501f662704849852514a853ab55ca |<br>
|   name   |              admin               |<br>
| username |              admin               |<br>
+----------+----------------------------------+<br>
<br>
keystone user-role-list --user admin --tenant admin<br>
WARNING: Bypassing authentication using a token & endpoint <br>
(authentication credentials are being ignored).<br>
+----------------------------------+----------+----------------------------------+----------------------------------+<br>
|                id                |   name   |             user_id              |            tenant_id             |<br>
+----------------------------------+----------+----------------------------------+----------------------------------+<br>
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 99b501f662704849852514a853ab55ca | 5927cd6622ed4a7ab11516927f4181e5 |<br>
| eb2badd0ce364882bf0ecedcaf51ec9f |  admin   | 99b501f662704849852514a853ab55ca | 5927cd6622ed4a7ab11516927f4181e5 |<br>
+----------------------------------+----------+----------------------------------+----------------------------------+<br>
<br>
However, when I remove the OS_SERVICE_TOKEN from my ENV variables and <br>
re-login, just using the following:<br>
<br>
export OS_USERNAME=admin<br>
export OS_PASSWORD=xxxxxx<br>
export OS_TENANT_NAME=admin<br>
export OS_AUTH_URL=http://myserver.local:35357/v2.0<br>
<br>
I seem to authenticate OK, but I can't seem to do "admin" like
things. <br>
When I was experimenting with Icehouse RC1 this worked just fine, but <br>
now it doesn't work.  Like, I try this:<br>
<br>
# keystone user-list<br>
The resource could not be found. (HTTP 404)<br>
<br>
keystone tenant-list<br>
+----------------------------------+-------+---------+<br>
|                id                |  name | enabled |<br>
+----------------------------------+-------+---------+<br>
| 5927cd6622ed4a7ab11516927f4181e5 | admin |   True  |<br>
+----------------------------------+-------+---------+<br>
<br>
<br>
Even though there are more tenants than just that one tenant, as shown
<br>
above.  It almost seems like the "admin" user here is "just another <br>
user", one without admin rights.<br>
<br>
I looked in the keystone logs when trying the last "keystone user-list"
<br>
command and saw this:<br>
<br>
2014-04-28 12:53:56.891 17613 DEBUG keystone.middleware.core [-] Auth <br>
token not in the request header. Will not build auth context. <br>
process_request <br>
/usr/lib/python2.6/site-packages/keystone/middleware/core.py:271<br>
2014-04-28 12:53:56.893 17613 DEBUG keystone.common.wsgi [-] arg_dict:
<br>
{} __call__ /usr/lib/python2.6/site-packages/keystone/common/wsgi.py:181<br>
2014-04-28 12:53:56.899 17613 DEBUG keystone.notifications [-] CADF <br>
Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event', <br>
'initiator': {'typeURI': 'service/security/account/user', 'host': <br>
{'agent': 'python-keystoneclient', 'address': '10.1.1.147'}, 'id': <br>
'openstack:46f88e47-8dc5-4761-adb3-d5ac1c104ed2', 'name': <br>
u'99b501f662704849852514a853ab55ca'}, 'target': {'typeURI': <br>
'service/security/account/user', 'id': <br>
'openstack:c3e6a002-f10f-4323-9da4-0c5c91f278f3'}, 'observer': <br>
{'typeURI': 'service/security', 'id': <br>
'openstack:3cbbc605-427e-433e-b329-d9e6d4b5c16e'}, 'eventType': <br>
'activity', 'eventTime': '2014-04-28T19:53:56.898906+0000', 'action': <br>
'authenticate', 'outcome': 'pending', 'id': <br>
'openstack:8f9605fe-9498-4d37-9024-d13767af8382'} <br>
_send_audit_notification <br>
/usr/lib/python2.6/site-packages/keystone/notifications.py:289<br>
2014-04-28 12:53:56.948 17613 DEBUG keystone.notifications [-] CADF <br>
Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event', <br>
'initiator': {'typeURI': 'service/security/account/user', 'host': <br>
{'agent': 'python-keystoneclient', 'address': '10.1.1.147'}, 'id': <br>
'openstack:46f88e47-8dc5-4761-adb3-d5ac1c104ed2', 'name': <br>
u'99b501f662704849852514a853ab55ca'}, 'target': {'typeURI': <br>
'service/security/account/user', 'id': <br>
'openstack:6955d3f0-41da-49c0-9f1b-025d60195a5f'}, 'observer': <br>
{'typeURI': 'service/security', 'id': <br>
'openstack:07ce1f0d-cd8d-495e-9e93-5a60dd0abb33'}, 'eventType': <br>
'activity', 'eventTime': '2014-04-28T19:53:56.947942+0000', 'action': <br>
'authenticate', 'outcome': 'success', 'id': <br>
'openstack:b8335d16-2f9a-42bf-bfb8-071c07d4206d'} <br>
_send_audit_notification <br>
/usr/lib/python2.6/site-packages/keystone/notifications.py:289<br>
2014-04-28 12:53:57.002 17613 INFO eventlet.wsgi.server [-] 10.1.1.147
- <br>
- [28/Apr/2014 12:53:57] "POST /v2.0/tokens HTTP/1.1" 200 6397
0.111563<br>
2014-04-28 12:53:57.020 17613 DEBUG keystone.middleware.core [-] RBAC:
<br>
auth_context: {'project_id': u'5927cd6622ed4a7ab11516927f4181e5', <br>
'user_id': u'99b501f662704849852514a853ab55ca', 'roles': [u'_member_',
<br>
u'admin']} process_request <br>
/usr/lib/python2.6/site-packages/keystone/middleware/core.py:281<br>
2014-04-28 12:53:57.023 17613 INFO eventlet.wsgi.server [-] 10.1.1.147
- <br>
- [28/Apr/2014 12:53:57] "GET /v2.0/users HTTP/1.1" 404 228 0.008255<br>
<br>
It explicitly states 'roles': [u'_member_', u'admin'] so I figure it <br>
should work?  Anyone seen anything like this before?  Maybe I
made a <br>
typo somewhere?<br>
<br>
My keystone policy.json file is un-tampered with and contains the <br>
default settings:<br>
<br>
{<br>
     "admin_required": "role:admin or is_admin:1",<br>
     "service_role": "role:service",<br>
     "service_or_admin": "rule:admin_required or rule:service_role",<br>
     "owner" : "user_id:%(user_id)s",<br>
     "admin_or_owner": "rule:admin_required or rule:owner",<br>
<br>
     "default": "rule:admin_required",<br>
<br>
     "identity:get_region": "",<br>
     "identity:list_regions": "",<br>
     "identity:create_region": "rule:admin_required",<br>
     "identity:update_region": "rule:admin_required",<br>
     "identity:delete_region": "rule:admin_required",<br>
<br>
     "identity:get_service": "rule:admin_required",<br>
     "identity:list_services": "rule:admin_required",<br>
     "identity:create_service": "rule:admin_required",<br>
     "identity:update_service": "rule:admin_required",<br>
     "identity:delete_service": "rule:admin_required",<br>
<br>
     "identity:get_endpoint": "rule:admin_required",<br>
     "identity:list_endpoints": "rule:admin_required",<br>
     "identity:create_endpoint": "rule:admin_required",<br>
     "identity:update_endpoint": "rule:admin_required",<br>
     "identity:delete_endpoint": "rule:admin_required",<br>
<br>
     "identity:get_domain": "rule:admin_required",<br>
     "identity:list_domains": "rule:admin_required",<br>
     "identity:create_domain": "rule:admin_required",<br>
     "identity:update_domain": "rule:admin_required",<br>
     "identity:delete_domain": "rule:admin_required",<br>
<br>
     "identity:get_project": "rule:admin_required",<br>
     "identity:list_projects": "rule:admin_required",<br>
     "identity:list_user_projects": "rule:admin_or_owner",<br>
     "identity:create_project": "rule:admin_required",<br>
     "identity:update_project": "rule:admin_required",<br>
     "identity:delete_project": "rule:admin_required",<br>
<br>
     "identity:get_user": "rule:admin_required",<br>
     "identity:list_users": "rule:admin_required",<br>
     "identity:create_user": "rule:admin_required",<br>
     "identity:update_user": "rule:admin_required",<br>
     "identity:delete_user": "rule:admin_required",<br>
     "identity:change_password": "rule:admin_or_owner",<br>
<br>
     "identity:get_group": "rule:admin_required",<br>
     "identity:list_groups": "rule:admin_required",<br>
     "identity:list_groups_for_user": "rule:admin_or_owner",<br>
     "identity:create_group": "rule:admin_required",<br>
     "identity:update_group": "rule:admin_required",<br>
     "identity:delete_group": "rule:admin_required",<br>
     "identity:list_users_in_group": "rule:admin_required",<br>
     "identity:remove_user_from_group": "rule:admin_required",<br>
     "identity:check_user_in_group": "rule:admin_required",<br>
     "identity:add_user_to_group": "rule:admin_required",<br>
<br>
     "identity:get_credential": "rule:admin_required",<br>
     "identity:list_credentials": "rule:admin_required",<br>
     "identity:create_credential": "rule:admin_required",<br>
     "identity:update_credential": "rule:admin_required",<br>
     "identity:delete_credential": "rule:admin_required",<br>
<br>
     "identity:ec2_get_credential": "rule:admin_or_owner",<br>
     "identity:ec2_list_credentials": "rule:admin_or_owner",<br>
     "identity:ec2_create_credential": "rule:admin_or_owner",<br>
     "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",<br>
<br>
     "identity:get_role": "rule:admin_required",<br>
     "identity:list_roles": "rule:admin_required",<br>
     "identity:create_role": "rule:admin_required",<br>
     "identity:update_role": "rule:admin_required",<br>
     "identity:delete_role": "rule:admin_required",<br>
<br>
     "identity:check_grant": "rule:admin_required",<br>
     "identity:list_grants": "rule:admin_required",<br>
     "identity:create_grant": "rule:admin_required",<br>
     "identity:revoke_grant": "rule:admin_required",<br>
<br>
     "identity:list_role_assignments": "rule:admin_required",<br>
<br>
     "identity:get_policy": "rule:admin_required",<br>
     "identity:list_policies": "rule:admin_required",<br>
     "identity:create_policy": "rule:admin_required",<br>
     "identity:update_policy": "rule:admin_required",<br>
     "identity:delete_policy": "rule:admin_required",<br>
<br>
     "identity:check_token": "rule:admin_required",<br>
     "identity:validate_token": "rule:service_or_admin",<br>
     "identity:validate_token_head": "rule:service_or_admin",<br>
     "identity:revocation_list": "rule:service_or_admin",<br>
     "identity:revoke_token": "rule:admin_or_owner",<br>
<br>
     "identity:create_trust": "user_id:%(trust.trustor_user_id)s",<br>
     "identity:get_trust": "rule:admin_or_owner",<br>
     "identity:list_trusts": "",<br>
     "identity:list_roles_for_trust": "",<br>
     "identity:check_role_for_trust": "",<br>
     "identity:get_role_for_trust": "",<br>
     "identity:delete_trust": "",<br>
<br>
     "identity:create_consumer": "rule:admin_required",<br>
     "identity:get_consumer": "rule:admin_required",<br>
     "identity:list_consumers": "rule:admin_required",<br>
     "identity:delete_consumer": "rule:admin_required",<br>
     "identity:update_consumer": "rule:admin_required",<br>
<br>
     "identity:authorize_request_token": "rule:admin_required",<br>
     "identity:list_access_token_roles": "rule:admin_required",<br>
     "identity:get_access_token_role": "rule:admin_required",<br>
     "identity:list_access_tokens": "rule:admin_required",<br>
     "identity:get_access_token": "rule:admin_required",<br>
     "identity:delete_access_token": "rule:admin_required",<br>
<br>
     "identity:list_projects_for_endpoint": "rule:admin_required",<br>
     "identity:add_endpoint_to_project": "rule:admin_required",<br>
     "identity:check_endpoint_in_project": "rule:admin_required",<br>
     "identity:list_endpoints_for_project": "rule:admin_required",<br>
     "identity:remove_endpoint_from_project": "rule:admin_required",<br>
<br>
     "identity:create_identity_provider": "rule:admin_required",<br>
     "identity:list_identity_providers": "rule:admin_required",<br>
     "identity:get_identity_providers": "rule:admin_required",<br>
     "identity:update_identity_provider": "rule:admin_required",<br>
     "identity:delete_identity_provider": "rule:admin_required",<br>
<br>
     "identity:create_protocol": "rule:admin_required",<br>
     "identity:update_protocol": "rule:admin_required",<br>
     "identity:get_protocol": "rule:admin_required",<br>
     "identity:list_protocols": "rule:admin_required",<br>
     "identity:delete_protocol": "rule:admin_required",<br>
<br>
     "identity:create_mapping": "rule:admin_required",<br>
     "identity:get_mapping": "rule:admin_required",<br>
     "identity:list_mappings": "rule:admin_required",<br>
     "identity:delete_mapping": "rule:admin_required",<br>
     "identity:update_mapping": "rule:admin_required",<br>
<br>
     "identity:list_projects_for_groups": "",<br>
     "identity:list_domains_for_groups": "",<br>
<br>
     "identity:list_revoke_events": ""<br>
}<br>
<br>
Can anyone see my mistake?  Maybe I encountered a bug??<br>
<br>
Thanks for any idea!!!<br>
<br>
cheers,<br>
-erich<br>
<br>
_______________________________________________<br>
Mailing list: </font></tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack"><tt><font size=2>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</font></tt></a><tt><font size=2><br>
Post to     : openstack@lists.openstack.org<br>
Unsubscribe : </font></tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack"><tt><font size=2>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</font></tt></a><tt><font size=2><br>
<br>
</font></tt>
<br>
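Under the default policy.json quoted in the post, a user whose auth_context carries the admin role passes rule:admin_required for identity:list_users, and a policy denial would surface as HTTP 403 rather than the 404 in the log. The following is an added example, not code from the thread or from keystone itself: a small evaluator for that rule syntax (role:, is_admin:, user_id:%(...)s, rule:, or/and, parentheses, empty rule) run against the roles and user_id from Erich's log; the POLICY dict is a constructed excerpt of the file above.

```python
import re

# Constructed excerpt of the Icehouse keystone policy.json quoted above
# (not the whole file); an empty rule string means "always allowed".
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "default": "rule:admin_required",
    "identity:list_users": "rule:admin_required",
    "identity:list_projects": "rule:admin_required",
    "identity:list_user_projects": "rule:admin_or_owner",
    "identity:list_regions": "",
    "identity:ec2_delete_credential": "rule:admin_required or "
        "(rule:owner and user_id:%(target.credential.user_id)s)",
}
# Tokens: parens, the keywords or/and, and "kind:value" atoms; a value
# may carry a %(...)s substitution, whose parens stay inside the atom.
_TOKEN = re.compile(r"\(|\)|\bor\b|\band\b|(?:%\([^)]*\)s|[^\s()])+")
PREC = {"or": 1, "and": 2}          # 'and' binds tighter than 'or'

def _atom(tok, creds, target):
    """Evaluate one 'kind:value' check against the auth context."""
    kind, _, value = tok.partition(":")
    if kind == "rule":               # named rule: recurse into POLICY
        return check(value, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    if "%(" in value:                # e.g. user_id:%(user_id)s from target
        value = value % target
    return str(creds.get(kind)) == value

def _eval(toks, creds, target, min_prec=0):
    """Precedence-climbing evaluation of a tokenised rule expression."""
    tok = toks.pop(0)
    if tok == "(":
        left = _eval(toks, creds, target)
        toks.pop(0)                  # the matching ')'
    else:
        left = _atom(tok, creds, target)
    while toks and toks[0] in PREC and PREC[toks[0]] >= min_prec:
        op = toks.pop(0)
        right = _eval(toks, creds, target, PREC[op] + 1)
        left = (left and right) if op == "and" else (left or right)
    return left

def check(action, creds, target=None):
    """True if POLICY permits `action` for `creds` (simplified engine)."""
    rule = POLICY.get(action, POLICY["default"])
    return True if rule == "" else _eval(_TOKEN.findall(rule), creds, target or {})
```

With creds taken from the RBAC auth_context line in the log (roles _member_ and admin), check("identity:list_users", creds) is True, which is why the 404 points at routing rather than at policy.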