-----Original Message-----
From: Mark Goddard <mark@stackhpc.com>
Sent: Tuesday, January 26, 2021 3:47 AM
To: Braden, Albert <C-Albert.Braden@charter.com>
Cc: openstack-discuss@lists.openstack.org
Subject: [EXTERNAL] Re: [kolla][keystone] Keycloak "More than one user" error
Adding keystone tag.
On Mon, 25 Jan 2021 at 13:35, Braden, Albert <C-Albert.Braden@charter.com> wrote:
We’re running Train on CentOS 7, and using Keycloak for auth. After I set up Keycloak, create a user in Keycloak, and then log in to Horizon via Keycloak, a user is created in Keystone:
...
Where should I be looking for the cause of this error?
Have you checked if there are other test users in a different domain?
I think I successfully checked that. Looking at "openstack help user list" I see that it allows me to filter users by domain, group or project. It appears that not adding any filters will show all users in all domains. Also I checked the database. I tried deleting the "test" user:

(openstack) [root@chrnc-area51-build-01 config]# os user show test
More than one user exists with the name 'test'.
(openstack) [root@chrnc-area51-build-01 config]# os user delete test
Failed to delete user with name or ID 'test': More than one user exists with the name 'test'.
1 of 1 users failed to delete.
(openstack) [root@chrnc-area51-build-01 config]# os user list
+------------------------------------------------------------------+-------------------+
| ID                                                               | Name              |
+------------------------------------------------------------------+-------------------+
| ccb276f4f507fd9f271d629d2ad896d2c97e04f81336cd8c1332f4b2df115ca2 | test              |
| f4287b6082b8f36048d052eaa3d35facb94e5eff598d59d2aee68252ddb13339 | test2             |
| e81999534559450688c730aad58738dc                                 | admin             |
| 23fb5632aaa548b68871634577c5bf42                                 | glance            |
| 5e7d65357275446bbc2007826327350d                                 | cinder            |
| 76217f42ce37481faa69b6b610e65f19                                 | placement         |
| e1832eb444044d7f8a266d22d517dc98                                 | nova              |
| cba584661261497f9b522c4752120d5f                                 | neutron           |
| 034d6fcd28ef4b61b5e56d1dc79c9927                                 | heat              |
| 6d38774ad4614764932cb338add97403                                 | heat_domain_admin |
| 59f68b88481e4e738f4a4943ff6c6496                                 | masakari          |
| 5d539533ecda4bd197a6ed281c6d268b                                 | abraden           |
| 5d5f353f00434d9195208efad74f8113                                 | adjutant          |
+------------------------------------------------------------------+-------------------+
(openstack) [root@chrnc-area51-build-01 config]# os user delete ccb276f4f507fd9f271d629d2ad896d2c97e04f81336cd8c1332f4b2df115ca2
(openstack) [root@chrnc-area51-build-01 config]# os user show test
No user with a name or ID of 'test' exists.

After deleting the "test" user, and then re-creating it with a Keycloak login, the problem goes away.
It seems to only happen with the first Keycloak user on a new cluster.

(openstack) [root@chrnc-area51-build-01 config]# os user show test
+---------------------+------------------------------------------------------------------+
| Field               | Value                                                            |
+---------------------+------------------------------------------------------------------+
| domain_id           | 4678301ef9a24d54bcd2e87a8fbc6872                                 |
| email               | test@example.com                                                 |
| enabled             | True                                                             |
| id                  | ccb276f4f507fd9f271d629d2ad896d2c97e04f81336cd8c1332f4b2df115ca2 |
| name                | test                                                             |
| options             | {}                                                               |
| password_expires_at | None                                                             |
+---------------------+------------------------------------------------------------------+