[openstack-dev] [Keystone V3] not able to create cloud_admin user within the admin_domain domain
foss geek
thefossgeek at gmail.com
Thu Jul 17 05:33:20 UTC 2014
Dear All,
I have a 3-node OpenStack (controller + compute + storage node) deployment. I
have integrated Keystone with OpenLDAP.
I have configured Keystone to do authentication through LDAP and assignment
from SQL.
Here is the configuration entry in keystone.conf:
[identity]
driver = keystone.identity.backends.ldap.Identity
[assignment]
driver = keystone.assignment.backends.sql.Assignment
Here is the LDAP schema:
# cat tcl.ldif
dn: dc=TCL
dc: TCL
objectclass: top
objectclass: domain
dn: ou=TCL,dc=TCL
objectClass: organizationalUnit
objectClass: top
ou: TCL
I have manually created the OpenStack service user and admin user so that the
LDAP driver can place the necessary details in the LDAP database. I am able to
log in to OpenStack as the admin user and all functionality is working fine
post LDAP integration.
Here is my LDAP schema with the admin and service users.
# ldapsearch -x -h <localhost> -W -D"dc=Manager,dc=TCL" -b dc=TCL }}
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=TCL> with scope subtree
# filter: (objectclass=*)
# requesting: }}
#
# TCL
dn: dc=TCL
# TCL, TCL
dn: ou=TCL,dc=TCL
# a8f8ed812aba458ba42d0fbfc0145bd4, TCL, TCL
dn: cn=a8f8ed812aba458ba42d0fbfc0145bd4,ou=TCL,dc=TCL
# c8d9eef1a2044f08b6ae5eb509ff3c83, TCL, TCL
dn: cn=c8d9eef1a2044f08b6ae5eb509ff3c83,ou=TCL,dc=TCL
# 8c4a189b78204b2c87a9e70997afa4fe, TCL, TCL
dn: cn=8c4a189b78204b2c87a9e70997afa4fe,ou=TCL,dc=TCL
# 5c90951603a444db826eb48672843183, TCL, TCL
dn: cn=5c90951603a444db826eb48672843183,ou=TCL,dc=TCL
# 1c60c85acf3942cebbdec91fea1d9b75, TCL, TCL
dn: cn=1c60c85acf3942cebbdec91fea1d9b75,ou=TCL,dc=TCL
# bbc4d9fa57724d31ba016f572951a474, TCL, TCL
dn: cn=bbc4d9fa57724d31ba016f572951a474,ou=TCL,dc=TCL
# 78839ea49f82468b831efb6c08167360, TCL, TCL
dn: cn=78839ea49f82468b831efb6c08167360,ou=TCL,dc=TCL
# search result
search: 2
result: 0 Success
# numResponses: 10
# numEntries: 9
Now I am trying to enable the Keystone V3.0 API. I am following this URL:
http://www.florentflament.com/blog/setting-keystone-v3-domains.html
ADMIN_TOKEN=$(\
curl http://192.169.0.2:5000/v3/auth/tokens \
-s \
-i \
-H "Content-Type: application/json" \
-d '
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"domain": {
"name": "Default"
},
"name": "admin",
"password": "I0DzaQ3LkSUpS1eW89"
}
}
},
"scope": {
"project": {
"domain": {
"name": "Default"
},
"name": "admin"
}
}
}
}' | grep ^X-Subject-Token: | awk '{print $2}' )
# echo $ADMIN_TOKEN
be1a1c02623740aeb72fa8c2dfdb8bbb
ID_ADMIN_DOMAIN=$(\
curl http://192.169.0.2:5000/v3/domains \
-s \
-H "X-Auth-Token: $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d '
{
"domain": {
"enabled": true,
"name": "admin_domain"
}
}' | jq .domain.id | tr -d '"' )
# echo $ID_ADMIN_DOMAIN
null
I am getting the below error message:
{"error": {"message": "Conflict occurred attempting to store domain.
(IntegrityError) (1062, \"Duplicate entry 'admin_domain' for key 'name'\")
'INSERT INTO domain (id, name, enabled, extra) VALUES (%s, %s, %s, %s)'
('ea3e791ffa524ca29e43099682ceee8f', 'admin_domain', 1, '{}')", "code":
409, "title": "Conflict"}}
It says that admin_domain already exists. It seems that by default it comes
with admin_domain and the Default domain. Here is my domain list.
# curl -X GET -H "X-Auth-token:$ADMIN_TOKEN"
http://192.169.0.2:5000/v3/domains | jq '.domains'
[
{
"name": "admin_domain",
"links": {
"self": "
http://192.169.0.2:5000/v3/domains/1fdf6cd4da99480797d3e2a08d6a8591"
},
"id": "1fdf6cd4da99480797d3e2a08d6a8591",
"enabled": true
},
{
"id": "default",
"name": "Default",
"description": "Owns users and tenants (i.e. projects) available on
Identity API v2.",
"enabled": true,
"links": {
"self": "http://192.169.0.2:5000/v3/domains/default"
}
}
]
I have manually added ID_CLOUD_ADMIN variable.
# ID_CLOUD_ADMIN=1fdf6cd4da99480797d3e2a08d6a8591
# echo $ID_CLOUD_ADMIN
1fdf6cd4da99480797d3e2a08d6a8591
The problem is that when I try to create the cloud_admin user it fails with
"Could not find domain".
ID_CLOUD_ADMIN=$(\
curl http://192.169.0.2:5000/v3/users \
-s \
-H "X-Auth-Token: $ADMIN_TOKEN" \
-H "Content-Type: application/json" \
-d "
{
\"user\": {
\"description\": \"Cloud administrator\",
\"domain_id\": \"$ID_ADMIN_DOMAIN\",
\"enabled\": true,
\"name\": \"cloud_admin\",
\"password\": \"password\"
}
}" | jq .user.id | tr -d '"' )
# echo $ID_CLOUD_ADMIN
null
{"error": {"message": "Could not find domain, null.", "code": 404, "title":
"Not Found"}}
Has anybody faced a similar issue?
Do I need to delete the existing admin_domain and create it again?
I need someone's help to understand it better.
Thanks for your time.
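The failure in the post is that the 409 Conflict left ID_ADMIN_DOMAIN as null, and that null was then passed as domain_id to the user create. The following is an added example, not the poster's script and not Keystone's own client: it resolves the domain id with a get-or-create step, branches on the HTTP status instead of parsing `.domain.id` out of an error body, and refuses to create a user without a domain id. `transport`, `make_fake_keystone` and the minted ids are assumptions made here so the logic runs offline; a live transport would wrap urllib or curl with the X-Auth-Token header.

```python
# Added example, not the poster's script. transport(method, path, body, token)
# returns (http_status, decoded_json); a live one would wrap urllib/curl.
def find_or_create_domain(transport, token, name):
    """Id of domain `name`; on 409 list domains instead of reading the error body."""
    body = {"domain": {"name": name, "enabled": True}}
    status, resp = transport("POST", "/v3/domains", body, token)
    if status in (200, 201):
        return resp["domain"]["id"]
    if status != 409:
        raise RuntimeError("domain create failed: %s %s" % (status, resp))
    status, resp = transport("GET", "/v3/domains", None, token)
    if status != 200:
        raise RuntimeError("domain list failed: %s %s" % (status, resp))
    for domain in resp["domains"]:
        if domain["name"] == name:
            return domain["id"]
    raise RuntimeError("domain %r exists but is not visible to this token" % name)

def create_user(transport, token, domain_id, name, password):
    """Refuse an empty domain id up front instead of letting Keystone answer
    'Could not find domain, null.' as in the post."""
    if not domain_id:
        raise ValueError("domain_id is empty; the domain lookup failed earlier")
    body = {"user": {"name": name, "domain_id": domain_id,
                     "password": password, "enabled": True}}
    status, resp = transport("POST", "/v3/users", body, token)
    if status not in (200, 201):
        raise RuntimeError("user create failed: %s %s" % (status, resp))
    return resp["user"]["id"]

def make_fake_keystone(domains):
    """Constructed in-memory stand-in for the endpoints above, seeded with
    existing domains as {id: name}; ids it mints are made up."""
    def transport(method, path, body, token):
        if (method, path) == ("GET", "/v3/domains"):
            return 200, {"domains": [{"id": i, "name": n} for i, n in domains.items()]}
        if (method, path) == ("POST", "/v3/domains"):
            name = body["domain"]["name"]
            if name in domains.values():
                return 409, {"error": {"code": 409, "title": "Conflict"}}
            new_id = "dom%d" % len(domains)
            domains[new_id] = name
            return 201, {"domain": {"id": new_id, "name": name}}
        if (method, path) == ("POST", "/v3/users"):
            if body["user"]["domain_id"] not in domains:
                return 404, {"error": {"code": 404, "title": "Not Found"}}
            return 201, {"user": {"id": "user-" + body["user"]["name"]}}
        return 404, {"error": {"code": 404, "title": "Not Found"}}
    return transport
```

Seeding the fake with the two domains from the post's listing and calling `find_or_create_domain(..., "admin_domain")` returns the existing 1fdf6cd4da99480797d3e2a08d6a8591 instead of null, so the subsequent `create_user` call succeeds.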