[openstack-dev] [keystone][nova] Struggling with non-admin user on Queens install
Neil Jerram
neil at tigera.io
Thu Aug 9 15:42:39 UTC 2018
I'd like to create a non-admin project and user that are able to do
nova.images.list(), in a Queens install. IIUC, all users should be able to
do that. I'm afraid I'm pretty lost and would appreciate any help.

Define a function to test whether a particular set of credentials can do
nova.images.list():

from keystoneauth1 import identity
from keystoneauth1 import session
from novaclient.client import Client as NovaClient

def attemp(auth):
    # Build a session from the given auth plugin and list images through Nova.
    sess = session.Session(auth=auth)
    nova = NovaClient(2, session=sess)
    for i in nova.images.list():
        print(i)

With an admin user, things work:

>>> auth_url = "http://controller:5000/v3"
>>> auth = identity.Password(auth_url=auth_url,
>>>                          username="admin",
>>>                          password="abcdef",
>>>                          project_name="admin",
>>>                          project_domain_id="default",
>>>                          user_domain_id="default")
>>> attemp(auth)
<Image: ipv6_enabled_image>
<Image: cirros-0.3.2-x86_64>

With a non-admin user with project_id specified, 401:

>>> tauth = identity.Password(auth_url=auth_url,
...                           username="tenant2",
...                           password="password",
...                           project_id="tenant2",
...                           user_domain_id="default")
>>> attemp(tauth)
...
keystoneauth1.exceptions.http.Unauthorized: The request you have made
requires authentication. (HTTP 401) (Request-ID:
req-ed0630a4-7df0-4ba8-a4c4-de3ecb7b4d7d)

With the same but without project_id, I get an empty service catalog
instead:

>>> tauth = identity.Password(auth_url=auth_url,
...                           username="tenant2",
...                           password="password",
...                           #project_name="tenant2",
...                           #project_domain_id="default",
...                           user_domain_id="default")
>>>
>>> attemp(tauth)
...
keystoneauth1.exceptions.catalog.EmptyCatalog: The service catalog is empty.

Can anyone help?

Regards,
Neil
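
Added example, not part of the original message and not keystoneauth's own code: the three attempts above differ only in the scope block of the Identity v3 POST /v3/auth/tokens request body, which this sketch builds and reviews. build_auth_body and review_scope are hypothetical helpers, the credentials are constructed, and the 32-hex-character ID check is a heuristic based on Keystone's default generated project IDs.

```python
import json
import re

# Keystone generates project IDs as 32-character hex UUIDs by default;
# treating anything else as "probably a name" is a heuristic of this example.
HEX_ID = re.compile(r"^[0-9a-f]{32}$")


def build_auth_body(username, password, user_domain_id,
                    project_id=None, project_name=None, project_domain_id=None):
    """Return an Identity v3 POST /v3/auth/tokens body for password auth."""
    body = {"auth": {"identity": {
        "methods": ["password"],
        "password": {"user": {"name": username,
                              "domain": {"id": user_domain_id},
                              "password": password}}}}}
    if project_id:
        body["auth"]["scope"] = {"project": {"id": project_id}}
    elif project_name:
        project = {"name": project_name}
        if project_domain_id:
            project["domain"] = {"id": project_domain_id}
        body["auth"]["scope"] = {"project": project}
    return body


def review_scope(body):
    """Return a list of observations about the scope of an auth body."""
    scope = body["auth"].get("scope")
    if scope is None:
        return ["unscoped: token carries no roles and no service catalog"]
    project = scope["project"]
    notes = []
    if "id" in project and not HEX_ID.match(project["id"]):
        notes.append("project id %r does not look like a generated ID" % project["id"])
    if "name" in project and "domain" not in project:
        notes.append("project name given without a domain, so it is ambiguous")
    return notes or ["project-scoped"]


if __name__ == "__main__":
    # Constructed inputs mirroring the three attempts in the message.
    for kwargs in ({"project_name": "admin", "project_domain_id": "default"},
                   {"project_id": "tenant2"}, {}):
        body = build_auth_body("user", "secret", "default", **kwargs)
        print(json.dumps(body["auth"].get("scope")), review_scope(body))
```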