[openstack-dev] [keystone][nova] Struggling with non-admin user on Queens install

Neil Jerram neil at tigera.io
Thu Aug 9 21:36:02 UTC 2018


It appears this is to do with Keystone v3-created users not having any role
assignment by default.  Big thanks to lbragstad for helping me to
understand this on IRC; he also provided this link as historical context
for this situation: https://bugs.launchpad.net/keystone/+bug/1662911.

In detail, I was creating a non-admin project and user like this:

    tenant = self.keystone3.projects.create(username,
                                            "default",
                                            description=description,
                                            enabled=True)
    user = self.keystone3.users.create(username,
                                       domain="default",
                                       project=tenant.id,
                                       password=password)

With just that, that user won't be able to do anything; you need to give it
a role assignment as well, for example:

    admin_role = None
    for role in self.keystone3.roles.list():
        _log.info("role: %r", role)
        if role.name == 'admin':
            admin_role = role
            break
    assert admin_role is not None, "Couldn't find 'admin' role"
    self.keystone3.roles.grant(admin_role, user=user, project=tenant)

I still don't have a good understanding of what 'admin' within that project
really means, or why it means that that user can then do, e.g.
nova.images.list(); but at least I have a working system again.

Regards,
     Neil

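The following is an added example, not code from Neil's message or from the Keystone project. It wraps the same python-keystoneclient v3 calls the message uses (projects.create, users.create, roles.list, roles.grant) in one provisioning function that looks the role up by name, grants it, and then verifies the grant through role_assignments.list, so that a user who would hit the 401 / empty-catalog symptoms described in the quoted message below is never handed out. The role name passed in, the project and user names, and the in-memory FakeKeystone stand-in (which models the one behaviour that matters here: users.create records no role assignment) are constructed so the logic runs offline; which non-admin role exists depends on the deployment.

```python
# Added example, not code from Neil's message or from the Keystone project.
# Wraps the python-keystoneclient v3 calls the message already uses and
# adds a role_assignments.list check. Names and FakeKeystone are constructed.
from collections import namedtuple

Role = namedtuple("Role", "id name")
Project = namedtuple("Project", "id name domain_id enabled")
User = namedtuple("User", "id name domain_id default_project_id")
# Shape of keystoneclient's RoleAssignment: role/user/scope are dicts.
Assignment = namedtuple("Assignment", "role user scope")


def find_role(keystone, role_name):
    """Look a role up by name; role ids differ per deployment, names do not."""
    for role in keystone.roles.list():
        if role.name == role_name:
            return role
    return None


def assigned_role_names(keystone, user, project):
    """Names of roles the user holds directly on the project. An empty list
    is the state a v3-created user starts in: no project-scoped token
    (HTTP 401) and no service catalog until a role is granted."""
    names = {r.id: r.name for r in keystone.roles.list()}
    return sorted(names[a.role["id"]] for a in
                  keystone.role_assignments.list(user=user, project=project))


def ensure_project_user(keystone, name, password, role_name, domain="default"):
    """Create project and user, grant role_name on the project, verify it.

    Returns (project, user). Raises LookupError if the role does not exist
    and RuntimeError if the assignment is not visible afterwards."""
    role = find_role(keystone, role_name)
    if role is None:
        raise LookupError("role %r does not exist" % role_name)
    project = keystone.projects.create(name, domain, enabled=True)
    user = keystone.users.create(name, domain=domain, password=password,
                                 default_project=project.id)
    keystone.roles.grant(role, user=user, project=project)
    if role_name not in assigned_role_names(keystone, user, project):
        raise RuntimeError("role %r not assigned to user %r" % (role_name, name))
    return project, user


# --- constructed stand-in for keystoneclient.v3.client.Client ------------
class _Store(object):
    def __init__(self, role_names):
        self.roles = [Role("role-%d" % i, n) for i, n in enumerate(role_names)]
        self.assignments = set()  # (user_id, project_id, role_id)
        self.seq = 0

    def new_id(self, prefix):
        self.seq += 1
        return "%s-%d" % (prefix, self.seq)


class _Roles(object):
    def __init__(self, store):
        self._s = store

    def list(self):
        return list(self._s.roles)

    def grant(self, role, user=None, project=None):
        self._s.assignments.add((user.id, project.id, role.id))


class _Projects(object):
    def __init__(self, store):
        self._s = store

    def create(self, name, domain, description=None, enabled=True):
        return Project(self._s.new_id("project"), name, domain, enabled)


class _Users(object):
    def __init__(self, store):
        self._s = store

    def create(self, name, domain=None, password=None, default_project=None, **kw):
        # As in real Keystone: creating a user records no role assignment.
        return User(self._s.new_id("user"), name, domain, default_project)


class _RoleAssignments(object):
    def __init__(self, store):
        self._s = store

    def list(self, user=None, project=None):
        return [Assignment({"id": r}, {"id": u}, {"project": {"id": p}})
                for (u, p, r) in self._s.assignments
                if (user is None or u == user.id)
                and (project is None or p == project.id)]


class FakeKeystone(object):
    """Only the managers the functions above touch."""
    def __init__(self, role_names=("admin", "member")):
        store = _Store(role_names)
        self.roles = _Roles(store)
        self.projects = _Projects(store)
        self.users = _Users(store)
        self.role_assignments = _RoleAssignments(store)
```

Against a real deployment, replace FakeKeystone with `keystoneclient.v3.client.Client(session=sess)` built from an admin-scoped keystoneauth1 session; the three functions above only use the manager methods named in the message plus role_assignments.list. Passing a non-admin role name rather than 'admin' keeps the new user limited to what that role's policy allows in its own project.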

On Thu, Aug 9, 2018 at 4:42 PM Neil Jerram <neil at tigera.io> wrote:

> I'd like to create a non-admin project and user that are able to do
> nova.images.list(), in a Queens install.  IIUC, all users should be able to
> do that.  I'm afraid I'm pretty lost and would appreciate any help.
>
> Define a function to test whether a particular set of credentials can do
> nova.images.list():
>
> from keystoneauth1 import identity
> from keystoneauth1 import session
> from novaclient.client import Client as NovaClient
>
> def attemp(auth):
>     sess = session.Session(auth=auth)
>     nova = NovaClient(2, session=sess)
>     for i in nova.images.list():
>         print i
>
> With an admin user, things work:
>
> >>> auth_url = "http://controller:5000/v3"
> >>> auth = identity.Password(auth_url=auth_url,
> >>>                               username="admin",
> >>>                               password="abcdef",
> >>>                               project_name="admin",
> >>>                               project_domain_id="default",
> >>>                               user_domain_id="default")
> >>> attemp(auth)
> <Image: ipv6_enabled_image>
> <Image: cirros-0.3.2-x86_64>
>
> With a non-admin user with project_id specified, 401:
>
> >>> tauth = identity.Password(auth_url=auth_url,
> ...                               username="tenant2",
> ...                               password="password",
> ...                               project_id="tenant2",
> ...                               user_domain_id="default")
> >>> attemp(tauth)
> ...
> keystoneauth1.exceptions.http.Unauthorized: The request you have made
> requires authentication. (HTTP 401) (Request-ID:
> req-ed0630a4-7df0-4ba8-a4c4-de3ecb7b4d7d)
>
> With the same but without project_id, I get an empty service catalog
> instead:
>
> >>> tauth = identity.Password(auth_url=auth_url,
> ...                               username="tenant2",
> ...                               password="password",
> ...                               #project_name="tenant2",
> ...                               #project_domain_id="default",
> ...                               user_domain_id="default")
> >>>
> >>> attemp(tauth)
> ...
> keystoneauth1.exceptions.catalog.EmptyCatalog: The service catalog is
> empty.
>
> Can anyone help?
>
> Regards,
>      Neil
>
>