[openstack-dev] [keystone][nova] Struggling with non-admin user on Queens install
Neil Jerram
neil at tigera.io
Thu Aug 9 21:36:02 UTC 2018
It appears this is to do with Keystone v3-created users not having any role
assignment by default. Big thanks to lbragstad for helping me to
understand this on IRC; he also provided this link as historical context
for this situation: https://bugs.launchpad.net/keystone/+bug/1662911.
In detail, I was creating a non-admin project and user like this:
tenant = self.keystone3.projects.create(username,
                                        "default",
                                        description=description,
                                        enabled=True)
user = self.keystone3.users.create(username,
                                   domain="default",
                                   project=tenant.id,
                                   password=password)
With just that, that user won't be able to do anything; you need to give it
a role assignment as well, for example:
admin_role = None
for role in self.keystone3.roles.list():
    _log.info("role: %r", role)
    if role.name == 'admin':
        admin_role = role
        break
assert admin_role is not None, "Couldn't find 'admin' role"
self.keystone3.roles.grant(admin_role, user=user,
                           project=tenant)
I still don't have a good understanding of what 'admin' within that project
really means, or why it means that that user can then do, e.g.
nova.images.list(); but at least I have a working system again.
Regards,
Neil
On Thu, Aug 9, 2018 at 4:42 PM Neil Jerram <neil at tigera.io> wrote:
> I'd like to create a non-admin project and user that are able to do
> nova.images.list(), in a Queens install. IIUC, all users should be able to
> do that. I'm afraid I'm pretty lost and would appreciate any help.
>
> Define a function to test whether a particular set of credentials can do
> nova.images.list():
>
> from keystoneauth1 import identity
> from keystoneauth1 import session
> from novaclient.client import Client as NovaClient
>
> def attemp(auth):
>     sess = session.Session(auth=auth)
>     nova = NovaClient(2, session=sess)
>     for i in nova.images.list():
>         print(i)
>
> With an admin user, things work:
>
> >>> auth_url = "http://controller:5000/v3"
> >>> auth = identity.Password(auth_url=auth_url,
> ...                          username="admin",
> ...                          password="abcdef",
> ...                          project_name="admin",
> ...                          project_domain_id="default",
> ...                          user_domain_id="default")
> >>> attemp(auth)
> <Image: ipv6_enabled_image>
> <Image: cirros-0.3.2-x86_64>
>
> With a non-admin user with project_id specified, 401:
>
> >>> tauth = identity.Password(auth_url=auth_url,
> ...                           username="tenant2",
> ...                           password="password",
> ...                           project_id="tenant2",
> ...                           user_domain_id="default")
> >>> attemp(tauth)
> ...
> keystoneauth1.exceptions.http.Unauthorized: The request you have made
> requires authentication. (HTTP 401) (Request-ID:
> req-ed0630a4-7df0-4ba8-a4c4-de3ecb7b4d7d)
>
> With the same but without project_id, I get an empty service catalog
> instead:
>
> >>> tauth = identity.Password(auth_url=auth_url,
> ...                           username="tenant2",
> ...                           password="password",
> ...                           #project_name="tenant2",
> ...                           #project_domain_id="default",
> ...                           user_domain_id="default")
> >>>
> >>> attemp(tauth)
> ...
> keystoneauth1.exceptions.catalog.EmptyCatalog: The service catalog is
> empty.
>
> Can anyone help?
>
> Regards,
> Neil
>
>
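The fix described above (create project and user, then grant a role on the project) as an added example that is not part of the thread: it wraps the same python-keystoneclient v3 calls in a helper that takes the role name as a parameter and then verifies the effective assignment via `role_assignments.list`, so a missing grant is caught before the credentials are handed out. `FakeKeystone` and the role names in the test are constructed stand-ins so the module runs offline.

```python
"""Provision a Keystone v3 project/user and verify the user holds a role on
the project before handing out credentials. Added example (not the thread's
code) written against the python-keystoneclient v3 API; FakeKeystone is a
constructed offline stand-in for keystoneclient.v3.client.Client."""
import uuid

def find_role(keystone, role_name):
    for role in keystone.roles.list():
        if role.name == role_name:
            return role
    return None

def provision_project_user(keystone, name, password, role_name, domain="default"):
    """Create project + user and grant role_name on the project. Without the
    grant a project-scoped token request fails with HTTP 401 and an unscoped
    token carries an empty service catalog (the two symptoms in the thread)."""
    role = find_role(keystone, role_name)
    if role is None:
        raise LookupError("role %r does not exist in Keystone" % role_name)
    project = keystone.projects.create(name, domain, enabled=True)
    user = keystone.users.create(name, domain=domain, password=password,
                                 default_project=project.id)
    keystone.roles.grant(role, user=user, project=project)
    return project, user

def effective_role_names(keystone, user, project):
    """Roles the user effectively holds on the project: run this after
    provisioning instead of assuming the grant took effect."""
    by_id = {r.id: r.name for r in keystone.roles.list()}
    found = keystone.role_assignments.list(user=user, project=project, effective=True)
    return {by_id[a.role["id"]] for a in found}
class _Obj:
    def __init__(self, **kw): self.__dict__.update(kw)

class FakeKeystone:  # constructed stand-in; mirrors only the calls used above
    def __init__(self, role_names):
        self._roles = [_Obj(id=uuid.uuid4().hex, name=n) for n in role_names]
        self._grants, ks = [], self
        class Roles:
            def list(self_): return list(ks._roles)
            def grant(self_, role, user=None, project=None):
                ks._grants.append((user.id, project.id, role.id))
        class Creator:
            def create(self_, name, *a, **kw): return _Obj(id=uuid.uuid4().hex, name=name)
        class Assignments:
            def list(self_, user=None, project=None, effective=False):
                return [_Obj(role={"id": r}) for (u, p, r) in ks._grants
                        if u == user.id and p == project.id]
        self.roles, self.projects, self.users = Roles(), Creator(), Creator()
        self.role_assignments = Assignments()
```

Against a real deployment, pass `keystoneclient.v3.client.Client(session=sess)` in place of `FakeKeystone` and choose the least-privileged role your policy files define for the project's workload rather than `admin`.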