[openstack-dev] Openstack CLI issues

Lance Bragstad lbragstad at gmail.com
Tue Jan 9 21:18:44 UTC 2018

On 01/09/2018 11:57 AM, Akshay Kapoor wrote:
> Hello Everyone !
> I am facing some issues with the Openstack CLI
> Scenario:
> I have a domain admin user account (say 'A')
> I want to assign this user as an 'admin' to two projects X and Y in
> the same domain.
> When I trigger the command 'openstack --insecure role add --user
> "$OS_USERNAME" --project "X" admin' , I get the following error:
> The request you have made requires authentication. (HTTP 401)
Are you sure your credentials are right when authenticating? Based
solely on the information provided there could be a couple of things
happening. The first is that the credentials provided to make the call
are incorrect. The second is that the user your attempting to
authenticate as to make the call doesn't have a role on the project
keystoneauth is trying to get a scoped token for (which can be denoted

If you were able to get a token and use it to make the call and if you
didn't have the right permissions to assign roles to other users you'd
be seeing a 403 instead of a 401.

Those are just a couple suggestions based on the information provided.
If you have access to the keystone logs you should see log warning or
debug messaging that might be more helpful (depending on the configuration).

Keystone does provide an administrator account during the bootstrap
process [0] which should have the proper role to do these operations
according to the default policies.

[0] https://docs.openstack.org/keystone/latest/admin/identity-bootstrap.html

> How can I add this admin user as an admin to two different tenants
> (where this admin account has no role previously). Once this role
> assignment is done, I want to setup rbac access between two projects
> 'X' and 'Y'
> Any help would be really appreciated. Thanks
> Best Regards,
> Akshay
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180109/8ccb23cf/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180109/8ccb23cf/attachment.sig>

More information about the OpenStack-dev mailing list