[EXTERNAL] Re: [kolla][keystone] Keycloak "More than one user" error

Braden, Albert C-Albert.Braden at charter.com
Tue Jan 26 13:29:10 UTC 2021

>-----Original Message-----
>From: Mark Goddard <mark at stackhpc.com> 
>Sent: Tuesday, January 26, 2021 3:47 AM
>To: Braden, Albert <C-Albert.Braden at charter.com>
>Cc: openstack-discuss at lists.openstack.org
>Subject: [EXTERNAL] Re: [kolla][keystone] Keycloak "More than one user" error
>Adding keystone tag.
>On Mon, 25 Jan 2021 at 13:35, Braden, Albert
><C-Albert.Braden at charter.com> wrote:
>> We’re running Train on CentOS 7, and using Keycloak for auth. After I set up Keycloak, create a user in Keycloak, and then log in to Horizon via Keycloak, a user is created in Keystone:


>> Where should I be looking for the cause of this error?

>Have you checked if there are other test users in a different domain?

I think I successfully checked that. Looking at "openstack help user list" I see that it allows me to filter users by domain, group or project. It appears that not adding any filters will show all users in all domains. Also, I checked the database.

I tried deleting the "test" user:

(openstack) [root@chrnc-area51-build-01 config]# os user show test
More than one user exists with the name 'test'.
(openstack) [root@chrnc-area51-build-01 config]# os user delete test
Failed to delete user with name or ID 'test': More than one user exists with the name 'test'.
1 of 1 users failed to delete.
(openstack) [root@chrnc-area51-build-01 config]# os user list
| ID                                                               | Name              |
| ccb276f4f507fd9f271d629d2ad896d2c97e04f81336cd8c1332f4b2df115ca2 | test              |
| f4287b6082b8f36048d052eaa3d35facb94e5eff598d59d2aee68252ddb13339 | test2             |
| e81999534559450688c730aad58738dc                                 | admin             |
| 23fb5632aaa548b68871634577c5bf42                                 | glance            |
| 5e7d65357275446bbc2007826327350d                                 | cinder            |
| 76217f42ce37481faa69b6b610e65f19                                 | placement         |
| e1832eb444044d7f8a266d22d517dc98                                 | nova              |
| cba584661261497f9b522c4752120d5f                                 | neutron           |
| 034d6fcd28ef4b61b5e56d1dc79c9927                                 | heat              |
| 6d38774ad4614764932cb338add97403                                 | heat_domain_admin |
| 59f68b88481e4e738f4a4943ff6c6496                                 | masakari          |
| 5d539533ecda4bd197a6ed281c6d268b                                 | abraden           |
| 5d5f353f00434d9195208efad74f8113                                 | adjutant          |
(openstack) [root@chrnc-area51-build-01 config]# os user delete ccb276f4f507fd9f271d629d2ad896d2c97e04f81336cd8c1332f4b2df115ca2
(openstack) [root@chrnc-area51-build-01 config]# os user show test
No user with a name or ID of 'test' exists.

After deleting the "test" user, and then re-creating it with a Keycloak login, the problem goes away. It seems to only happen with the first Keycloak user on a new cluster.

(openstack) [root@chrnc-area51-build-01 config]# os user show test
| Field               | Value                                                            |
| domain_id           | 4678301ef9a24d54bcd2e87a8fbc6872                                 |
| email               | test@example.com                                                 |
| enabled             | True                                                             |
| id                  | ccb276f4f507fd9f271d629d2ad896d2c97e04f81336cd8c1332f4b2df115ca2 |
| name                | test                                                             |
| options             | {}                                                               |
| password_expires_at | None                                                             |
