[EXTERNAL] Re: [kolla][keystone] Another keycloak issue

Braden, Albert C-Albert.Braden at charter.com
Tue Jan 26 17:02:05 UTC 2021


Another problem I'm encountering with Keycloak is that the Keycloak users can't log in on the command line. I created user test2 via Keycloak and test3 via CLI. They have identical roles on the admin domain:

(openstack) [root at chrnc-area51-build-01 ~]# os role assignment list --user test2
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                                                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
| 406a5f1cd92d45b5b3d54979235e896c | f4287b6082b8f36048d052eaa3d35facb94e5eff598d59d2aee68252ddb13339 |       | 15c32af517334e28a9427809a9fc4805 |        |        | False     |
+----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
(openstack) [root at chrnc-area51-build-01 ~]# os role assignment list --user test3
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| 406a5f1cd92d45b5b3d54979235e896c | 06a5f28d061f4d42b3bf64df378338fd |       | 15c32af517334e28a9427809a9fc4805 |        |        | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+

I made identical env-setting "rc" files with only the username changed. Test3 logs in successfully but test2 fails:

(openstack) [root at chrnc-area51-build-01 ~]# . ./test2-openrc.sh
(openstack) [root at chrnc-area51-build-01 ~]# openstack server list
The request you have made requires authentication. (HTTP 401) (Request-ID: req-ad7ee855-df98-434a-9afc-89f64a7addd1)
(openstack) [root at chrnc-area51-build-01 ~]# . ./test3-openrc.sh
(openstack) [root at chrnc-area51-build-01 ~]# openstack server list

(openstack) [root at chrnc-area51-build-01 ~]#

The only obvious difference is the longer UID for the Keycloak users. Do Keycloak-created users require something different in the env? Do I need to change something in Keycloak to make the Keycloak users work the same as CLI-created users? Where can I look in the database to find the differences between these two users?

RC files:

(openstack) [root at chrnc-area51-build-01 ~]# cat test2-openrc.sh
# Clear any old environment that may conflict.
for key in $( set | awk '{FS="="}  /^OS_/ {print $1}' ); do unset $key ; done
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=test2
export OS_TENANT_NAME=test2
export OS_USERNAME=test2
export OS_PASSWORD=<password>
export OS_AUTH_URL=http://192.168.0.10:35357/v3
export OS_INTERFACE=internal
export OS_ENDPOINT_TYPE=internalURL
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME=chrnc-area51-01
export OS_AUTH_PLUGIN=password
export OS_CACERT=/etc/kolla/certificates/openstack.area51.dev.chtrse.com.pem
(openstack) [root at chrnc-area51-build-01 ~]# cat test3-openrc.sh
# Clear any old environment that may conflict.
for key in $( set | awk '{FS="="}  /^OS_/ {print $1}' ); do unset $key ; done
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=test
export OS_TENANT_NAME=test
export OS_USERNAME=test3
export OS_PASSWORD=<password>
export OS_AUTH_URL=http://192.168.0.10:35357/v3
export OS_INTERFACE=internal
export OS_ENDPOINT_TYPE=internalURL
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME=chrnc-area51-01
export OS_AUTH_PLUGIN=password
export OS_CACERT=/etc/kolla/certificates/openstack.area51.dev.chtrse.com.pem