[EXTERNAL] Re: [kolla][keystone] Another keycloak issue
Mohamed Emine IBRAHIM
medemine.ibrahim at cloudnet.tn
Wed Jan 27 11:43:33 UTC 2021
Hello,
Maybe the user password is not mapped to keystone, so when you create a
new user via keycloak you need to set the password manually (openstack user
set test2 --password-prompt) and then use the CLI?
On 27/01/2021 10:09, Mark Goddard wrote:
> On Tue, 26 Jan 2021 at 17:02, Braden, Albert
> <C-Albert.Braden at charter.com> wrote:
>>
>> Another problem I'm encountering with keycloak is that the keycloak users can't login on the command line. I created user test2 via Keycloak and test3 via CLI. They have identical roles on the admin domain:
>>
>> (openstack) [root at chrnc-area51-build-01 ~]# os role assignment list --user test2
>> +----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
>> | Role                             | User                                                             | Group | Project                          | Domain | System | Inherited |
>> +----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
>> | 406a5f1cd92d45b5b3d54979235e896c | f4287b6082b8f36048d052eaa3d35facb94e5eff598d59d2aee68252ddb13339 |       | 15c32af517334e28a9427809a9fc4805 |        |        | False     |
>> +----------------------------------+------------------------------------------------------------------+-------+----------------------------------+--------+--------+-----------+
>> (openstack) [root at chrnc-area51-build-01 ~]# os role assignment list --user test3
>> +----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
>> | Role                             | User                             | Group | Project                          | Domain | System | Inherited |
>> +----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
>> | 406a5f1cd92d45b5b3d54979235e896c | 06a5f28d061f4d42b3bf64df378338fd |       | 15c32af517334e28a9427809a9fc4805 |        |        | False     |
>> +----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
>>
>> I made identical env-setting "rc" files with only the username changed. Test3 logs in successfully but test2 fails:
>>
>> (openstack) [root at chrnc-area51-build-01 ~]# . ./test2-openrc.sh
>> (openstack) [root at chrnc-area51-build-01 ~]# openstack server list
>> The request you have made requires authentication. (HTTP 401) (Request-ID: req-ad7ee855-df98-434a-9afc-89f64a7addd1)
>> (openstack) [root at chrnc-area51-build-01 ~]# . ./test3-openrc.sh
>> (openstack) [root at chrnc-area51-build-01 ~]# openstack server list
>>
>> (openstack) [root at chrnc-area51-build-01 ~]#
>>
>> The only obvious difference is the longer UID for the Keycloak users. Do Keycloak-created users require something different in the env? Do I need to change something in Keycloak, to make the Keycloak users work the same as CLI-created users? Where can I look in the database to find the differences between these two users?
>>
> I'm no expert on federation, but I understand that you need to use a
> slightly different method with the CLI. This page has some info:
> https://docs.openstack.org/python-openstackclient/latest/cli/man/openstack.html
>
--
Very truly yours, أطيب التمنيات
Mohamed Emine IBRAHIM
محمد أمين إبراهيم