[Openstack-operators] [newton] [keystone] [nova] [novaclient] [shibboleth] [v3token] [ecp] nova boot fails for federated users
Evan Bollig PhD
boll0107 at umn.edu
Mon May 1 17:47:25 UTC 2017
Trying to figure out if this is a bug in ECP support within
novaclient, or if I am misconfiguring something. Any feedback helps!

We have keystone configured to use a separate Shibboleth server for
auth (with an ECP endpoint). Federated users with the _member_ role on
a project can boot VMs using "openstack server create", but attempts
to use "nova boot" (novaclient) are blocked by this error:

$ nova list
ERROR (AttributeError): 'Namespace' object has no attribute 'os_user_id'

To auth, we have users generate a token with unscoped saml:
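
# Authenticate against the Shibboleth ECP endpoint for an unscoped token
export OS_AUTH_TYPE=v3unscopedsaml
unset OS_AUTH_STRATEGY
export OS_IDENTITY_PROVIDER=testshib
export OS_PROTOCOL=saml2
export OS_IDENTITY_PROVIDER_URL=https://shibboleth-server/ECP
unset OS_TOKEN
export OS_TOKEN=$( openstack token issue -c id -f value --debug )
unset OS_PASSWORD
# Quote the variable so the test is well-formed whatever the token contains
if [ -z "$OS_TOKEN" ]; then
    echo -e "\nERROR: Bad authentication"
    unset OS_TOKEN
else
    echo -e "\nAuthenticated."
fi
unset OS_USER_DOMAIN_NAME
# Later client calls reuse the issued token instead of re-authenticating
export OS_AUTH_TYPE=v3token
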
Cheers,
-E
--
Evan F. Bollig, PhD
Scientific Computing Consultant, Application Developer | Scientific
Computing Solutions (SCS)
Minnesota Supercomputing Institute | msi.umn.edu
University of Minnesota | umn.edu
boll0107 at umn.edu | 612-624-1447 | Walter Lib Rm 556