[Openstack] Re: Re: keystone client issues

James jameszee13 at gmail.com
Wed Oct 16 22:29:01 UTC 2013


Thanks again for the response.

Regarding (a), keystone user-list was precisely what I needed. Thanks!

Regarding (b), I started poking around some more to see if I could
uncover some more information. Here's what I found:

(i) First, we'll get a list of tenants and grep for the lab I'm working on:

~ % keystone tenant-list | grep -i test-lab-04
| 018372ce3a80b47e6bead07576c12de3 |             test-lab-04 |   True  |

Works great, as expected.


(ii) Let's say I want to get a list of users that belong to the
test-lab-04 project. I'll use the user-list argument, as you (very
helpfully) pointed out.

~ % keystone user-list --tenant test-lab-04
+----------------------------------+--------------+---------+--------------------+
|                id                |     name     | enabled |       email        |
+----------------------------------+--------------+---------+--------------------+
| 32aa730f6ff44123bd672604bebcabcd |   automate   |   True  |                    |
| 08fda18ab93bedd231ad216d1acabcd  |   test-user  |   True  | email at somewhere.me |
| 23d0a2d141ab44ddabdbc17f0c68abcd | org-training |   True  |                    |
+----------------------------------+--------------+---------+--------------------+

While this *LOOKS* good, the keystone server spits out in the keystone.log file:

2013-10-16 22:08:44  WARNING [keystone.common.wsgi] Could not find project: test-lab-04

Ermmm...okay? At least it gave me the information I needed.


(iii) Let's try to get the role for "test-user" (UUID
08fda18ab93bedd231ad216d1acabcd in the table above).

-> CLIENT <-
~ % keystone user-role-list --tenant test-lab-04 --user test-user
An unexpected error prevented the server from fulfilling your request.
global name 'user_ref' is not defined (HTTP 500)


-> SERVER (keystone.log) <-
==> keystone.log <==
2013-10-16 22:15:16  WARNING [keystone.common.wsgi] Could not find project: test-lab-04
2013-10-16 22:15:18    ERROR [root] global name 'user_ref' is not defined
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 236, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 167, in get_user
    ref = self.identity_api.get_user(context, user_id)
  File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 47, in _wrapper
    return f(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/hybrid.py", line 100, in get_user
    user_ref = self._get_user(user_id)
  File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/hybrid.py", line 97, in _get_user
    return self.user.get(user_ref['email'])
NameError: global name 'user_ref' is not defined

...

I tested this same sequence of commands from an Ubuntu box (and the
keystone client that comes with it) -- no issues. In fact, even when
executing (ii) above, where only the tenant was passed in, the command
executed without any errors / logs on the keystone server.

I'm inclined to believe that the keystone client on OS X is hosed
somehow. I installed the client via "pip install
python-keystoneclient" -- no issues there. I just upgraded to 0.4.1
and the problem still exists.

Has anyone seen this before?

Thanks!


On Tue, Oct 15, 2013 at 11:45 PM, Chenrui (A) <kiwik.chenrui at huawei.com> wrote:
> My keystoneclient version is 0.3.2
>
> (a)
> If you want to get all users in a tenant, please try 'keystone user-list --tenant-id xxxxx'.
> If you want to get all roles of all users in a tenant, you need to get all users in the tenant first, then use 'keystone user-role-list' to get each user's roles and put them together.
>
> (b)
> I checked the keystoneclient user-role-list code in the github master branch.
> Keystoneclient will try to use the user name and tenant name to get the user and tenant; if it can't find them (404), it then gets all tenants and users and picks out the result with the same name.
> I think the problem occurs in the event of 500 responses. Can you paste some keystone error log? Maybe change to another user-name and try again.
>
>     # now try the entity as a string
>     try:
>         return manager.get(name_or_id)
>     except (exceptions.NotFound):
>         pass
>
>     # finally try to find entity by name
>     try:
>         if isinstance(name_or_id, str):
>             name_or_id = name_or_id.decode('utf-8', 'strict')
>         return manager.find(name=name_or_id)
>
>
> -----Original Message-----
> From: James [mailto:jameszee13 at gmail.com]
> Sent: October 16, 2013 1:29
> To: Chenrui (A)
> Cc: openstack at lists.openstack.org
> Subject: Re: Re: [Openstack] keystone client issues
>
> Thanks for the reply. Answers in-line.
>
> On Mon, Oct 14, 2013 at 10:53 PM, Chenrui (A) <kiwik.chenrui at huawei.com> wrote:
>> What is the version of your keystone?
>> My version is 2013.2~rc1-0ubuntu1~cloud0
>
>
> v0.4.0 on this end.
>
>
>> I ran the same case on my host; (a) was encountered, but (b) was not.
>> I tried running the command with --debug and found that user-role-list will use the authenticated user id as the default user-id.
>> Please check whether your authenticated user has roles in the tenant.
>> So I think (a) is the default behavior, not a bug :)
>>
>> (a)
>> root at ubuntu-02:~# keystone user-role-list --tenant-id d5e7a29a420949d3a7ef1c0513c5477a
>>
>> root at ubuntu-02:~# keystone user-role-list --tenant-id d5e7a29a420949d3a7ef1c0513c5477a --user-id 63e367c0374e48a59e0e69f763590a35
>> +----------------------------------+----------+----------------------------------+----------------------------------+
>> |                id                |   name   |             user_id              |            tenant_id             |
>> +----------------------------------+----------+----------------------------------+----------------------------------+
>> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 63e367c0374e48a59e0e69f763590a35 | d5e7a29a420949d3a7ef1c0513c5477a |
>> +----------------------------------+----------+----------------------------------+----------------------------------+
>
>
> I was going on the assumption that without the --user-id, keystone
> would return a list of all users in the project. If this is proper
> behavior, then what is the best way to get a list of all users in a
> tenant / project?
>
>
>> (b)
>> root at ubuntu-02:~# keystone user-role-list --tenant service --user cinder
>> +----------------------------------+--------+----------------------------------+----------------------------------+
>> |                id                |  name  |             user_id              |            tenant_id             |
>> +----------------------------------+--------+----------------------------------+----------------------------------+
>> | c4327e8913ca41b59f61bd5f58d8e420 | Member | 89b87b9b584b40a09aae9d9283992444 | d5e7a29a420949d3a7ef1c0513c5477a |
>> | 6d740d49f4424501a83439dcbd03e027 | admin  | 89b87b9b584b40a09aae9d9283992444 | d5e7a29a420949d3a7ef1c0513c5477a |
>> +----------------------------------+--------+----------------------------------+----------------------------------+
>
>
> This one is also interesting -- I know it *should* work (I've seen
> some of my colleagues do this on their systems), but it doesn't work
> here. Here's what the debug output shows (truncated for brevity and
> security):
>
>
> -->8--
>
> ~ % keystone --debug user-role-list --tenant train-lab-04 --user <some_username>
> REQ: curl -i -X POST http://10.96.201.187:35357/v2.0/tokens -H
> "Content-Type: application/json" -H "User-Agent:
> python-keystoneclient"
> REQ BODY: {"auth": {"tenantName": "<blah>", "passwordCredentials":
> {"username": "admin", "password": "SOMEPASSWORD"}}}
>
> RESP: [200] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:07
> GMT', 'vary': 'X-Auth-Token', 'content-length': '2416',
> 'content-type': 'application/json'})
> RESP BODY: {"access": {"token": {"issued_at":
> "2013-10-15T17:08:06.805770", "expires": "2013-10-16T17:08:06Z", "id":
> "fb76306e38a64c55b9ce46ae2029abcd", "tenant": {"description": "Default
> Tenant - Admin", "enabled": true, "id":
> "fc9ba4c1d32d48679b5c3e9b2c00abcd", "name": "<blah>"}},
> "serviceCatalog": [{"endpoints": [{"adminURL":
> "http://10.96.201.185:8774/v2/fc9ba4c1d32d48679b5c3e9b2c00abcd",
> "region": "PA", "internalURL":
> "http://10.96.201.185:8774/v2/fc9ba4c1d32d48679b5c3e9b2c00abcd", "id":
> "280c800402da47d393e4e0890a5abcde", "publicURL":
> "http://10.96.201.185:8774/v2/fc9ba4c1d32d48679b5c3e9b2c00abcd"}],
> "endpoints_links": [], "type": "compute", "name": "nova"},
> {"endpoints": [{"adminURL": "http://10.96.201.188:9696", "region":
> "PA", "internalURL": "http://10.96.201.188:9696", "id":
> "fc9ba4c1d32d48679b5c3e9b2c00abcd", "publicURL":
> "http://10.96.201.188:9696"}], "endpoints_links": [], "type":
> "network", "name": "quantum"}, {"endpoints": [{"adminURL":
> "http://10.96.201.185:9292", "region": "PA", "internalURL":
> "http://10.96.201.185:9292", "id": "be1d2f2449ac448299c1258913babcde",
> "publicURL": "http://10.96.201.185:9292"}], "endpoints_links": [],
> "type": "image", "name": "glance"}, {"endpoints": [{"adminURL":
> "http://10.96.201.190:8776/v1/fc9ba4c1d32d48679b5c3e9b2c00abcd",
> "region": "PA", "internalURL":
> "http://10.96.201.190:8776/v1/fc9ba4c1d32d48679b5c3e9b2c00abcd", "id":
> "9ae35a87f24040038851ce9c9eabcde", "publicURL":
> "http://10.96.201.190:8776/v1/fc9ba4c1d32d48679b5c3e9b2cabcde"}],
> "endpoints_links": [], "type": "volume", "name": "cinder"},
> {"endpoints": [{"adminURL": "http://10.96.201.185:8773/service/Cloud",
> "region": "PA", "internalURL":
> "http://10.96.201.185:8773/service/Cloud", "id":
> "0ae37a0217d6445e8adbb5ce08abcde", "publicURL":
> "http://10.96.201.185:8773/service/Cloud"}], "endpoints_links": [],
> "type": "ec2", "name": "ec2"}, {"endpoints": [{"adminURL":
> "http://10.96.201.187:35357/v2.0", "region": "PA", "internalURL":
> "http://10.96.201.187:5000/v2.0", "id":
> "37b3aa6fade24ced8d6dae8fdaabcdef", "publicURL":
> "http://10.96.201.187:5000/v2.0"}], "endpoints_links": [], "type":
> "identity", "name": "keystone"}], "user": {"username": "admin",
> "roles_links": [], "id": "5e363b8f0665443d89ca9d9787aabcde", "roles":
> [{"name": "admin"}, {"name": "_member_"}], "name": "admin"},
> "metadata": {"is_admin": 0, "roles":
> ["b04ac30a90f64c3692d54c73e92abcd",
> "9fe2ff9ee4384b1894a90878d3e9abcd"]}}}
>
> REQ: curl -i -X GET
> http://10.96.201.187:35357/v2.0/tenants/train-lab-04 -H "User-Agent:
> python-keystoneclient" -H "X-Auth-Token:
> fb76306e38a64c55b9ce46ae2029abcd"
> RESP: [404] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:07
> GMT', 'vary': 'X-Auth-Token', 'content-length': '97', 'content-type':
> 'application/json'})
> RESP BODY: {"error": {"message": "Could not find project:
> train-lab-04", "code": 404, "title": "Not Found"}}
>
> Request returned failure status: 404
> REQ: curl -i -X GET http://10.96.201.187:35357/v2.0/tenants -H
> "User-Agent: python-keystoneclient" -H "X-Auth-Token:
> fb76306e38a64c55b9ce46ae2029abcd"
> RESP: [200] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:08
> GMT', 'vary': 'X-Auth-Token', 'content-length': '65744',
> 'content-type': 'application/json'})
> RESP BODY: {"tenants_links": [], "tenants": [<blah blah
> blah>{"description": "Training Lab", "enabled": true, "id":
> "19371ce3a80b47e6bc31d7576c912de3", "name": "train-lab-04"}, <blah
> blah blah>]} <-- note that train-lab-04 is listed here!
>
> REQ: curl -i -X GET
> http://10.96.201.187:35357/v2.0/users/<some_username> -H "User-Agent:
> python-keystoneclient" -H "X-Auth-Token:
> fb76306e38a64c55b9ce46ae2029abcd"
> RESP: [500] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:09
> GMT', 'vary': 'X-Auth-Token', 'content-length': '181', 'content-type':
> 'application/json'})
> RESP BODY: {"error": {"message": "An unexpected error prevented the
> server from fulfilling your request. global name 'user_ref' is not
> defined", "code": 500, "title": "Internal Server Error"}}
>
> Request returned failure status: 500
> An unexpected error prevented the server from fulfilling your request.
> global name 'user_ref' is not defined (HTTP 500)
>
> --8<--
>
>
> Here you can see that I'm logging in as admin (so I *should* be able
> to see all tenants and users, no?), and that the server returns a 404.
> In the tenant_links response, however, you can clearly see
> train-lab-04. As I mentioned in my first post, if I search
> using the UUID of the tenant and the user, things work
> without any hiccups. Any ideas why?
>
> Thanks!
>
>
>> -----Original Message-----
>> From: James [mailto:jameszee13 at gmail.com]
>> Sent: October 15, 2013 4:43
>> To: openstack at lists.openstack.org
>> Subject: [Openstack] keystone client issues
>>
>> All,
>>
>> Hoping someone can point me in the right direction with two questions I have.
>>
>>
>> (a) Getting Roles from Tenant
>> I'm trying to get list of *all users* that are part of a project, as follows:
>>
>> % keystone tenant-list | grep -i test-lab
>> | 19371ce3a80b47e6bc31d7576c912de3 |             train-lab-04 |   True  |
>>
>> % keystone user-role-list --tenant-id 19371ce3a80b47e6bc31d7576c912ce3
>> <-- empty response
>>
>> % keystone user-role-list --tenant-id 19371ce3a80b47e6bc31d7576c912de3 --user-id 08fda199e7e34348ab2d216d1ac18f9a
>> +----------------------------------+--------+----------------------------------+----------------------------------+
>> |                id                |  name  |             user_id              |            tenant_id             |
>> +----------------------------------+--------+----------------------------------+----------------------------------+
>> | bff399d92fa74d2e81ffdebb9cd4cc11 | member | 08fda199e7e34348ab2d216d1ac18f9a | 19371ce3a80b47e6bc31d7576c912ce3 |
>> +----------------------------------+--------+----------------------------------+----------------------------------+
>>
>> Is this a bug, or is there a way to get a list of all users that are
>> members of a tenant? Seems like the user-role-list command should
>> execute without a user-id being passed in.
>>
>>
>> (b) Using Non-UUID Values
>> I've seen some folks use usernames instead of UUIDs like this:
>>
>> keystone user-role-list --tenant <blah> --user <blah2>
>>
>> When I attempt to do this, I get the following error:
>>
>> An unexpected error prevented the server from fulfilling your request.
>> global name 'user_ref' is not defined (HTTP 500)
>>
>> Is there something that prevents me from using usernames and plain
>> tenant names instead of UUIDs, or is this a bug with the client?
>>
>>
>> Thanks!
>>
>> _______________________________________________
>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
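
Added example (not part of the original thread, and not keystoneclient's own code): a minimal model of the lookup order visible in the --debug output above, where a name is first tried as an ID and the by-name listing runs only after a 404, so a 500 on that first request ends the lookup. FakeManager, ServerError, resolve and the placeholder user record are hypothetical names constructed for illustration.

```python
class NotFound(Exception):
    """Stand-in for the client's HTTP 404 exception."""

class ServerError(Exception):
    """Stand-in for an HTTP 500 surfaced to the client."""

class FakeManager:
    """Constructed stand-in for a tenant or user manager (hypothetical)."""
    def __init__(self, records, miss_error):
        self.records = records        # {id: name}
        self.miss_error = miss_error  # what GET /<unknown id> raises
        self.calls = []               # requests issued, in order

    def get(self, ident):
        self.calls.append("GET /" + ident)
        if ident in self.records:
            return {"id": ident, "name": self.records[ident]}
        raise self.miss_error(ident)

    def find(self, name):
        self.calls.append("LIST")
        for ident, known in self.records.items():
            if known == name:
                return {"id": ident, "name": known}
        raise NotFound(name)

def find_resource(manager, name_or_id):
    try:                      # first treat the argument as an ID
        return manager.get(name_or_id)
    except NotFound:          # only a 404 falls through to the name search
        pass
    return manager.find(name=name_or_id)

def resolve(manager, name_or_id):
    """Return (outcome, requests issued) for one lookup."""
    try:
        return "ok:" + find_resource(manager, name_or_id)["id"], manager.calls
    except ServerError:
        return "http-500", manager.calls

def make_tenants():  # tenant row as shown in the thread's tenant listing
    return FakeManager({"19371ce3a80b47e6bc31d7576c912de3": "train-lab-04"}, NotFound)

def make_users():    # constructed placeholder user; unknown IDs raise a 500
    return FakeManager({"USER-UUID-PLACEHOLDER": "some_username"}, ServerError)

if __name__ == "__main__":
    print(resolve(make_tenants(), "train-lab-04"))
    print(resolve(make_users(), "some_username"))
    print(resolve(make_users(), "USER-UUID-PLACEHOLDER"))
```

The tenant lookup issues two requests (the 404, then the listing), while the user lookup by name stops at the first request and the lookup by UUID never needs the fallback.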



