[Openstack] Keystone admin user not really "admin"
Erich Weiler
weiler at soe.ucsc.edu
Mon Apr 28 20:01:00 UTC 2014
Hi Y'all,
I'm having this very odd problem with the keystone "admin" user, under
Icehouse, for my internal proof-of-concept openstack cluster.
I created an "admin" user and an "admin" tenant, then assigned the roles
as such (these commands run with the admin OS_SERVICE_TOKEN):
keystone tenant-list
WARNING: Bypassing authentication using a token & endpoint
(authentication credentials are being ignored).
+----------------------------------+---------+---------+
| id | name | enabled |
+----------------------------------+---------+---------+
| 5927cd6622ed4a7ab11516927f4181e5 | admin | True |
| 7c1980078e044cb08250f628cbe73d29 | cbse | True |
| 97c559c870b64f24b43e246a523a331d | service | True |
+----------------------------------+---------+---------+
keystone user-get admin
WARNING: Bypassing authentication using a token & endpoint
(authentication credentials are being ignored).
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | cluster-admin at soe.ucsc.edu |
| enabled | True |
| id | 99b501f662704849852514a853ab55ca |
| name | admin |
| username | admin |
+----------+----------------------------------+
keystone user-role-list --user admin --tenant admin
WARNING: Bypassing authentication using a token & endpoint
(authentication credentials are being ignored).
+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id
| tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
99b501f662704849852514a853ab55ca | 5927cd6622ed4a7ab11516927f4181e5 |
| eb2badd0ce364882bf0ecedcaf51ec9f | admin |
99b501f662704849852514a853ab55ca | 5927cd6622ed4a7ab11516927f4181e5 |
+----------------------------------+----------+----------------------------------+----------------------------------+
However, when I remove the OS_SERVICE_TOKEN from my ENV variables and
re-login, just using the following:
export OS_USERNAME=admin
export OS_PASSWORD=xxxxxx
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://myserver.local:35357/v2.0
I seem to authenticate OK, but I can't seem to do "admin" like things.
When I was experimenting with Icehouse RC1 this worked just fine, but
now it doesn't work. Like, I try this:
# keystone user-list
The resource could not be found. (HTTP 404)
keystone tenant-list
+----------------------------------+-------+---------+
| id | name | enabled |
+----------------------------------+-------+---------+
| 5927cd6622ed4a7ab11516927f4181e5 | admin | True |
+----------------------------------+-------+---------+
Even though there are more tenants than just that one tenant, as shown
above. It almost seems the like "admin" user here is "just another
user", one without admin rights.
I looked in the keystone logs when trying the last "keystone user-list"
command and saw this:
2014-04-28 12:53:56.891 17613 DEBUG keystone.middleware.core [-] Auth
token not in the request header. Will not build auth context.
process_request
/usr/lib/python2.6/site-packages/keystone/middleware/core.py:271
2014-04-28 12:53:56.893 17613 DEBUG keystone.common.wsgi [-] arg_dict:
{} __call__ /usr/lib/python2.6/site-packages/keystone/common/wsgi.py:181
2014-04-28 12:53:56.899 17613 DEBUG keystone.notifications [-] CADF
Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event',
'initiator': {'typeURI': 'service/security/account/user', 'host':
{'agent': 'python-keystoneclient', 'address': '10.1.1.147'}, 'id':
'openstack:46f88e47-8dc5-4761-adb3-d5ac1c104ed2', 'name':
u'99b501f662704849852514a853ab55ca'}, 'target': {'typeURI':
'service/security/account/user', 'id':
'openstack:c3e6a002-f10f-4323-9da4-0c5c91f278f3'}, 'observer':
{'typeURI': 'service/security', 'id':
'openstack:3cbbc605-427e-433e-b329-d9e6d4b5c16e'}, 'eventType':
'activity', 'eventTime': '2014-04-28T19:53:56.898906+0000', 'action':
'authenticate', 'outcome': 'pending', 'id':
'openstack:8f9605fe-9498-4d37-9024-d13767af8382'}
_send_audit_notification
/usr/lib/python2.6/site-packages/keystone/notifications.py:289
2014-04-28 12:53:56.948 17613 DEBUG keystone.notifications [-] CADF
Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event',
'initiator': {'typeURI': 'service/security/account/user', 'host':
{'agent': 'python-keystoneclient', 'address': '10.1.1.147'}, 'id':
'openstack:46f88e47-8dc5-4761-adb3-d5ac1c104ed2', 'name':
u'99b501f662704849852514a853ab55ca'}, 'target': {'typeURI':
'service/security/account/user', 'id':
'openstack:6955d3f0-41da-49c0-9f1b-025d60195a5f'}, 'observer':
{'typeURI': 'service/security', 'id':
'openstack:07ce1f0d-cd8d-495e-9e93-5a60dd0abb33'}, 'eventType':
'activity', 'eventTime': '2014-04-28T19:53:56.947942+0000', 'action':
'authenticate', 'outcome': 'success', 'id':
'openstack:b8335d16-2f9a-42bf-bfb8-071c07d4206d'}
_send_audit_notification
/usr/lib/python2.6/site-packages/keystone/notifications.py:289
2014-04-28 12:53:57.002 17613 INFO eventlet.wsgi.server [-] 10.1.1.147 -
- [28/Apr/2014 12:53:57] "POST /v2.0/tokens HTTP/1.1" 200 6397 0.111563
2014-04-28 12:53:57.020 17613 DEBUG keystone.middleware.core [-] RBAC:
auth_context: {'project_id': u'5927cd6622ed4a7ab11516927f4181e5',
'user_id': u'99b501f662704849852514a853ab55ca', 'roles': [u'_member_',
u'admin']} process_request
/usr/lib/python2.6/site-packages/keystone/middleware/core.py:281
2014-04-28 12:53:57.023 17613 INFO eventlet.wsgi.server [-] 10.1.1.147 -
- [28/Apr/2014 12:53:57] "GET /v2.0/users HTTP/1.1" 404 228 0.008255
It explicitly states 'roles': [u'_member_', u'admin'] so I figure it
dhould work? Anyone seen anything like this before? Maybe I made a
typo somewhere?
My keystone policy.json file is un-tampered with and contains the
default settings:
{
"admin_required": "role:admin or is_admin:1",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s",
"admin_or_owner": "rule:admin_required or rule:owner",
"default": "rule:admin_required",
"identity:get_region": "",
"identity:list_regions": "",
"identity:create_region": "rule:admin_required",
"identity:update_region": "rule:admin_required",
"identity:delete_region": "rule:admin_required",
"identity:get_service": "rule:admin_required",
"identity:list_services": "rule:admin_required",
"identity:create_service": "rule:admin_required",
"identity:update_service": "rule:admin_required",
"identity:delete_service": "rule:admin_required",
"identity:get_endpoint": "rule:admin_required",
"identity:list_endpoints": "rule:admin_required",
"identity:create_endpoint": "rule:admin_required",
"identity:update_endpoint": "rule:admin_required",
"identity:delete_endpoint": "rule:admin_required",
"identity:get_domain": "rule:admin_required",
"identity:list_domains": "rule:admin_required",
"identity:create_domain": "rule:admin_required",
"identity:update_domain": "rule:admin_required",
"identity:delete_domain": "rule:admin_required",
"identity:get_project": "rule:admin_required",
"identity:list_projects": "rule:admin_required",
"identity:list_user_projects": "rule:admin_or_owner",
"identity:create_project": "rule:admin_required",
"identity:update_project": "rule:admin_required",
"identity:delete_project": "rule:admin_required",
"identity:get_user": "rule:admin_required",
"identity:list_users": "rule:admin_required",
"identity:create_user": "rule:admin_required",
"identity:update_user": "rule:admin_required",
"identity:delete_user": "rule:admin_required",
"identity:change_password": "rule:admin_or_owner",
"identity:get_group": "rule:admin_required",
"identity:list_groups": "rule:admin_required",
"identity:list_groups_for_user": "rule:admin_or_owner",
"identity:create_group": "rule:admin_required",
"identity:update_group": "rule:admin_required",
"identity:delete_group": "rule:admin_required",
"identity:list_users_in_group": "rule:admin_required",
"identity:remove_user_from_group": "rule:admin_required",
"identity:check_user_in_group": "rule:admin_required",
"identity:add_user_to_group": "rule:admin_required",
"identity:get_credential": "rule:admin_required",
"identity:list_credentials": "rule:admin_required",
"identity:create_credential": "rule:admin_required",
"identity:update_credential": "rule:admin_required",
"identity:delete_credential": "rule:admin_required",
"identity:ec2_get_credential": "rule:admin_or_owner",
"identity:ec2_list_credentials": "rule:admin_or_owner",
"identity:ec2_create_credential": "rule:admin_or_owner",
"identity:ec2_delete_credential": "rule:admin_required or
(rule:owner and user_id:%(target.credential.user_id)s)",
"identity:get_role": "rule:admin_required",
"identity:list_roles": "rule:admin_required",
"identity:create_role": "rule:admin_required",
"identity:update_role": "rule:admin_required",
"identity:delete_role": "rule:admin_required",
"identity:check_grant": "rule:admin_required",
"identity:list_grants": "rule:admin_required",
"identity:create_grant": "rule:admin_required",
"identity:revoke_grant": "rule:admin_required",
"identity:list_role_assignments": "rule:admin_required",
"identity:get_policy": "rule:admin_required",
"identity:list_policies": "rule:admin_required",
"identity:create_policy": "rule:admin_required",
"identity:update_policy": "rule:admin_required",
"identity:delete_policy": "rule:admin_required",
"identity:check_token": "rule:admin_required",
"identity:validate_token": "rule:service_or_admin",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revocation_list": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_owner",
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
"identity:get_trust": "rule:admin_or_owner",
"identity:list_trusts": "",
"identity:list_roles_for_trust": "",
"identity:check_role_for_trust": "",
"identity:get_role_for_trust": "",
"identity:delete_trust": "",
"identity:create_consumer": "rule:admin_required",
"identity:get_consumer": "rule:admin_required",
"identity:list_consumers": "rule:admin_required",
"identity:delete_consumer": "rule:admin_required",
"identity:update_consumer": "rule:admin_required",
"identity:authorize_request_token": "rule:admin_required",
"identity:list_access_token_roles": "rule:admin_required",
"identity:get_access_token_role": "rule:admin_required",
"identity:list_access_tokens": "rule:admin_required",
"identity:get_access_token": "rule:admin_required",
"identity:delete_access_token": "rule:admin_required",
"identity:list_projects_for_endpoint": "rule:admin_required",
"identity:add_endpoint_to_project": "rule:admin_required",
"identity:check_endpoint_in_project": "rule:admin_required",
"identity:list_endpoints_for_project": "rule:admin_required",
"identity:remove_endpoint_from_project": "rule:admin_required",
"identity:create_identity_provider": "rule:admin_required",
"identity:list_identity_providers": "rule:admin_required",
"identity:get_identity_providers": "rule:admin_required",
"identity:update_identity_provider": "rule:admin_required",
"identity:delete_identity_provider": "rule:admin_required",
"identity:create_protocol": "rule:admin_required",
"identity:update_protocol": "rule:admin_required",
"identity:get_protocol": "rule:admin_required",
"identity:list_protocols": "rule:admin_required",
"identity:delete_protocol": "rule:admin_required",
"identity:create_mapping": "rule:admin_required",
"identity:get_mapping": "rule:admin_required",
"identity:list_mappings": "rule:admin_required",
"identity:delete_mapping": "rule:admin_required",
"identity:update_mapping": "rule:admin_required",
"identity:list_projects_for_groups": "",
"identity:list_domains_for_groups": "",
"identity:list_revoke_events": ""
}
Can anyone see my mistake? Maybe I encountered a bug??
Thanks for any idea!!!
cheers,
-erich
More information about the Openstack
mailing list