[Openstack] Keystone admin user not really "admin"

Damon Wang damon.devops at gmail.com
Wed Apr 30 00:57:00 UTC 2014


Hi Erich,

I agree to stevemar that you need to grant the admin user the admin role on
the other projects, but admin it will be ok to do "user-list" under admin
tenant.

What if you run "keystone user-role-add --user=admin --tenant=admin
--role=admin"? Is it "exceptions must be old-style classes or derived from
BaseException, not NoneType (HTTP 400)"?

Damon



2014-04-29 4:57 GMT+08:00 Steve Martinelli <stevemar at ca.ibm.com>:

> Hey Erich,
>
> Did you grant the admin user the admin role on the other projects?
> i.e. `$ keystone user-role-add --user admin --role admin --tenant cbse`
>
> You can try adding --debug to keystone tenant-list, and see if the output
> is a bit more helpful.
> `$ keystone --debug tenant-list`
>
> Can you double check that the OS_SERVICE_TOKEN is removed from your
> environment?
> `$ env | grep OS`
>
> Thanks,
> stevemar
>
>
>
> From:        Erich Weiler <weiler at soe.ucsc.edu>
> To:        openstack <openstack at lists.openstack.org>,
> Date:        04/28/2014 04:14 PM
> Subject:        [Openstack] Keystone admin user not really "admin"
> ------------------------------
>
>
>
> Hi Y'all,
>
> I'm having this very odd problem with the keystone "admin" user, under
> Icehouse, for my internal proof-of-concept openstack cluster.
>
> I created an "admin" user and an "admin" tenant, then assigned the roles
> as such (these commands run with the admin OS_SERVICE_TOKEN):
>
> keystone tenant-list
> WARNING: Bypassing authentication using a token & endpoint
> (authentication credentials are being ignored).
> +----------------------------------+---------+---------+
> |                id                |   name  | enabled |
> +----------------------------------+---------+---------+
> | 5927cd6622ed4a7ab11516927f4181e5 |  admin  |   True  |
> | 7c1980078e044cb08250f628cbe73d29 |   cbse  |   True  |
> | 97c559c870b64f24b43e246a523a331d | service |   True  |
> +----------------------------------+---------+---------+
>
> keystone user-get admin
> WARNING: Bypassing authentication using a token & endpoint
> (authentication credentials are being ignored).
> +----------+----------------------------------+
> | Property |              Value               |
> +----------+----------------------------------+
> |  email   |    cluster-admin at soe.ucsc.edu    |
> | enabled  |               True               |
> |    id    | 99b501f662704849852514a853ab55ca |
> |   name   |              admin               |
> | username |              admin               |
> +----------+----------------------------------+
>
> keystone user-role-list --user admin --tenant admin
> WARNING: Bypassing authentication using a token & endpoint
> (authentication credentials are being ignored).
>
> +----------------------------------+----------+----------------------------------+----------------------------------+
> |                id                |   name   |             user_id
>          |            tenant_id             |
>
> +----------------------------------+----------+----------------------------------+----------------------------------+
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
> 99b501f662704849852514a853ab55ca | 5927cd6622ed4a7ab11516927f4181e5 |
> | eb2badd0ce364882bf0ecedcaf51ec9f |  admin   |
> 99b501f662704849852514a853ab55ca | 5927cd6622ed4a7ab11516927f4181e5 |
>
> +----------------------------------+----------+----------------------------------+----------------------------------+
>
> However, when I remove the OS_SERVICE_TOKEN from my ENV variables and
> re-login, just using the following:
>
> export OS_USERNAME=admin
> export OS_PASSWORD=xxxxxx
> export OS_TENANT_NAME=admin
> export OS_AUTH_URL=http://myserver.local:35357/v2.0
>
> I seem to authenticate OK, but I can't seem to do "admin" like things.
> When I was experimenting with Icehouse RC1 this worked just fine, but
> now it doesn't work.  Like, I try this:
>
> # keystone user-list
> The resource could not be found. (HTTP 404)
>
> keystone tenant-list
> +----------------------------------+-------+---------+
> |                id                |  name | enabled |
> +----------------------------------+-------+---------+
> | 5927cd6622ed4a7ab11516927f4181e5 | admin |   True  |
> +----------------------------------+-------+---------+
>
>
> Even though there are more tenants than just that one tenant, as shown
> above.  It almost seems the like "admin" user here is "just another
> user", one without admin rights.
>
> I looked in the keystone logs when trying the last "keystone user-list"
> command and saw this:
>
> 2014-04-28 12:53:56.891 17613 DEBUG keystone.middleware.core [-] Auth
> token not in the request header. Will not build auth context.
> process_request
> /usr/lib/python2.6/site-packages/keystone/middleware/core.py:271
> 2014-04-28 12:53:56.893 17613 DEBUG keystone.common.wsgi [-] arg_dict:
> {} __call__ /usr/lib/python2.6/site-packages/keystone/common/wsgi.py:181
> 2014-04-28 12:53:56.899 17613 DEBUG keystone.notifications [-] CADF
> Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event',
> 'initiator': {'typeURI': 'service/security/account/user', 'host':
> {'agent': 'python-keystoneclient', 'address': '10.1.1.147'}, 'id':
> 'openstack:46f88e47-8dc5-4761-adb3-d5ac1c104ed2', 'name':
> u'99b501f662704849852514a853ab55ca'}, 'target': {'typeURI':
> 'service/security/account/user', 'id':
> 'openstack:c3e6a002-f10f-4323-9da4-0c5c91f278f3'}, 'observer':
> {'typeURI': 'service/security', 'id':
> 'openstack:3cbbc605-427e-433e-b329-d9e6d4b5c16e'}, 'eventType':
> 'activity', 'eventTime': '2014-04-28T19:53:56.898906+0000', 'action':
> 'authenticate', 'outcome': 'pending', 'id':
> 'openstack:8f9605fe-9498-4d37-9024-d13767af8382'}
> _send_audit_notification
> /usr/lib/python2.6/site-packages/keystone/notifications.py:289
> 2014-04-28 12:53:56.948 17613 DEBUG keystone.notifications [-] CADF
> Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event',
> 'initiator': {'typeURI': 'service/security/account/user', 'host':
> {'agent': 'python-keystoneclient', 'address': '10.1.1.147'}, 'id':
> 'openstack:46f88e47-8dc5-4761-adb3-d5ac1c104ed2', 'name':
> u'99b501f662704849852514a853ab55ca'}, 'target': {'typeURI':
> 'service/security/account/user', 'id':
> 'openstack:6955d3f0-41da-49c0-9f1b-025d60195a5f'}, 'observer':
> {'typeURI': 'service/security', 'id':
> 'openstack:07ce1f0d-cd8d-495e-9e93-5a60dd0abb33'}, 'eventType':
> 'activity', 'eventTime': '2014-04-28T19:53:56.947942+0000', 'action':
> 'authenticate', 'outcome': 'success', 'id':
> 'openstack:b8335d16-2f9a-42bf-bfb8-071c07d4206d'}
> _send_audit_notification
> /usr/lib/python2.6/site-packages/keystone/notifications.py:289
> 2014-04-28 12:53:57.002 17613 INFO eventlet.wsgi.server [-] 10.1.1.147 -
> - [28/Apr/2014 12:53:57] "POST /v2.0/tokens HTTP/1.1" 200 6397 0.111563
> 2014-04-28 12:53:57.020 17613 DEBUG keystone.middleware.core [-] RBAC:
> auth_context: {'project_id': u'5927cd6622ed4a7ab11516927f4181e5',
> 'user_id': u'99b501f662704849852514a853ab55ca', 'roles': [u'_member_',
> u'admin']} process_request
> /usr/lib/python2.6/site-packages/keystone/middleware/core.py:281
> 2014-04-28 12:53:57.023 17613 INFO eventlet.wsgi.server [-] 10.1.1.147 -
> - [28/Apr/2014 12:53:57] "GET /v2.0/users HTTP/1.1" 404 228 0.008255
>
> It explicitly states 'roles': [u'_member_', u'admin'] so I figure it
> dhould work?  Anyone seen anything like this before?  Maybe I made a
> typo somewhere?
>
> My keystone policy.json file is un-tampered with and contains the
> default settings:
>
> {
>     "admin_required": "role:admin or is_admin:1",
>     "service_role": "role:service",
>     "service_or_admin": "rule:admin_required or rule:service_role",
>     "owner" : "user_id:%(user_id)s",
>     "admin_or_owner": "rule:admin_required or rule:owner",
>
>     "default": "rule:admin_required",
>
>     "identity:get_region": "",
>     "identity:list_regions": "",
>     "identity:create_region": "rule:admin_required",
>     "identity:update_region": "rule:admin_required",
>     "identity:delete_region": "rule:admin_required",
>
>     "identity:get_service": "rule:admin_required",
>     "identity:list_services": "rule:admin_required",
>     "identity:create_service": "rule:admin_required",
>     "identity:update_service": "rule:admin_required",
>     "identity:delete_service": "rule:admin_required",
>
>     "identity:get_endpoint": "rule:admin_required",
>     "identity:list_endpoints": "rule:admin_required",
>     "identity:create_endpoint": "rule:admin_required",
>     "identity:update_endpoint": "rule:admin_required",
>     "identity:delete_endpoint": "rule:admin_required",
>
>     "identity:get_domain": "rule:admin_required",
>     "identity:list_domains": "rule:admin_required",
>     "identity:create_domain": "rule:admin_required",
>     "identity:update_domain": "rule:admin_required",
>     "identity:delete_domain": "rule:admin_required",
>
>     "identity:get_project": "rule:admin_required",
>     "identity:list_projects": "rule:admin_required",
>     "identity:list_user_projects": "rule:admin_or_owner",
>     "identity:create_project": "rule:admin_required",
>     "identity:update_project": "rule:admin_required",
>     "identity:delete_project": "rule:admin_required",
>
>     "identity:get_user": "rule:admin_required",
>     "identity:list_users": "rule:admin_required",
>     "identity:create_user": "rule:admin_required",
>     "identity:update_user": "rule:admin_required",
>     "identity:delete_user": "rule:admin_required",
>     "identity:change_password": "rule:admin_or_owner",
>
>     "identity:get_group": "rule:admin_required",
>     "identity:list_groups": "rule:admin_required",
>     "identity:list_groups_for_user": "rule:admin_or_owner",
>     "identity:create_group": "rule:admin_required",
>     "identity:update_group": "rule:admin_required",
>     "identity:delete_group": "rule:admin_required",
>     "identity:list_users_in_group": "rule:admin_required",
>     "identity:remove_user_from_group": "rule:admin_required",
>     "identity:check_user_in_group": "rule:admin_required",
>     "identity:add_user_to_group": "rule:admin_required",
>
>     "identity:get_credential": "rule:admin_required",
>     "identity:list_credentials": "rule:admin_required",
>     "identity:create_credential": "rule:admin_required",
>     "identity:update_credential": "rule:admin_required",
>     "identity:delete_credential": "rule:admin_required",
>
>     "identity:ec2_get_credential": "rule:admin_or_owner",
>     "identity:ec2_list_credentials": "rule:admin_or_owner",
>     "identity:ec2_create_credential": "rule:admin_or_owner",
>     "identity:ec2_delete_credential": "rule:admin_required or
> (rule:owner and user_id:%(target.credential.user_id)s)",
>
>     "identity:get_role": "rule:admin_required",
>     "identity:list_roles": "rule:admin_required",
>     "identity:create_role": "rule:admin_required",
>     "identity:update_role": "rule:admin_required",
>     "identity:delete_role": "rule:admin_required",
>
>     "identity:check_grant": "rule:admin_required",
>     "identity:list_grants": "rule:admin_required",
>     "identity:create_grant": "rule:admin_required",
>     "identity:revoke_grant": "rule:admin_required",
>
>     "identity:list_role_assignments": "rule:admin_required",
>
>     "identity:get_policy": "rule:admin_required",
>     "identity:list_policies": "rule:admin_required",
>     "identity:create_policy": "rule:admin_required",
>     "identity:update_policy": "rule:admin_required",
>     "identity:delete_policy": "rule:admin_required",
>
>     "identity:check_token": "rule:admin_required",
>     "identity:validate_token": "rule:service_or_admin",
>     "identity:validate_token_head": "rule:service_or_admin",
>     "identity:revocation_list": "rule:service_or_admin",
>     "identity:revoke_token": "rule:admin_or_owner",
>
>     "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
>     "identity:get_trust": "rule:admin_or_owner",
>     "identity:list_trusts": "",
>     "identity:list_roles_for_trust": "",
>     "identity:check_role_for_trust": "",
>     "identity:get_role_for_trust": "",
>     "identity:delete_trust": "",
>
>     "identity:create_consumer": "rule:admin_required",
>     "identity:get_consumer": "rule:admin_required",
>     "identity:list_consumers": "rule:admin_required",
>     "identity:delete_consumer": "rule:admin_required",
>     "identity:update_consumer": "rule:admin_required",
>
>     "identity:authorize_request_token": "rule:admin_required",
>     "identity:list_access_token_roles": "rule:admin_required",
>     "identity:get_access_token_role": "rule:admin_required",
>     "identity:list_access_tokens": "rule:admin_required",
>     "identity:get_access_token": "rule:admin_required",
>     "identity:delete_access_token": "rule:admin_required",
>
>     "identity:list_projects_for_endpoint": "rule:admin_required",
>     "identity:add_endpoint_to_project": "rule:admin_required",
>     "identity:check_endpoint_in_project": "rule:admin_required",
>     "identity:list_endpoints_for_project": "rule:admin_required",
>     "identity:remove_endpoint_from_project": "rule:admin_required",
>
>     "identity:create_identity_provider": "rule:admin_required",
>     "identity:list_identity_providers": "rule:admin_required",
>     "identity:get_identity_providers": "rule:admin_required",
>     "identity:update_identity_provider": "rule:admin_required",
>     "identity:delete_identity_provider": "rule:admin_required",
>
>     "identity:create_protocol": "rule:admin_required",
>     "identity:update_protocol": "rule:admin_required",
>     "identity:get_protocol": "rule:admin_required",
>     "identity:list_protocols": "rule:admin_required",
>     "identity:delete_protocol": "rule:admin_required",
>
>     "identity:create_mapping": "rule:admin_required",
>     "identity:get_mapping": "rule:admin_required",
>     "identity:list_mappings": "rule:admin_required",
>     "identity:delete_mapping": "rule:admin_required",
>     "identity:update_mapping": "rule:admin_required",
>
>     "identity:list_projects_for_groups": "",
>     "identity:list_domains_for_groups": "",
>
>     "identity:list_revoke_events": ""
> }
>
> Can anyone see my mistake?  Maybe I encountered a bug??
>
> Thanks for any idea!!!
>
> cheers,
> -erich
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140430/70ba9864/attachment.html>


More information about the Openstack mailing list