[Openstack] Odd Keystone Behaviour

Daniel Ellison daniel at syrinx.net
Thu Feb 6 16:31:18 UTC 2014


On Feb 6, 2014, at 11:09 AM, Craig Jellick <cjellick at godaddy.com> wrote:
> If you're using the default policy.json file, this seems to be the
> expected behavior.
> The "list_user_projects" method has an access rule of "admin_or_owner".
> All the other calls you mentioned have a rule of "admin_required".
> 
> So, I'd say that most likely the user you are using does not have the role
> "admin".

With existing user admin, tenant admin and role admin I did:

    keystone user-role-add --user admin --tenant admin --role admin

That gave me:

    Conflict occurred attempting to store role grant. User 924e2b3616ce40e8a106bef08d82797d already has role e1d521ddd91a412dab3a33d5a9dbd078 in tenant fafeaebb000b4232b31b7be9030d25f7 (HTTP 409)

I checked the IDs and they all match the corresponding names. So it seems user admin has role admin in tenant admin.

Also, these are the variables which are set on login:

    export OS_USERNAME=admin
    export OS_TENANT_NAME=admin
    export OS_PASSWORD=<password>
    export OS_AUTH_URL=http://<my-ip>:5000/v2.0/

+Dan
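
The rule evaluation described in the quoted reply, as an added example that is not part of the original message and is not Keystone's own code: a minimal evaluator showing why a token without the "admin" role passes "admin_or_owner" for its own user but fails "admin_required". The rule bodies, the "identity:list_users" stand-in for "the other calls", and all IDs are assumptions constructed for illustration.

```python
# Added illustration, not Keystone's policy engine.
# Rule names come from the thread; rule bodies are assumed for the example.
POLICY = {
    "admin_required": "role:admin",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:list_user_projects": "rule:admin_or_owner",
    "identity:list_users": "rule:admin_required",  # assumed stand-in call
}


def check(rule, creds, target, policy=POLICY):
    """Return True if any 'or'-separated term of the named rule passes."""
    for term in policy[rule].split(" or "):
        kind, _, match = term.partition(":")
        if kind == "rule":
            # Reference to another named rule: evaluate it recursively.
            if check(match, creds, target, policy):
                return True
        elif kind == "role":
            # Role check: the role name must be among the token's roles.
            if match in creds.get("roles", []):
                return True
        else:
            # Generic check: credential attribute must equal the target value.
            try:
                expected = match % target
            except KeyError:
                continue  # target lacks the attribute, so the term fails
            if str(creds.get(kind)) == expected:
                return True
    return False


# Constructed credentials, as they would be derived from a validated token.
MEMBER = {"user_id": "u-123", "roles": ["_member_"]}
ADMIN = {"user_id": "u-999", "roles": ["admin"]}

if __name__ == "__main__":
    own = {"user_id": "u-123"}
    for name, creds in (("member", MEMBER), ("admin", ADMIN)):
        for action in ("identity:list_user_projects", "identity:list_users"):
            print(name, action, check(action, creds, own))
```

When a role grant exists but calls still fail, compare the roles actually carried by the token in use against the rule, since the policy is evaluated on token contents rather than on the grant table.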


