OK, is this a 'role' grant issue?

/ross

On Feb 22, 2012, at 2:52 PM, Lillie Ross-CDSR11 wrote:

I've successfully installed all OpenStack components with Keystone 
authorization (well, mostly at least), but am now seeing an interesting problem 
for new accounts (created in Dashboard).

Using my admin account, I issue a swift stat command and get the expected 
response back from swift-proxy:

root@swift:/etc/swift# swift -v -V 2 -A http://173.23.181.1:5000/v2.0/ -U admin 
-K admin stat
StorageURL: http://173.23.181.2:8080/v1/AUTH_1
Auth Token: 10111213141516171819
   Account: AUTH_1
Containers: 5
   Objects: 20
     Bytes: 6335748
Accept-Ranges: bytes
X-Trans-Id: tx6ffec7207a5c41329e53dbab6a6e2c37

Looking at the keystone admin.log file (with debugging enabled) I see the 
following:

2012-02-22 14:26:38    DEBUG [routes.middleware] Matched POST /tokens
2012-02-22 14:26:38    DEBUG [routes.middleware] Route path: '/tokens', 
defaults: {'action': u'authenticate', 'controller': 
<keystone.controllers.auth.AuthController object at 0x170da10>}
2012-02-22 14:26:38    DEBUG [routes.middleware] Match dict: {'action': 
u'authenticate', 'controller': <keystone.controllers.auth.AuthController object 
at 0x170da10>}
2012-02-22 14:26:38     INFO [sqlalchemy.engine.base.Engine.0x...14d0] SELECT 
tenants.id AS tenants_id, tenants.name AS tenants_name, tenants.`desc` AS 
tenants_desc, tenants.enabled AS tenants_enabled
FROM tenants
WHERE tenants.name = %s
 LIMIT 0, 1
2012-02-22 14:26:38     INFO [sqlalchemy.engine.base.Engine.0x...14d0] 
(u'admin',)
2012-02-22 14:26:38    DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Col 
('tenants_id', 'tenants_name', 'tenants_desc', 'tenants_enabled')
2012-02-22 14:26:38    DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Row (1L, 
'admin', 'All administrative tasks are to be grouped underneath this tenancy.  
Users are not to be associated with this tenant unless they have been granted 
admin roles.', 1L)
2012-02-22 14:26:38     INFO [sqlalchemy.engine.base.Engine.0x...14d0] SELECT 
users.id AS users_id, users.name AS users_name, users.password AS 
users_password, users.email AS users_email, users.enabled AS users_enabled, 
users.tenant_id AS users_tenant_id
FROM users
WHERE users.name = %s
 LIMIT 0, 1
2012-02-22 14:26:38     INFO [sqlalchemy.engine.base.Engine.0x...14d0] 
(u'admin',)
2012-02-22 14:26:38    DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Col 
('users_id', 'users_name', 'users_password', 'users_email', 'users_enabled', 
'users_tenant_id')
2012-02-22 14:26:38    DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Row (1L, 
'admin', 
'$6$rounds=40000$k5f0Zd1lOK3AVXbx$awVYhvdu1CI33hRhugjURheVePZYh60EjWSUa4Zwq0Ha48eNH3SQXSFVQeEYv4ffwUzlRVVkoUbr6C4Ai63WC.',
 None, 1L, 1L)
2012-02-22 14:26:38     INFO [sqlalchemy.engine.base.Engine.0x...14d0] SELECT 
users.id AS users_id, users.name AS users_name, users.password AS 
users_password, users.email AS users_email, users.enabled AS users_enabled, 
users.tenant_id AS users_tenant_id
FROM users
WHERE users.tenant_id = %s AND users.id = %s
 LIMIT 0, 1
2012-02-22 14:26:38     INFO [sqlalchemy.engine.base.Engine.0x...14d0] (1L, 1L)
2012-02-22 14:26:38    DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Col 
('users_id', 'users_name', 'users_password', 'users_email', 'users_enabled', 
'users_tenant_id')
2012-02-22 14:26:38    DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Row (1L, 
'admin', 
'$6$rounds=40000$k5f0Zd1lOK3AVXbx$awVYhvdu1CI33hRhugjURheVePZYh60EjWSUa4Zwq0Ha48eNH3SQXSFVQeEYv4ffwUzlRVVkoUbr6C4Ai63WC.',
 None, 1L, 1L)
2012-02-22 14:26:38 . . .

However, when I issue the same command with a newly created user account I get 
a 401 not authorized command back from swift-proxy.  For example:

root@swift:/etc/swift# swift -v -V 2 -A http://173.23.181.1:5000/v2.0/ -U 
lillie -K changeme stat
Auth GET failed: http://173.23.181.1:5000/v2.0/tokens 401 Unauthorized

and the keystone admin.log file shows the following:

2012-02-22 14:30:40    DEBUG [routes.middleware] Matched POST /tokens
2012-02-22 14:30:40    DEBUG [routes.middleware] Route path: '/tokens', 
defaults: {'action': u'authenticate', 'controller': 
<keystone.controllers.auth.AuthController object at 0x170da10>}
2012-02-22 14:30:40    DEBUG [routes.middleware] Match dict: {'action': 
u'authenticate', 'controller': <keystone.controllers.auth.AuthController object 
at 0x170da10>}
2012-02-22 14:30:40     INFO [sqlalchemy.engine.base.Engine.0x...14d0] SELECT 
tenants.id AS tenants_id, tenants.name AS tenants_name, tenants.`desc` AS 
tenants_desc, tenants.enabled AS tenants_enabled
FROM tenants
WHERE tenants.name = %s
 LIMIT 0, 1
2012-02-22 14:30:40     INFO [sqlalchemy.engine.base.Engine.0x...14d0] 
(u'lillie',)
2012-02-22 14:30:40    DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Col 
('tenants_id', 'tenants_name', 'tenants_desc', 'tenants_enabled')
2012-02-22 14:30:40    DEBUG [eventlet.wsgi.server] 173.23.181.2 - - 
[22/Feb/2012 14:30:40] "POST /v2.0/tokens HTTP/1.1" 401 197 0.004990
2012-02-22 14:30:41    DEBUG [routes.middleware] Matched POST /tokens
2012-02-22 14:30:41    DEBUG [routes.middleware] Route path: '/tokens', 
defaults: {'action': u'authenticate', 'controller': 
<keystone.controllers.auth.AuthController object at 0x170da10>}
2012-02-22 14:30:41    DEBUG [routes.middleware] Match dict: {'action': 
u'authenticate', 'controller': <keystone.controllers.auth.AuthController object 
at 0x170da10>}
2012-02-22 14:30:41     INFO [sqlalchemy.engine.base.Engine.0x...14d0] SELECT 
tenants.id AS tenants_id, tenants.name AS tenants_name, tenants.`desc` AS 
tenants_desc, tenants.enabled AS tenants_enabled
FROM tenants
WHERE tenants.name = %s
 LIMIT 0, 1
2012-02-22 14:30:41     INFO [sqlalchemy.engine.base.Engine.0x...14d0] 
(u'lillie',)
2012-02-22 14:30:41    DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Col 
('tenants_id', 'tenants_name', 'tenants_desc', 'tenants_enabled')
2012-02-22 14:30:41    DEBUG [eventlet.wsgi.server] 173.23.181.2 - - 
[22/Feb/2012 14:30:41] "POST /v2.0/tokens HTTP/1.1" 401 197 0.003403

As seen above, after trying to retrieve the list of tenants for the user, I 
immediately get a 401 error.

The user account is a member of multiple tenants, as is the admin account.  The 
default tenancy for the user (lillie) account is a project within our group.  
The default tenancy for the admin account is the admin account.

Now the interesting part.  I'd previously created an account for the Glance 
image service.  This account authenticates against keystone without problems.  
The default tenancy for this account is the corresponding 'glance' tenant.

Any clues? Thanks and regards,
Ross


_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Reply via email to