Important information in error log : ) I find you use keystone-hybrid-backend, please according to the error log, check the code, Or change the github lastest code, try again, https://github.com/SUSE-Cloud/keystone-hybrid-backend
-----邮件原件----- 发件人: James [mailto:[email protected]] 发送时间: 2013年10月17日 6:29 收件人: Chenrui (A) 抄送: [email protected] 主题: Re: 答复: 答复: [Openstack] keystone client issues Thanks again for response. Regarding (a), keystone user-list was precisely what I needed. Thanks! Regarding (b), I started poking around some more to see if I could uncover some more information. Here's what I found: (i) First, we'll get a list of tenants and grep for the lab I'm working on: ~ % keystone tenant-list | grep -i test-lab-04 | 018372ce3a80b47e6bead07576c12de3 | test-lab-04 | True | Works great, as expected. (ii) Let's say I want to get a list of users that belong to the test-lab-04 project. I'll use the user-list argument, as you (very helpfully) pointed out. ~ % keystone user-list --tenant test-lab-04 +----------------------------------+--------------+---------+--------------------+ | id | name | enabled | email | +----------------------------------+--------------+---------+--------------------+ | 32aa730f6ff44123bd672604bebcabcd | automate | True | | | 08fda18ab93bedd231ad216d1acabcd | test-user | True | [email protected] | | 23d0a2d141ab44ddabdbc17f0c68abcd | org-training | True | | +----------------------------------+--------------+---------+--------------------+ While this *LOOKS* good, the keystone server spits out in the keystone.log file: 2013-10-16 22:08:44 WARNING [keystone.common.wsgi] Could not find project: test-lab-04 Ermmm...okay? At least it gave me the information I needed. (iii) Let's try to get the role for "test-user" (UUID 08fda18ab93bedd231ad216d1acabcd in the table above). -> CLIENT <- ~ % keystone user-role-list --tenant test-lab-04 --user test-user An unexpected error prevented the server from fulfilling your request. global name 'user_ref' is not defined (HTTP 500) -> SERVER (keystone.log) <- ==> keystone.log <== 2013-10-16 22:15:16 WARNING [keystone.common.wsgi] Could not find project: test-lab-04 2013-10-16 22:15:18 ERROR [root] global name 'user_ref' is not defined Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 236, in __call__ result = method(context, **params) File "/usr/lib/python2.7/dist-packages/keystone/identity/controllers.py", line 167, in get_user ref = self.identity_api.get_user(context, user_id) File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 47, in _wrapper return f(*args, **kw) File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/hybrid.py", line 100, in get_user user_ref = self._get_user(user_id) File "/usr/lib/python2.7/dist-packages/keystone/identity/backends/hybrid.py", line 97, in _get_user return self.user.get(user_ref['email']) NameError: global name 'user_ref' is not defined ... I tested this same sequence of command from an Ubuntu box (and the keystone client that comes with it) -- no issues. In fact, even when executing (ii) above, where only the tenant was passed in, the command executed without any errors / logs on the keystone server. I'm inclined to believe that the keystone client on OS X is hosed somehow. I installed the client via "pip install python-keystoneclient" -- no issues there. I just upgraded to 0.4.1 and the problem still exists. Has anyone seen this before? Thanks! On Tue, Oct 15, 2013 at 11:45 PM, Chenrui (A) <[email protected]> wrote: > My keystoneclient version is 0.3.2 > > (a) > If you want get all users in a tenant, please try 'keystone user-list > --tenant-id xxxxx' > If you want get all roles of all users in a tenant, you need to get all users > in a tenant first, then use 'keystone user-role-list' to get each user's > roles and get them together > > (b) > I check keystoneclient user-role-list code in github master branch > Keystoneclient will try to use User-name and tenant-name to get user and > tenant, if can't find (404), then get all tenants and users, pick out result > with same name, > I think the problem occurs in the event of 500 responses, can you paste some > keystone error log ? maybe change other user-name try again > > # now try the entity as a string > try: > return manager.get(name_or_id) > except (exceptions.NotFound): > pass > > # finally try to find entity by name > try: > if isinstance(name_or_id, str): > name_or_id = name_or_id.decode('utf-8', 'strict') > return manager.find(name=name_or_id) > > > -----邮件原件----- > 发件人: James [mailto:[email protected]] > 发送时间: 2013年10月16日 1:29 > 收件人: Chenrui (A) > 抄送: [email protected] > 主题: Re: 答复: [Openstack] keystone client issues > > Thanks for the reply. Answers in-line. > > On Mon, Oct 14, 2013 at 10:53 PM, Chenrui (A) <[email protected]> > wrote: >> What is the version of your keystone? >> My version is 2013.2~rc1-0ubuntu1~cloud0 > > > v0.4.0 on this end. > > >> I run same case on my host, (a) were encountered, but (b) not >> I try to run command with --debug, find user-role-list will use the >> authenticated user id as a default user-id, >> Please check whether your authenticated user had roles in the tenant >> So I think (a) is default behavior, is not a bug :) >> >> (a) >> root@ubuntu-02:~# keystone user-role-list --tenant-id >> d5e7a29a420949d3a7ef1c0513c5477a >> >> root@ubuntu-02:~# keystone user-role-list --tenant-id >> d5e7a29a420949d3a7ef1c0513c5477a --user-id 63e367c0374e48a59e0e69f763590a35 >> +----------------------------------+----------+----------------------------------+----------------------------------+ >> | id | name | user_id >> | tenant_id | >> +----------------------------------+----------+----------------------------------+----------------------------------+ >> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | >> 63e367c0374e48a59e0e69f763590a35 | d5e7a29a420949d3a7ef1c0513c5477a | >> +----------------------------------+----------+----------------------------------+----------------------------------+ > > > I was going on the assumption that without the --user-id, keystone > would return a list of all users in the project. If this is proper > behavior, then what is the best way to get a list of all users in a > tenant / project? > > >> (b) >> root@ubuntu-02:~# keystone user-role-list --tenant service --user cinder >> +----------------------------------+--------+----------------------------------+----------------------------------+ >> | id | name | user_id >> | tenant_id | >> +----------------------------------+--------+----------------------------------+----------------------------------+ >> | c4327e8913ca41b59f61bd5f58d8e420 | Member | >> 89b87b9b584b40a09aae9d9283992444 | d5e7a29a420949d3a7ef1c0513c5477a | >> | 6d740d49f4424501a83439dcbd03e027 | admin | >> 89b87b9b584b40a09aae9d9283992444 | d5e7a29a420949d3a7ef1c0513c5477a | >> +----------------------------------+--------+----------------------------------+----------------------------------+ > > > This one is also interesting -- I know it *should* work (I've seen > some of my colleagues do this on their systems), but it doesn't work > here. Here's what the debug output shows (truncated for brevity and > security): > > > -->8-- > > ~ % keystone --debug user-role-list --tenant train-lab-04 --user > <some_username> > REQ: curl -i -X POST http://10.96.201.187:35357/v2.0/tokens -H > "Content-Type: application/json" -H "User-Agent: > python-keystoneclient" > REQ BODY: {"auth": {"tenantName": "<blah>", "passwordCredentials": > {"username": "admin", "password": "SOMEPASSWORD"}}} > > RESP: [200] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:07 > GMT', 'vary': 'X-Auth-Token', 'content-length': '2416', > 'content-type': 'application/json'}) > RESP BODY: {"access": {"token": {"issued_at": > "2013-10-15T17:08:06.805770", "expires": "2013-10-16T17:08:06Z", "id": > "fb76306e38a64c55b9ce46ae2029abcd", "tenant": {"description": "Default > Tenant - Admin", "enabled": true, "id": > "fc9ba4c1d32d48679b5c3e9b2c00abcd", "name": "<blah>"}}, > "serviceCatalog": [{"endpoints": [{"adminURL": > "http://10.96.201.185:8774/v2/fc9ba4c1d32d48679b5c3e9b2c00abcd";, > "region": "PA", "internalURL": > "http://10.96.201.185:8774/v2/fc9ba4c1d32d48679b5c3e9b2c00abcd";, "id": > "280c800402da47d393e4e0890a5abcde", "publicURL": > "http://10.96.201.185:8774/v2/fc9ba4c1d32d48679b5c3e9b2c00abcd"}], > "endpoints_links": [], "type": "compute", "name": "nova"}, > {"endpoints": [{"adminURL": "http://10.96.201.188:9696";, "region": > "PA", "internalURL": "http://10.96.201.188:9696";, "id": > "fc9ba4c1d32d48679b5c3e9b2c00abcd", "publicURL": > "http://10.96.201.188:9696"}], "endpoints_links": [], "type": > "network", "name": "quantum"}, {"endpoints": [{"adminURL": > "http://10.96.201.185:9292";, "region": "PA", "internalURL": > "http://10.96.201.185:9292";, "id": "be1d2f2449ac448299c1258913babcde", > "publicURL": "http://10.96.201.185:9292"}], "endpoints_links": [], > "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": > "http://10.96.201.190:8776/v1/fc9ba4c1d32d48679b5c3e9b2c00abcd";, > "region": "PA", "internalURL": > "http://10.96.201.190:8776/v1/fc9ba4c1d32d48679b5c3e9b2c00abcd";, "id": > "9ae35a87f24040038851ce9c9eabcde", "publicURL": > "http://10.96.201.190:8776/v1/fc9ba4c1d32d48679b5c3e9b2cabcde"}], > "endpoints_links": [], "type": "volume", "name": "cinder"}, > {"endpoints": [{"adminURL": "http://10.96.201.185:8773/service/Cloud";, > "region": "PA", "internalURL": > "http://10.96.201.185:8773/service/Cloud";, "id": > "0ae37a0217d6445e8adbb5ce08abcde", "publicURL": > "http://10.96.201.185:8773/service/Cloud"}], "endpoints_links": [], > "type": "ec2", "name": "ec2"}, {"endpoints": [{"adminURL": > "http://10.96.201.187:35357/v2.0";, "region": "PA", "internalURL": > "http://10.96.201.187:5000/v2.0";, "id": > "37b3aa6fade24ced8d6dae8fdaabcdef", "publicURL": > "http://10.96.201.187:5000/v2.0"}], "endpoints_links": [], "type": > "identity", "name": "keystone"}], "user": {"username": "admin", > "roles_links": [], "id": "5e363b8f0665443d89ca9d9787aabcde", "roles": > [{"name": "admin"}, {"name": "_member_"}], "name": "admin"}, > "metadata": {"is_admin": 0, "roles": > ["b04ac30a90f64c3692d54c73e92abcd", > "9fe2ff9ee4384b1894a90878d3e9abcd"]}}} > > REQ: curl -i -X GET > http://10.96.201.187:35357/v2.0/tenants/train-lab-04 -H "User-Agent: > python-keystoneclient" -H "X-Auth-Token: > fb76306e38a64c55b9ce46ae2029abcd" > RESP: [404] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:07 > GMT', 'vary': 'X-Auth-Token', 'content-length': '97', 'content-type': > 'application/json'}) > RESP BODY: {"error": {"message": "Could not find project: > train-lab-04", "code": 404, "title": "Not Found"}} > > Request returned failure status: 404 > REQ: curl -i -X GET http://10.96.201.187:35357/v2.0/tenants -H > "User-Agent: python-keystoneclient" -H "X-Auth-Token: > fb76306e38a64c55b9ce46ae2029abcd" > RESP: [200] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:08 > GMT', 'vary': 'X-Auth-Token', 'content-length': '65744', > 'content-type': 'application/json'}) > RESP BODY: {"tenants_links": [], "tenants": [<blah blah > blah>{"description": "Training Lab", "enabled": true, "id": > "19371ce3a80b47e6bc31d7576c912de3", "name": "train-lab-04"}, <blah > blah blah>]} <-- note that train-lab-04 is listed here! > > REQ: curl -i -X GET > http://10.96.201.187:35357/v2.0/users/<some_username> -H "User-Agent: > python-keystoneclient" -H "X-Auth-Token: > fb76306e38a64c55b9ce46ae2029abcd" > RESP: [500] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:09 > GMT', 'vary': 'X-Auth-Token', 'content-length': '181', 'content-type': > 'application/json'}) > RESP BODY: {"error": {"message": "An unexpected error prevented the > server from fulfilling your request. global name 'user_ref' is not > defined", "code": 500, "title": "Internal Server Error"}} > > Request returned failure status: 500 > An unexpected error prevented the server from fulfilling your request. > global name 'user_ref' is not defined (HTTP 500) > > --8<-- > > > Here you can see that I'm logging in as admin (so I *should* be able > to see all tenants and users, no?), and that the server returns a 404. > In the tenant_links response, however you can clearly see > train-lab-04. As I mentioned in my first post, however, if i search > using the UUID of the tenant and the user, however, things work > without any hiccups. Any ideas why? > > Thanks! > > >> -----邮件原件----- >> 发件人: James [mailto:[email protected]] >> 发送时间: 2013年10月15日 4:43 >> 收件人: [email protected] >> 主题: [Openstack] keystone client issues >> >> All, >> >> Hoping someone can point me in the right direction with two questions I have. >> >> >> (a) Getting Roles from Tenant >> I'm trying to get list of *all users* that are part of a project, as follows: >> >> % keystone tenant-list | grep -i test-lab >> | 19371ce3a80b47e6bc31d7576c912de3 | train-lab-04 >> | True | >> >> % keystone user-role-list --tenant-id 19371ce3a80b47e6bc31d7576c912ce3 >> <-- empty response >> >> % keystone user-role-list --tenant-id 19371ce3a80b47e6bc31d7576c912de3 >> --user-id 08fda199e7e34348ab2d216d1ac18f9a >> +----------------------------------+--------+----------------------------------+----------------------------------+ >> | id | name | user_id >> | tenant_id | >> +----------------------------------+--------+----------------------------------+----------------------------------+ >> | bff399d92fa74d2e81ffdebb9cd4cc11 | member | >> 08fda199e7e34348ab2d216d1ac18f9a | 19371ce3a80b47e6bc31d7576c912ce3 | >> +----------------------------------+--------+----------------------------------+----------------------------------+ >> >> Is this a bug, or is there a way to get a list of all users that are >> members of a tenant? Seems like the user-role-list command should >> execute without a user-id being passed in. >> >> >> (b) Using Non-UUID Values >> I've seen some folks use usernames instead of UUIDs like this: >> >> keystone user-role-list --tenant <blah> --user <blah2> >> >> When I attempt do to this, I get the following error: >> >> An unexpected error prevented the server from fulfilling your request. >> global name 'user_ref' is not defined (HTTP 500) >> >> Is there something that prevents me from using usernames and plain >> tenant names instead of UUIDs, or is this a bug with the client? >> >> >> Thanks! >> >> _______________________________________________ >> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >> Post to : [email protected] >> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : [email protected] Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
