Hi Erich, I agree to stevemar that you need to grant the admin user the admin role on the other projects, but admin it will be ok to do "user-list" under admin tenant.
What if you run "keystone user-role-add --user=admin --tenant=admin --role=admin"? Is it "exceptions must be old-style classes or derived from BaseException, not NoneType (HTTP 400)"? Damon 2014-04-29 4:57 GMT+08:00 Steve Martinelli <[email protected]>: > Hey Erich, > > Did you grant the admin user the admin role on the other projects? > i.e. `$ keystone user-role-add --user admin --role admin --tenant cbse` > > You can try adding --debug to keystone tenant-list, and see if the output > is a bit more helpful. > `$ keystone --debug tenant-list` > > Can you double check that the OS_SERVICE_TOKEN is removed from your > environment? > `$ env | grep OS` > > Thanks, > stevemar > > > > From: Erich Weiler <[email protected]> > To: openstack <[email protected]>, > Date: 04/28/2014 04:14 PM > Subject: [Openstack] Keystone admin user not really "admin" > ------------------------------ > > > > Hi Y'all, > > I'm having this very odd problem with the keystone "admin" user, under > Icehouse, for my internal proof-of-concept openstack cluster. > > I created an "admin" user and an "admin" tenant, then assigned the roles > as such (these commands run with the admin OS_SERVICE_TOKEN): > > keystone tenant-list > WARNING: Bypassing authentication using a token & endpoint > (authentication credentials are being ignored). > +----------------------------------+---------+---------+ > | id | name | enabled | > +----------------------------------+---------+---------+ > | 5927cd6622ed4a7ab11516927f4181e5 | admin | True | > | 7c1980078e044cb08250f628cbe73d29 | cbse | True | > | 97c559c870b64f24b43e246a523a331d | service | True | > +----------------------------------+---------+---------+ > > keystone user-get admin > WARNING: Bypassing authentication using a token & endpoint > (authentication credentials are being ignored). > +----------+----------------------------------+ > | Property | Value | > +----------+----------------------------------+ > | email | [email protected] | > | enabled | True | > | id | 99b501f662704849852514a853ab55ca | > | name | admin | > | username | admin | > +----------+----------------------------------+ > > keystone user-role-list --user admin --tenant admin > WARNING: Bypassing authentication using a token & endpoint > (authentication credentials are being ignored). > > +----------------------------------+----------+----------------------------------+----------------------------------+ > | id | name | user_id > | tenant_id | > > +----------------------------------+----------+----------------------------------+----------------------------------+ > | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | > 99b501f662704849852514a853ab55ca | 5927cd6622ed4a7ab11516927f4181e5 | > | eb2badd0ce364882bf0ecedcaf51ec9f | admin | > 99b501f662704849852514a853ab55ca | 5927cd6622ed4a7ab11516927f4181e5 | > > +----------------------------------+----------+----------------------------------+----------------------------------+ > > However, when I remove the OS_SERVICE_TOKEN from my ENV variables and > re-login, just using the following: > > export OS_USERNAME=admin > export OS_PASSWORD=xxxxxx > export OS_TENANT_NAME=admin > export OS_AUTH_URL=http://myserver.local:35357/v2.0 > > I seem to authenticate OK, but I can't seem to do "admin" like things. > When I was experimenting with Icehouse RC1 this worked just fine, but > now it doesn't work. Like, I try this: > > # keystone user-list > The resource could not be found. (HTTP 404) > > keystone tenant-list > +----------------------------------+-------+---------+ > | id | name | enabled | > +----------------------------------+-------+---------+ > | 5927cd6622ed4a7ab11516927f4181e5 | admin | True | > +----------------------------------+-------+---------+ > > > Even though there are more tenants than just that one tenant, as shown > above. It almost seems the like "admin" user here is "just another > user", one without admin rights. > > I looked in the keystone logs when trying the last "keystone user-list" > command and saw this: > > 2014-04-28 12:53:56.891 17613 DEBUG keystone.middleware.core [-] Auth > token not in the request header. Will not build auth context. > process_request > /usr/lib/python2.6/site-packages/keystone/middleware/core.py:271 > 2014-04-28 12:53:56.893 17613 DEBUG keystone.common.wsgi [-] arg_dict: > {} __call__ /usr/lib/python2.6/site-packages/keystone/common/wsgi.py:181 > 2014-04-28 12:53:56.899 17613 DEBUG keystone.notifications [-] CADF > Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event', > 'initiator': {'typeURI': 'service/security/account/user', 'host': > {'agent': 'python-keystoneclient', 'address': '10.1.1.147'}, 'id': > 'openstack:46f88e47-8dc5-4761-adb3-d5ac1c104ed2', 'name': > u'99b501f662704849852514a853ab55ca'}, 'target': {'typeURI': > 'service/security/account/user', 'id': > 'openstack:c3e6a002-f10f-4323-9da4-0c5c91f278f3'}, 'observer': > {'typeURI': 'service/security', 'id': > 'openstack:3cbbc605-427e-433e-b329-d9e6d4b5c16e'}, 'eventType': > 'activity', 'eventTime': '2014-04-28T19:53:56.898906+0000', 'action': > 'authenticate', 'outcome': 'pending', 'id': > 'openstack:8f9605fe-9498-4d37-9024-d13767af8382'} > _send_audit_notification > /usr/lib/python2.6/site-packages/keystone/notifications.py:289 > 2014-04-28 12:53:56.948 17613 DEBUG keystone.notifications [-] CADF > Event: {'typeURI': 'http://schemas.dmtf.org/cloud/audit/1.0/event', > 'initiator': {'typeURI': 'service/security/account/user', 'host': > {'agent': 'python-keystoneclient', 'address': '10.1.1.147'}, 'id': > 'openstack:46f88e47-8dc5-4761-adb3-d5ac1c104ed2', 'name': > u'99b501f662704849852514a853ab55ca'}, 'target': {'typeURI': > 'service/security/account/user', 'id': > 'openstack:6955d3f0-41da-49c0-9f1b-025d60195a5f'}, 'observer': > {'typeURI': 'service/security', 'id': > 'openstack:07ce1f0d-cd8d-495e-9e93-5a60dd0abb33'}, 'eventType': > 'activity', 'eventTime': '2014-04-28T19:53:56.947942+0000', 'action': > 'authenticate', 'outcome': 'success', 'id': > 'openstack:b8335d16-2f9a-42bf-bfb8-071c07d4206d'} > _send_audit_notification > /usr/lib/python2.6/site-packages/keystone/notifications.py:289 > 2014-04-28 12:53:57.002 17613 INFO eventlet.wsgi.server [-] 10.1.1.147 - > - [28/Apr/2014 12:53:57] "POST /v2.0/tokens HTTP/1.1" 200 6397 0.111563 > 2014-04-28 12:53:57.020 17613 DEBUG keystone.middleware.core [-] RBAC: > auth_context: {'project_id': u'5927cd6622ed4a7ab11516927f4181e5', > 'user_id': u'99b501f662704849852514a853ab55ca', 'roles': [u'_member_', > u'admin']} process_request > /usr/lib/python2.6/site-packages/keystone/middleware/core.py:281 > 2014-04-28 12:53:57.023 17613 INFO eventlet.wsgi.server [-] 10.1.1.147 - > - [28/Apr/2014 12:53:57] "GET /v2.0/users HTTP/1.1" 404 228 0.008255 > > It explicitly states 'roles': [u'_member_', u'admin'] so I figure it > dhould work? Anyone seen anything like this before? Maybe I made a > typo somewhere? > > My keystone policy.json file is un-tampered with and contains the > default settings: > > { > "admin_required": "role:admin or is_admin:1", > "service_role": "role:service", > "service_or_admin": "rule:admin_required or rule:service_role", > "owner" : "user_id:%(user_id)s", > "admin_or_owner": "rule:admin_required or rule:owner", > > "default": "rule:admin_required", > > "identity:get_region": "", > "identity:list_regions": "", > "identity:create_region": "rule:admin_required", > "identity:update_region": "rule:admin_required", > "identity:delete_region": "rule:admin_required", > > "identity:get_service": "rule:admin_required", > "identity:list_services": "rule:admin_required", > "identity:create_service": "rule:admin_required", > "identity:update_service": "rule:admin_required", > "identity:delete_service": "rule:admin_required", > > "identity:get_endpoint": "rule:admin_required", > "identity:list_endpoints": "rule:admin_required", > "identity:create_endpoint": "rule:admin_required", > "identity:update_endpoint": "rule:admin_required", > "identity:delete_endpoint": "rule:admin_required", > > "identity:get_domain": "rule:admin_required", > "identity:list_domains": "rule:admin_required", > "identity:create_domain": "rule:admin_required", > "identity:update_domain": "rule:admin_required", > "identity:delete_domain": "rule:admin_required", > > "identity:get_project": "rule:admin_required", > "identity:list_projects": "rule:admin_required", > "identity:list_user_projects": "rule:admin_or_owner", > "identity:create_project": "rule:admin_required", > "identity:update_project": "rule:admin_required", > "identity:delete_project": "rule:admin_required", > > "identity:get_user": "rule:admin_required", > "identity:list_users": "rule:admin_required", > "identity:create_user": "rule:admin_required", > "identity:update_user": "rule:admin_required", > "identity:delete_user": "rule:admin_required", > "identity:change_password": "rule:admin_or_owner", > > "identity:get_group": "rule:admin_required", > "identity:list_groups": "rule:admin_required", > "identity:list_groups_for_user": "rule:admin_or_owner", > "identity:create_group": "rule:admin_required", > "identity:update_group": "rule:admin_required", > "identity:delete_group": "rule:admin_required", > "identity:list_users_in_group": "rule:admin_required", > "identity:remove_user_from_group": "rule:admin_required", > "identity:check_user_in_group": "rule:admin_required", > "identity:add_user_to_group": "rule:admin_required", > > "identity:get_credential": "rule:admin_required", > "identity:list_credentials": "rule:admin_required", > "identity:create_credential": "rule:admin_required", > "identity:update_credential": "rule:admin_required", > "identity:delete_credential": "rule:admin_required", > > "identity:ec2_get_credential": "rule:admin_or_owner", > "identity:ec2_list_credentials": "rule:admin_or_owner", > "identity:ec2_create_credential": "rule:admin_or_owner", > "identity:ec2_delete_credential": "rule:admin_required or > (rule:owner and user_id:%(target.credential.user_id)s)", > > "identity:get_role": "rule:admin_required", > "identity:list_roles": "rule:admin_required", > "identity:create_role": "rule:admin_required", > "identity:update_role": "rule:admin_required", > "identity:delete_role": "rule:admin_required", > > "identity:check_grant": "rule:admin_required", > "identity:list_grants": "rule:admin_required", > "identity:create_grant": "rule:admin_required", > "identity:revoke_grant": "rule:admin_required", > > "identity:list_role_assignments": "rule:admin_required", > > "identity:get_policy": "rule:admin_required", > "identity:list_policies": "rule:admin_required", > "identity:create_policy": "rule:admin_required", > "identity:update_policy": "rule:admin_required", > "identity:delete_policy": "rule:admin_required", > > "identity:check_token": "rule:admin_required", > "identity:validate_token": "rule:service_or_admin", > "identity:validate_token_head": "rule:service_or_admin", > "identity:revocation_list": "rule:service_or_admin", > "identity:revoke_token": "rule:admin_or_owner", > > "identity:create_trust": "user_id:%(trust.trustor_user_id)s", > "identity:get_trust": "rule:admin_or_owner", > "identity:list_trusts": "", > "identity:list_roles_for_trust": "", > "identity:check_role_for_trust": "", > "identity:get_role_for_trust": "", > "identity:delete_trust": "", > > "identity:create_consumer": "rule:admin_required", > "identity:get_consumer": "rule:admin_required", > "identity:list_consumers": "rule:admin_required", > "identity:delete_consumer": "rule:admin_required", > "identity:update_consumer": "rule:admin_required", > > "identity:authorize_request_token": "rule:admin_required", > "identity:list_access_token_roles": "rule:admin_required", > "identity:get_access_token_role": "rule:admin_required", > "identity:list_access_tokens": "rule:admin_required", > "identity:get_access_token": "rule:admin_required", > "identity:delete_access_token": "rule:admin_required", > > "identity:list_projects_for_endpoint": "rule:admin_required", > "identity:add_endpoint_to_project": "rule:admin_required", > "identity:check_endpoint_in_project": "rule:admin_required", > "identity:list_endpoints_for_project": "rule:admin_required", > "identity:remove_endpoint_from_project": "rule:admin_required", > > "identity:create_identity_provider": "rule:admin_required", > "identity:list_identity_providers": "rule:admin_required", > "identity:get_identity_providers": "rule:admin_required", > "identity:update_identity_provider": "rule:admin_required", > "identity:delete_identity_provider": "rule:admin_required", > > "identity:create_protocol": "rule:admin_required", > "identity:update_protocol": "rule:admin_required", > "identity:get_protocol": "rule:admin_required", > "identity:list_protocols": "rule:admin_required", > "identity:delete_protocol": "rule:admin_required", > > "identity:create_mapping": "rule:admin_required", > "identity:get_mapping": "rule:admin_required", > "identity:list_mappings": "rule:admin_required", > "identity:delete_mapping": "rule:admin_required", > "identity:update_mapping": "rule:admin_required", > > "identity:list_projects_for_groups": "", > "identity:list_domains_for_groups": "", > > "identity:list_revoke_events": "" > } > > Can anyone see my mistake? Maybe I encountered a bug?? > > Thanks for any idea!!! > > cheers, > -erich > > _______________________________________________ > Mailing list: > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : [email protected] > Unsubscribe : > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > > > > _______________________________________________ > Mailing list: > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : [email protected] > Unsubscribe : > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > >
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : [email protected] Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
