Bug 1021670

Summary: Admin user can't use another tenant without adding a user-role for himself
Product: Red Hat OpenStack
Reporter: Martina Kollarova <mkollaro>
Component: openstack-keystone
Assignee: Adam Young <ayoung>
Status: CLOSED NOTABUG
QA Contact: Jeremy Agee <jagee>
Severity: unspecified
Priority: unspecified
Version: 4.0
CC: ayoung, hateya, kbanerje, ncredi, yeylon
Target Milestone: ---
Target Release: 4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-11-18 16:15:58 UTC
Type: Bug

Description Martina Kollarova 2013-10-21 18:47:35 UTC
Description of problem:
If I use a different (existing) tenant for the admin user, I get an error message that it requires authentication. Adding a role for admin and that tenant fixes it.

Version-Release number of selected component (if applicable):
Reproduced on RHOS4, puddle 2013-10-15.1

python-keystone-2013.2-0.14.rc1.el6ost.noarch
openstack-keystone-2013.2-0.14.rc1.el6ost.noarch
python-keystoneclient-0.3.2-6.el6ost.noarch
openstack-packstack-2013.2.1-0.6.dev763.el6ost.noarch

How reproducible:
always

Steps to Reproduce:
(assuming that there is a user named 'demo' with a tenant named 'demo')
$ source keystonerc_admin # (or set the OS_* env variables)
$ export OS_TENANT_NAME=demo
$ keystone user-list
The request you have made requires authentication. (HTTP 401)

$ export OS_TENANT_NAME=admin
$ keystone user-role-add --user admin --role admin --tenant demo
$ export OS_TENANT_NAME=demo
$ keystone user-list
...
<results>
...


Expected results:
Admin user should be able to use all the tenants.


Additional info:

# keystone tenant-get demo
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
|   enabled   |               True               |
|      id     | cf0a8676066f484bb43c75240082c818 |
|     name    |               demo               |
+-------------+----------------------------------+
# keystone user-get demo
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |               demo               |
| enabled  |               True               |
|    id    | fa807967c5d64392a3823ea850793e19 |
|   name   |               demo               |
| tenantId | cf0a8676066f484bb43c75240082c818 |
+----------+----------------------------------+
# keystone user-role-list # before the addition of role for admin
+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | abfb4a74b7bf461fbb40887fb58fcf11 | da1761b338984b2d8a662f88b47819ed |
| eb1d2e55079e41cd8dbe2aaa1a5f3605 |  admin   | abfb4a74b7bf461fbb40887fb58fcf11 | da1761b338984b2d8a662f88b47819ed |
+----------------------------------+----------+----------------------------------+----------------------------------+

Comment 2 Adam Young 2013-11-18 16:15:58 UTC
This is a mistake: you should not be doing:

export OS_TENANT_NAME=demo

The value specified this way tells Keystone what tenant to look for roles in.  It does not scope in the actual queries themselves.  Do not set the OS_TENANT_NAME to anything other than the admin project and you should be OK.
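The mechanism behind the 401 and behind Comment 2's advice, as an added illustration that is not part of this bug thread and not Keystone's own code: a small model of v2 tenant-scoped tokens. A token scoped to the tenant named by OS_TENANT_NAME carries only the roles the user holds in that tenant, and no role there means no scoped token (the 401 the reporter saw); the `keystone user-list` policy check (identity:list_users -> admin_required -> role:admin in the Havana default policy.json) then looks only at the roles in the token and never uses the token's tenant to narrow the listing. Tenant and user names and ids are the ones printed in the report; the demo user's `_member_` role in the demo tenant, the admin tenant id (taken from the user-role-list output) and the 403 wording are assumptions.

```python
"""Model of Keystone v2 tenant scoping for bug 1021670 (added illustration,
not Keystone's code). Ids come from the report; the demo user's _member_
assignment and the admin-tenant id are assumed."""
from dataclasses import dataclass, field

HTTP_401 = "The request you have made requires authentication. (HTTP 401)"
HTTP_403 = "HTTP 403 Forbidden (policy identity:list_users)"  # constructed wording


class Unauthorized(Exception):  # scoped token could not be issued
    pass


class Forbidden(Exception):     # token issued, policy check failed
    pass


@dataclass
class Keystone:
    tenants: dict                      # tenant name -> tenant id
    users: dict                        # user name -> user id
    # (user_id, tenant_id) -> roles: the rows `keystone user-role-list` prints
    assignments: dict = field(default_factory=dict)

    def user_role_add(self, user, role, tenant):
        """`keystone user-role-add --user U --role R --tenant T`."""
        key = (self.users[user], self.tenants[tenant])
        self.assignments.setdefault(key, set()).add(role)

    def authenticate(self, user, tenant):
        """v2 POST /tokens with tenantName=OS_TENANT_NAME (password assumed OK).

        The tenant filters nothing; it names the tenant whose role
        assignments go into the token. No role there -> no scoped token,
        which the CLI reports as HTTP 401.
        """
        uid, tid = self.users[user], self.tenants[tenant]
        roles = self.assignments.get((uid, tid), set())
        if not roles:
            raise Unauthorized(HTTP_401)
        return {"user_id": uid, "tenant_id": tid, "roles": sorted(roles)}

    def list_users(self, token):
        """`keystone user-list`: identity:list_users -> admin_required.

        Havana's default policy.json checks role:admin against the roles in
        the token only; the token's tenant does not narrow the listing, so
        an admin scoped to demo sees every user.
        """
        if "admin" not in token["roles"]:
            raise Forbidden(HTTP_403)
        return sorted(self.users)


def fresh_install():
    """State the report shows before the role was added."""
    ks = Keystone(
        tenants={"admin": "da1761b338984b2d8a662f88b47819ed",   # assumed: tenant of the token
                 "demo": "cf0a8676066f484bb43c75240082c818"},   # from `tenant-get demo`
        users={"admin": "abfb4a74b7bf461fbb40887fb58fcf11",     # from `user-role-list`
               "demo": "fa807967c5d64392a3823ea850793e19"},     # from `user-get demo`
    )
    ks.user_role_add("admin", "_member_", "admin")
    ks.user_role_add("admin", "admin", "admin")
    ks.user_role_add("demo", "_member_", "demo")   # assumed; not listed in the report
    return ks


def user_list(ks, user, os_tenant_name):
    """One `keystone user-list` with OS_TENANT_NAME set; returns the outcome."""
    try:
        return ks.list_users(ks.authenticate(user, os_tenant_name))
    except (Unauthorized, Forbidden) as e:
        return str(e)


def walk_through():
    """The report's steps, the reporter's workaround, and Comment 2's advice."""
    ks = fresh_install()
    out = {}
    out["admin scoped to demo, no role"] = user_list(ks, "admin", "demo")
    # Reporter's workaround: give admin the admin role in the demo tenant.
    ks.user_role_add("admin", "admin", "demo")
    out["admin scoped to demo, after user-role-add"] = user_list(ks, "admin", "demo")
    # Comment 2: keep OS_TENANT_NAME=admin on an untouched install; the role
    # already held there suffices and the listing is identical.
    out["admin scoped to admin"] = user_list(fresh_install(), "admin", "admin")
    # A token holding only _member_ passes auth but fails the policy check.
    out["demo scoped to demo"] = user_list(ks, "demo", "demo")
    return out


if __name__ == "__main__":
    for step, result in walk_through().items():
        print(f"{step}: {result}")
```

The two admin outcomes returning the same full user list is the point of Comment 2: the scoped tenant decides which role assignments land in the token, not which objects the call returns, so adding the admin role in demo buys nothing for `user-list` that the admin tenant did not already provide.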