Bug 892327
| Summary: | Unable to authenticate to any projects if user has not been assigned to a role | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Perry Myers <pmyers> |
| Component: | openstack-keystone | Assignee: | Adam Young <ayoung> |
| Status: | CLOSED ERRATA | QA Contact: | Pavel Sedlák <psedlak> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 2.0 (Folsom) | CC: | ajeain, aortega, apevec, ayoung, dpal, jpichon, markmc, mrunge |
| Target Milestone: | snapshot1 | Keywords: | FutureFeature, Triaged |
| Target Release: | 3.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-keystone-2013.1.1-1.el6ost | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-05-29 15:03:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Perry Myers
2013-01-06 17:35:27 UTC
Alternative might be to create a default role and project so that when the user is created without affiliation with project and role keystone would assign them to the user internally. Another alternative is to derive project and role from the identity of the user who runs the command so that if an admin of project A creates a user this user is immediately confined to project A and would be created as another admin. Anyways there are different ways to skin the cat and the best solution depends on which is the 80/20 use case. I do not know keystone well enough to advise.

Moving to keystone and assigning to Adam to explain keystone concepts.

There is no "user is a member of a project" direct relationship in the Grizzly release. Instead, the user/project relationship is defined solely through roles. To aid in migration, we created a role for membership.
https://github.com/openstack/keystone/blob/stable/grizzly/keystone/common/sql/migrate_repo/versions/017_membership_role.py#L37

Verified with
* openstack-dashboard-2013.1.1-1.el6ost
* openstack-keystone-2013.1.1-1.el6ost
* python-keystoneclient-1:0.2.3-1.el6ost

Followed steps from description.

1) Create tenant/project
> # keystone tenant-create --name test --description test
> +-------------+----------------------------------+
> | Property    | Value                            |
> +-------------+----------------------------------+
> | description | test                             |
> | enabled     | True                             |
> | id          | 2d2377327d5d4d70ad36bde6d055ee83 |
> | name        | test                             |
> +-------------+----------------------------------+

2) Create user and 'put' him into tenant created in previous step
> # keystone user-create --name user --tenant-id 2d2377327d5d4d70ad36bde6d055ee83 --pass password
> +----------+----------------------------------+
> | Property | Value                            |
> +----------+----------------------------------+
> | email    |                                  |
> | enabled  | True                             |
> | id       | ccdfedbb1ed04e628e5336a517817755 |
> | name     | user                             |
> | tenantId | 2d2377327d5d4d70ad36bde6d055ee83 |
> +----------+----------------------------------+

3) Additionally check that he has the new 'user-tenant-relationship' role
> # keystone user-role-list --user-id ccdfedbb1ed04e628e5336a517817755 --tenant-id 2d2377327d5d4d70ad36bde6d055ee83
> +----------------------------------+----------+----------------------------------+----------------------------------+
> | id                               | name     | user_id                          | tenant_id                        |
> +----------------------------------+----------+----------------------------------+----------------------------------+
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | ccdfedbb1ed04e628e5336a517817755 | 2d2377327d5d4d70ad36bde6d055ee83 |
> +----------------------------------+----------+----------------------------------+----------------------------------+

4) Login to horizon/dashboard with 'user':'password' works and 'test' project overview is displayed.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2013-0878.html
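
The role check from step 3 of the verification comment, as an added example that is not part of the original bug comments and is not keystone code: it parses pasted `keystone user-role-list` output and reports which user/tenant pairs hold no role, the condition named in this bug's summary. The function names and the second user id are assumptions made for the illustration; the table is the one shown in step 3.

```python
# Added example: audit pasted `keystone user-role-list` output for
# user/tenant pairs with no role. Helper names are hypothetical.

# Output copied from step 3 of the verification comment (quote marks kept).
PAGE_OUTPUT = """\
> +----------------------------------+----------+----------------------------------+----------------------------------+
> | id | name | user_id | tenant_id |
> +----------------------------------+----------+----------------------------------+----------------------------------+
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | ccdfedbb1ed04e628e5336a517817755 | 2d2377327d5d4d70ad36bde6d055ee83 |
> +----------------------------------+----------+----------------------------------+----------------------------------+
"""
USER = "ccdfedbb1ed04e628e5336a517817755"
TENANT = "2d2377327d5d4d70ad36bde6d055ee83"
ORPHAN = "00000000000000000000000000000000"  # constructed id, holds no role


def parse_table(text):
    """Turn the CLI's ASCII table into a list of dicts keyed by column name."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip().lstrip(">").strip()  # tolerate '>'-quoted pastes
        if not (line.startswith("|") and line.endswith("|")):
            continue  # border lines, prompts, blank lines
        cells = [c.strip() for c in line[1:-1].split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def roles_on_tenant(table_text, user_id, tenant_id):
    """Names of the roles the user holds on the tenant, sorted."""
    return sorted(r["name"] for r in parse_table(table_text)
                  if r["user_id"] == user_id and r["tenant_id"] == tenant_id)


def unassigned(table_text, expected_pairs):
    """(user_id, tenant_id) pairs from expected_pairs that hold no role."""
    held = {(r["user_id"], r["tenant_id"]) for r in parse_table(table_text)}
    return [pair for pair in expected_pairs if pair not in held]


if __name__ == "__main__":
    print(roles_on_tenant(PAGE_OUTPUT, USER, TENANT))
    print(unassigned(PAGE_OUTPUT, [(USER, TENANT), (ORPHAN, TENANT)]))
```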