Bug 892327

Summary: Unable to authenticate to any projects if user has not been assigned to a role
Product: Red Hat OpenStack
Reporter: Perry Myers <pmyers>
Component: openstack-keystone
Assignee: Adam Young <ayoung>
Status: CLOSED ERRATA
QA Contact: Pavel Sedlák <psedlak>
Severity: unspecified
Priority: unspecified
Version: 2.0 (Folsom)
CC: ajeain, aortega, apevec, ayoung, dpal, jpichon, markmc, mrunge
Target Milestone: snapshot1
Keywords: FutureFeature, Triaged
Target Release: 3.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-keystone-2013.1.1-1.el6ost
Doc Type: Enhancement
Last Closed: 2013-05-29 15:03:30 UTC
Type: Bug

Description Perry Myers 2013-01-06 17:35:27 UTC
Description of problem:
Not sure if this is an issue in Horizon auth or somewhere else, so assigning to distribution component for now for further analysis

If you create a new user in keystone as follows:
keystone tenant-create --name test --description test
(test's id is c3c3ae2f33144345a3e0140240c8b943)
keystone user-create --name user --tenant-id c3c3ae2f33144345a3e0140240c8b943 --pass password

Note that I did not assign a role to the user when I created it, but since assigning a role in keystone doesn't appear to be mandatory there is no error message given here.

But later if you try to log into Horizon using that user, it will not let you and will display the error message: "Unable to authenticate to any available projects."

Which doesn't really point you clearly at the fact that you're missing a valid role on the project.

So why not either: make assignment of a role mandatory when creating a user in a tenant?  Or at least make the error message easier for the user to understand that the reason they can't log in is that the user does not have a valid role on the project.

Comment 1 Dmitri Pal 2013-01-06 17:46:42 UTC
An alternative might be to create a default role and project so that when the user is created without affiliation with project and role keystone would assign them to the user internally. Another alternative is to derive project and role from the identity of the user who runs the command so that if an admin of project A creates a user this user is immediately confined to project A and would be created as another admin. Anyways there are different ways to skin the cat and the best solution depends on which is the 80/20 use case. I do not know keystone well enough to advise.

Comment 2 Alan Pevec 2013-01-10 19:10:46 UTC
Moving to keystone and assigning to Adam to explain keystone concepts.

Comment 4 Adam Young 2013-05-14 16:21:39 UTC
There is no "user is a member of a project" direct relationship in the Grizzly release.  Instead, the user/project relationship is defined solely through roles.  To aid in migration, we created a role for membership.

https://github.com/openstack/keystone/blob/stable/grizzly/keystone/common/sql/migrate_repo/versions/017_membership_role.py#L37

Comment 7 Pavel Sedlák 2013-05-22 12:15:18 UTC
Verified with 
* openstack-dashboard-2013.1.1-1.el6ost
* openstack-keystone-2013.1.1-1.el6ost
* python-keystoneclient-1:0.2.3-1.el6ost

Followed steps from description.

1) Create tenant/project
> # keystone tenant-create --name test --description test
> +-------------+----------------------------------+
> |   Property  |              Value               |   
> +-------------+----------------------------------+
> | description |               test               |   
> |   enabled   |               True               |   
> |      id     | 2d2377327d5d4d70ad36bde6d055ee83 |
> |     name    |               test               |   
> +-------------+----------------------------------+

2) Create user and 'put' him into tenant created in previous step
> # keystone user-create --name user --tenant-id 2d2377327d5d4d70ad36bde6d055ee83 --pass password
> +----------+----------------------------------+
> | Property |              Value               |   
> +----------+----------------------------------+
> |  email   |                                  |   
> | enabled  |               True               |   
> |    id    | ccdfedbb1ed04e628e5336a517817755 |
> |   name   |               user               |   
> | tenantId | 2d2377327d5d4d70ad36bde6d055ee83 |
> +----------+----------------------------------+

3) Additionally check that he has the new 'user-tenant-relationship' role
> # keystone user-role-list --user-id ccdfedbb1ed04e628e5336a517817755 --tenant-id 2d2377327d5d4d70ad36bde6d055ee83
> +----------------------------------+----------+----------------------------------+----------------------------------+
> |                id                |   name   |             user_id              |            tenant_id             |   
> +----------------------------------+----------+----------------------------------+----------------------------------+
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | ccdfedbb1ed04e628e5336a517817755 | 2d2377327d5d4d70ad36bde6d055ee83 |
> +----------------------------------+----------+----------------------------------+----------------------------------+

4) Login to horizon/dashboard with 'user':'password' works and 'test' project overview is displayed.
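As an added illustration of the role-only membership model described in comment 4 and of what the `_member_` migration verified in comment 7 does, the following Python sketch (written for this page, not Keystone's own code) models users, projects and role grants as plain dicts and sets; the tenant and user ids are the ones from the verification output, and the second user is constructed.

```python
# Added model of Grizzly's role-only project membership; not Keystone's
# own code.  Assumption: users and role grants are plain dicts/sets
# standing in for the SQL tables the real migration touches.

MEMBER_ROLE = "_member_"  # role name the 017_membership_role migration creates


def can_authenticate_to_project(user_id, project_id, grants):
    """Grizzly rule: a project-scoped login succeeds only if the user
    holds at least one role on that project.  `grants` is a set of
    (user_id, project_id, role_name) tuples."""
    return any(u == user_id and p == project_id for u, p, _ in grants)


def available_projects(user_id, grants):
    """Projects Horizon can scope the login to.  An empty list is the
    'Unable to authenticate to any available projects.' case."""
    return sorted({p for u, p, _ in grants if u == user_id})


def grant_member_role(users, grants):
    """Model of the migration: a user created with a tenantId but no
    role on that tenant gets `_member_` there.  Existing grants are kept,
    so running it twice changes nothing."""
    new_grants = set(grants)
    for user in users:
        tenant = user.get("tenantId")
        if tenant and not can_authenticate_to_project(user["id"], tenant, new_grants):
            new_grants.add((user["id"], tenant, MEMBER_ROLE))
    return new_grants


# Constructed sample data: ids taken from the verification output above,
# plus a second user with no tenant (constructed) to show it is untouched.
TENANT_TEST = "2d2377327d5d4d70ad36bde6d055ee83"
USER_ID = "ccdfedbb1ed04e628e5336a517817755"
USERS = [
    {"id": USER_ID, "name": "user", "tenantId": TENANT_TEST},
    {"id": "00000000000000000000000000000000", "name": "notenant", "tenantId": None},
]
GRANTS_BEFORE = set()  # the Folsom state from the report: no role assigned

if __name__ == "__main__":
    print("before:", available_projects(USER_ID, GRANTS_BEFORE))  # [] -> Horizon error
    after = grant_member_role(USERS, GRANTS_BEFORE)
    print("after: ", available_projects(USER_ID, after))  # [TENANT_TEST]
```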

Comment 9 errata-xmlrpc 2013-05-29 15:03:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0878.html