Bug 905541
| Summary: | Keystone user-role-list displays no output, but role <-> user relationship exists? | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Stephen Gordon <sgordon> |
| Component: | python-keystoneclient | Assignee: | Jamie Lennox <jlennox> |
| Status: | CLOSED WONTFIX | QA Contact: | Ami Jeain <ajeain> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 2.1 | CC: | ayoung, dpal, jlennox, jliberma, nkinder, sclewis, yeylon |
| Target Milestone: | --- | ||
| Target Release: | 5.0 (RHEL 7) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-05-27 20:52:06 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Stephen Gordon
2013-01-29 15:56:44 UTC
Adding to this:
No output for user-role-list for non-admin. The admin role is reporting, the new role is not. The relationship exists in the database as shown below.
[root@rhos0 ~(keystone_admin)]$ keystone user-role-add --user-id e9e8c70f188d43378d824f09bfae7c39 --role-id 1a9ea350fba14ca8b696bf383e6cc48e --tenant-id 8e117168d3e043b4aa03fef189a28592
[root@rhos0 ~(keystone_admin)]$ keystone user-role-list --user-id e9e8c70f188d43378d824f09bfae7c39
[root@rhos0 ~(keystone_admin)]$ keystone user-role-list --tenant-id 8e117168d3e043b4aa03fef189a28592
[root@rhos0 ~(keystone_admin)]$ keystone user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 5a01d44469f6405a96b3bb237269996f | admin | ea56ef0dac0148009fa534e64d9f2f12 | b827f29c4e884c10bdcc89db4e919751 |
+----------------------------------+-------+----------------------------------+----------------------------------+
mysql> select id from user where name='refarch_user';
+----------------------------------+
| id |
+----------------------------------+
| e9e8c70f188d43378d824f09bfae7c39 |
+----------------------------------+
1 row in set (0.00 sec)
mysql> select * from metadata where user_id='e9e8c70f188d43378d824f09bfae7c39';
+----------------------------------+----------------------------------+-------------------------------------------------+
| user_id | tenant_id | data |
+----------------------------------+----------------------------------+-------------------------------------------------+
| e9e8c70f188d43378d824f09bfae7c39 | 8e117168d3e043b4aa03fef189a28592 | {"roles": ["1a9ea350fba14ca8b696bf383e6cc48e"]} |
+----------------------------------+----------------------------------+-------------------------------------------------+
1 row in set (0.00 sec)
mysql> select * from role where id='1a9ea350fba14ca8b696bf383e6cc48e';
+----------------------------------+-------------------+
| id | name |
+----------------------------------+-------------------+
| 1a9ea350fba14ca8b696bf383e6cc48e | refarch_user_role |
+----------------------------------+-------------------+
1 row in set (0.00 sec)
mysql> quit
Bye
[root@localhost ~(keystone_admin)]# keystone user-role-add --user-id=lon --tenant-id=lon --role-id=admin
[root@localhost ~(keystone_admin)]# echo $?
0
[root@localhost ~(keystone_admin)]# keystone user-role-add --user-id=lon --tenant-id=lon --role-id=admin
Unable to communicate with identity service: {"error": {"message": "Conflict occurred attempting to store role grant. User 380b92f1e0c54831896a844adf4c11b7 already has role 489083e939f24d0cb8ea95a785565234 in tenant 7085972c809d4fd597617b65051cc3b4", "code": 409, "title": "Conflict"}}. (HTTP 409)
[root@localhost ~(keystone_admin)]# echo $?
1
[root@localhost ~(keystone_admin)]# keystone user-role-list --user-id=lon --tenant-id=lon
+----------------------------------+-------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 489083e939f24d0cb8ea95a785565234 | admin | 380b92f1e0c54831896a844adf4c11b7 | 7085972c809d4fd597617b65051cc3b4 |
+----------------------------------+-------+----------------------------------+----------------------------------+
Now if you try to add a user role without a tenant ID:
[root@localhost ~(keystone_admin)]# keystone user-role-add --role-id=admin --user-id=lon
Unable to communicate with identity service: {"error": {"message": "User roles not supported: tenant_id required", "code": 501, "title": "Not Implemented"}}. (HTTP 501)
[root@localhost ~(keystone_admin)]# keystone user-role-add --role-id=admin --tenant-id=lon
usage: keystone user-role-add --user <user> --role <role> [--tenant <tenant>]
keystone user-role-add: error: argument --user/--user-id/--user_id is required
The reason it works for admin when you don't specify everything is because keystone looks at your environment variables.
Confusing behavior, for sure.
We are recommending everyone switch to openstack client for working with keystone. We are already rejecting enhancements to the CLI upstram. |