Bug 1021670 - Admin user can't use another tenant without adding a user-role for himself
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 4.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.0
Assignee: Adam Young
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-10-21 18:47 UTC by Martina Kollarova
Modified: 2016-04-26 14:18 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-18 16:15:58 UTC
Target Upstream Version:


Description Martina Kollarova 2013-10-21 18:47:35 UTC
Description of problem:
If I use a different (existing) tenant for the admin user, I get an error message that it requires authentication. Adding a role for admin and that tenant fixes it.

Version-Release number of selected component (if applicable):
Reproduced on RHOS4, puddle 2013-10-15.1

python-keystone-2013.2-0.14.rc1.el6ost.noarch
openstack-keystone-2013.2-0.14.rc1.el6ost.noarch
python-keystoneclient-0.3.2-6.el6ost.noarch
openstack-packstack-2013.2.1-0.6.dev763.el6ost.noarch

How reproducible:
always

Steps to Reproduce:
(assuming that there is a user named 'demo' with a tenant named 'demo')
$ source keystonerc_admin # (or set the OS_* env variables)
$ export OS_TENANT_NAME=demo
$ keystone user-list
The request you have made requires authentication. (HTTP 401)

$ export OS_TENANT_NAME=admin
$ keystone user-role-add --user admin --role admin --tenant demo
$ export OS_TENANT_NAME=demo
$ keystone user-list
...
<results>
...


Expected results:
Admin user should be able to use all the tenants.


Additional info:

# keystone tenant-get demo
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
|   enabled   |               True               |
|      id     | cf0a8676066f484bb43c75240082c818 |
|     name    |               demo               |
+-------------+----------------------------------+
# keystone user-get demo
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |         demo         |
| enabled  |               True               |
|    id    | fa807967c5d64392a3823ea850793e19 |
|   name   |               demo               |
| tenantId | cf0a8676066f484bb43c75240082c818 |
+----------+----------------------------------+
# keystone user-role-list # before the addition of role for admin
+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | abfb4a74b7bf461fbb40887fb58fcf11 | da1761b338984b2d8a662f88b47819ed |
| eb1d2e55079e41cd8dbe2aaa1a5f3605 |  admin   | abfb4a74b7bf461fbb40887fb58fcf11 | da1761b338984b2d8a662f88b47819ed |
+----------------------------------+----------+----------------------------------+----------------------------------+

Comment 2 Adam Young 2013-11-18 16:15:58 UTC
This is a mistake: you should not be doing:

export OS_TENANT_NAME=demo

The value specified this way tells Keystone what tenant to look for roles in.  It does not scope in the actual queries themselves.  Do not set the OS_TENANT_NAME to anything other than the admin project and you should be OK.
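
The behaviour discussed in this bug, as an added example that is not part of the original report and is not Keystone's code: a simplified model that parses the `keystone user-role-list` output quoted above and checks whether a tenant-scoped request would be authorized. It assumes the listed user_id is the admin user and that a scoped request needs at least one role on the target tenant; all function names are hypothetical.

```python
# Added example: simplified model of tenant-scoped authorization, not Keystone code.
# Table copied from the `keystone user-role-list` output quoted in this bug.
USER_ROLE_LIST = """\
+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | abfb4a74b7bf461fbb40887fb58fcf11 | da1761b338984b2d8a662f88b47819ed |
| eb1d2e55079e41cd8dbe2aaa1a5f3605 |  admin   | abfb4a74b7bf461fbb40887fb58fcf11 | da1761b338984b2d8a662f88b47819ed |
+----------------------------------+----------+----------------------------------+----------------------------------+
"""
ADMIN_USER = "abfb4a74b7bf461fbb40887fb58fcf11"     # assumption: the admin user
LISTED_TENANT = "da1761b338984b2d8a662f88b47819ed"  # tenant shown in the listing
DEMO_TENANT = "cf0a8676066f484bb43c75240082c818"    # from `keystone tenant-get demo`

def parse_table(text):
    """Turn keystone CLI pretty-table output into a list of row dicts."""
    rows = [[cell.strip() for cell in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]

def roles_by_tenant(rows, user_id):
    """Map tenant_id -> set of role names held by user_id."""
    result = {}
    for row in rows:
        if row["user_id"] == user_id:
            result.setdefault(row["tenant_id"], set()).add(row["name"])
    return result

def grant(rows, role_name, user_id, tenant_id):
    """Model `keystone user-role-add`: return rows plus one new assignment."""
    role_id = next(r["id"] for r in rows if r["name"] == role_name)
    new_row = {"id": role_id, "name": role_name,
               "user_id": user_id, "tenant_id": tenant_id}
    return rows + [new_row]

def scope_status(assignments, tenant_id):
    """HTTP status of a request scoped to tenant_id: 401 if no role there."""
    return 200 if assignments.get(tenant_id) else 401

rows = parse_table(USER_ROLE_LIST)
before = roles_by_tenant(rows, ADMIN_USER)
after = roles_by_tenant(grant(rows, "admin", ADMIN_USER, DEMO_TENANT), ADMIN_USER)

if __name__ == "__main__":
    print("before:", scope_status(before, DEMO_TENANT))  # OS_TENANT_NAME=demo
    print("after: ", scope_status(after, DEMO_TENANT))   # after user-role-add
```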

