Bug 1021670 - Admin user can't use another tenant without adding a user-role for himself
Status: CLOSED NOTABUG
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 4.0
Assigned To: Adam Young
Jeremy Agee
Reported: 2013-10-21 14:47 EDT by Martina Kollarova
Modified: 2016-04-26 10:18 EDT
Doc Type: Bug Fix
Last Closed: 2013-11-18 11:15:58 EST
Type: Bug

Description Martina Kollarova 2013-10-21 14:47:35 EDT
Description of problem:
If I use a different (existing) tenant for the admin user, I get an error message that it requires authentication. Adding a role for admin and that tenant fixes it.

Version-Release number of selected component (if applicable):
Reproduced on RHOS4, puddle 2013-10-15.1

python-keystone-2013.2-0.14.rc1.el6ost.noarch
openstack-keystone-2013.2-0.14.rc1.el6ost.noarch
python-keystoneclient-0.3.2-6.el6ost.noarch
openstack-packstack-2013.2.1-0.6.dev763.el6ost.noarch

How reproducible:
always

Steps to Reproduce:
(assuming that there is a user named 'demo' with a tenant named 'demo')
$ source keystonerc_admin # (or set the OS_* env variables)
$ export OS_TENANT_NAME=demo
$ keystone user-list
The request you have made requires authentication. (HTTP 401)

$ export OS_TENANT_NAME=admin
$ keystone user-role-add --user admin --role admin --tenant demo
$ export OS_TENANT_NAME=demo
$ keystone user-list
...
<results>
...


Expected results:
Admin user should be able to use all the tenants.


Additional info:

# keystone tenant-get demo
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
|   enabled   |               True               |
|      id     | cf0a8676066f484bb43c75240082c818 |
|     name    |               demo               |
+-------------+----------------------------------+
# keystone user-get demo
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |         demo@example.com         |
| enabled  |               True               |
|    id    | fa807967c5d64392a3823ea850793e19 |
|   name   |               demo               |
| tenantId | cf0a8676066f484bb43c75240082c818 |
+----------+----------------------------------+
# keystone user-role-list # before the addition of role for admin
+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | abfb4a74b7bf461fbb40887fb58fcf11 | da1761b338984b2d8a662f88b47819ed |
| eb1d2e55079e41cd8dbe2aaa1a5f3605 |  admin   | abfb4a74b7bf461fbb40887fb58fcf11 | da1761b338984b2d8a662f88b47819ed |
+----------------------------------+----------+----------------------------------+----------------------------------+
Comment 2 Adam Young 2013-11-18 11:15:58 EST
This is a mistake: you should not be doing:

export OS_TENANT_NAME=demo

The value specified this way tells Keystone what tenant to look for roles in.  It does not scope in the actual queries themselves.  Do not set the OS_TENANT_NAME to anything other than the admin project and you should be OK.
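
A simplified model of the per-tenant role lookup described in the comment above, added here as an example (it is not Keystone code and not part of the original report). It parses the `keystone user-role-list` table from the report and shows why scoping to the demo tenant yields no roles until one is granted. The function names are hypothetical, and treating `abfb4a74...` as the admin user and `da1761b3...` as the admin tenant is an assumption drawn from the listing.

```python
# Added example: a model of Keystone's (user, tenant) -> roles lookup.
# Table rows are copied from the `keystone user-role-list` output in the report.
ROLE_TABLE = """\
+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | abfb4a74b7bf461fbb40887fb58fcf11 | da1761b338984b2d8a662f88b47819ed |
| eb1d2e55079e41cd8dbe2aaa1a5f3605 |  admin   | abfb4a74b7bf461fbb40887fb58fcf11 | da1761b338984b2d8a662f88b47819ed |
+----------------------------------+----------+----------------------------------+----------------------------------+
"""
ADMIN_USER = "abfb4a74b7bf461fbb40887fb58fcf11"    # assumed: the admin user
ADMIN_TENANT = "da1761b338984b2d8a662f88b47819ed"  # assumed: the admin tenant
DEMO_TENANT = "cf0a8676066f484bb43c75240082c818"   # from `keystone tenant-get demo`


def parse_table(text):
    """Parse the CLI's ASCII table into a list of dicts keyed by column header."""
    rows = [
        [cell.strip() for cell in line.strip().strip("|").split("|")]
        for line in text.splitlines()
        if line.strip().startswith("|")  # skip the +----+ border lines
    ]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def build_assignments(rows):
    """Map (user_id, tenant_id) -> set of role names held on that tenant."""
    assignments = {}
    for r in rows:
        assignments.setdefault((r["user_id"], r["tenant_id"]), set()).add(r["name"])
    return assignments


def scoped_roles(assignments, user_id, tenant_id):
    """Roles a token scoped to tenant_id would carry.

    An empty set models the HTTP 401 in the report: the user holds no role
    on the tenant named by OS_TENANT_NAME, so no scoped token is issued.
    """
    return assignments.get((user_id, tenant_id), set())


def grant(assignments, user_id, role, tenant_id):
    """Model of `keystone user-role-add --user ... --role ... --tenant ...`."""
    assignments.setdefault((user_id, tenant_id), set()).add(role)
```

The model makes the least-privilege consequence visible: a role held on one tenant grants nothing on another, so every extra `(user, tenant)` grant is a separate assignment that an access review should account for.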
