Description of problem:
If I use a different (existing) tenant for the admin user, I get an error message that it requires authentication. Adding a role for admin and that tenant fixes it.

Version-Release number of selected component (if applicable):
Reproduced on RHOS4, puddle 2013-10-15.1
python-keystone-2013.2-0.14.rc1.el6ost.noarch
openstack-keystone-2013.2-0.14.rc1.el6ost.noarch
python-keystoneclient-0.3.2-6.el6ost.noarch
openstack-packstack-2013.2.1-0.6.dev763.el6ost.noarch

How reproducible:
always

Steps to Reproduce:
(assuming that there is a user named 'demo' with a tenant named 'demo')
$ source keystonerc_admin # (or set the OS_* env variables)
$ export OS_TENANT_NAME=demo
$ keystone user-list
The request you have made requires authentication. (HTTP 401)
$ export OS_TENANT_NAME=admin
$ keystone user-role-add --user admin --role admin --tenant demo
$ export OS_TENANT_NAME=demo
$ keystone user-list
... <results> ...

Expected results:
Admin user should be able to use all the tenants.

Additional info:

# keystone tenant-get demo
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | cf0a8676066f484bb43c75240082c818 |
| name        | demo                             |
+-------------+----------------------------------+

# keystone user-get demo
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | demo                             |
| enabled  | True                             |
| id       | fa807967c5d64392a3823ea850793e19 |
| name     | demo                             |
| tenantId | cf0a8676066f484bb43c75240082c818 |
+----------+----------------------------------+

# keystone user-role-list # before the addition of role for admin
+----------------------------------+----------+----------------------------------+----------------------------------+
| id                               | name     | user_id                          | tenant_id                        |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | abfb4a74b7bf461fbb40887fb58fcf11 | da1761b338984b2d8a662f88b47819ed |
| eb1d2e55079e41cd8dbe2aaa1a5f3605 | admin    | abfb4a74b7bf461fbb40887fb58fcf11 | da1761b338984b2d8a662f88b47819ed |
+----------------------------------+----------+----------------------------------+----------------------------------+

This is a mistake: you should not be doing:

export OS_TENANT_NAME=demo

The value specified this way tells Keystone what tenant to look for roles in. It does not scope in the actual queries themselves. Do not set the OS_TENANT_NAME to anything other than the admin project and you should be OK.
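
Added example, not part of the original report or comment: a shell check that reads the table printed by `keystone user-role-list` and answers whether the admin role is held on the tenant a token would be scoped to, which is the lookup the comment above describes. The function names are hypothetical helpers; the table and tenant id are copied from the report.

```shell
#!/bin/sh
# Added example: decide from `keystone user-role-list` table output whether a
# role is held on a tenant. Function names are hypothetical helpers.

# Role table copied from the report above (taken before the role was added).
SAMPLE_ROLES='+----------------------------------+----------+----------------------------------+----------------------------------+
| id                               | name     | user_id                          | tenant_id                        |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | abfb4a74b7bf461fbb40887fb58fcf11 | da1761b338984b2d8a662f88b47819ed |
| eb1d2e55079e41cd8dbe2aaa1a5f3605 | admin    | abfb4a74b7bf461fbb40887fb58fcf11 | da1761b338984b2d8a662f88b47819ed |
+----------------------------------+----------+----------------------------------+----------------------------------+'

# Tenant id of "demo" as shown by `keystone tenant-get demo` in the report.
DEMO_TENANT=cf0a8676066f484bb43c75240082c818

# has_role ROLE TENANT_ID (table on stdin): exit 0 if a row grants ROLE on TENANT_ID.
has_role() {
    awk -F'|' -v role="$1" -v tenant="$2" '
        NF < 5 { next }                        # border lines contain no "|"
        { for (i = 2; i <= 5; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
        $2 == "id" { next }                    # header row
        $3 == role && $5 == tenant { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# tenants_with_role ROLE (table on stdin): print each tenant_id that grants ROLE.
tenants_with_role() {
    awk -F'|' -v role="$1" '
        NF < 5 { next }
        { for (i = 2; i <= 5; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i) }
        $2 != "id" && $3 == role { print $5 }
    ' | sort -u
}

# scope_verdict TENANT_ID (table on stdin): one-line answer for a token scoped there.
scope_verdict() {
    if has_role admin "$1"; then
        echo "admin role present on $1"
    else
        echo "no admin role on $1"
    fi
}

# Run against the report's table: the demo tenant has no admin role row.
printf '%s\n' "$SAMPLE_ROLES" | scope_verdict "$DEMO_TENANT"
```

On a live system the same functions can read the output of `keystone user-role-list` from a pipe instead of the embedded table.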