Description of problem:

WORKING, but only with DEFAULT domain user(s):

```
openstack-config --set /etc/nova/nova.conf DEFAULT keystone_ec2_url http://10.224.9.10:5000/v2.0/ec2tokens
```

We receive the following logged error when using a domain user:

```
2017-02-06 08:46:06.839 151201 WARNING keystone.common.wsgi [req-fb1c3e3e-5c35-4534-ab2f-70c39a7e5291 - - - - -] Authorization failed. Non-default domain is not supported (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from 10.224.9.14
```

NOT WORKING:

```
openstack-config --set /etc/nova/nova.conf DEFAULT keystone_ec2_url http://10.224.9.10:5000/v3/ec2tokens
openstack-config --set /etc/nova/nova.conf DEFAULT keystone_ec2_url https://aquarius.ssc.lmco.com:13000/v3/ec2tokens
```

NO DIFFERENCE, possibly deprecated anyway:

```
openstack-config --set /etc/keystone/keystone.conf keystone_ec2_token url http://10.224.9.10:5000/v3/ec2tokens
```

EC2 endpoints (haproxy configured for appropriate public endpoints):

| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
|---|---|---|---|---|---|---|
| a009949a13b54621bf51015b19298dea | regionOne | ec2 | ec2 | True | public | https://aquarius.ssc.lmco.com:13773/services/Cloud |
| b8cb6c761d3946afaaa0a55df3e16443 | regionOne | ec2 | ec2 | True | admin | https://10.224.9.10:8773/services/Admin |
| e129674b46e34ab0988bbd3e786216fb | regionOne | ec2 | ec2 | True | internal | http://10.224.9.10:8773/services/Cloud |

Version-Release number of selected component (if applicable): openstack-keystone-8.0.1-1.el7ost.noarch

How reproducible: 100%

Steps to Reproduce:
1.
2.
3.

Actual results: errors above

Expected results: success

Additional info:

The following works fine as admin (default domain) or tenant (non-default domain). I suppose this is expected, since it uses the keystone v2 API:

```
openstack ec2 credentials create
```

If I generate the credentials with a tenant (non-default domain account), they DO NOT work. If I generate these credentials with the admin (default domain) account, they work fine.
The following does NOT work as a user, domain admin, or default admin, since it uses the v3 API; but since this command is actually available, I'd assume this SHOULD be possible:

```
openstack credential create --type ec2 --project 55ddfc1c92104b64ac6b59585f0cc648 e307033 '{"access": "test001", "secret": "test002"}'
```

**Error as domain admin:**

```
$ openstack credential create --type ec2 --project 55ddfc1c92104b64ac6b59585f0cc648 e307033 '{"access": "test001", "secret": "test002"}'
The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-55f4f6c2-b4b6-4ab3-b2f0-12a72e83a898)
```

**Error as default admin:**

```
$ openstack credential create --type ec2 --project 55ddfc1c92104b64ac6b59585f0cc648 e307033 '{"access": "test001", "secret": "test002"}'
Could not find resource e307033
```

**Error as user:**

```
$ openstack credential create --type ec2 --project 55ddfc1c92104b64ac6b59585f0cc648 e307033 '{"access": "test001", "secret": "test002"}'
You are not authorized to perform the requested action: identity:list_users (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-cebcfd15-c021-4ec0-a5b9-fac8d1fcd82e)
```
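As an added diagnostic (not code from the report or from OpenStack), this script reads the `keystone_ec2_url` that nova is configured with and scans keystone WSGI log lines for the "Non-default domain is not supported" rejection shown above, so an operator can tie the rejected requests to the Identity API version nova sends EC2 tokens to. The sample nova.conf and log lines are constructed; the WARNING line mirrors the one in the report.

```python
"""Diagnose EC2-token rejections of non-default-domain users.
Added example, not from the bug report or OpenStack. Sample nova.conf and
log lines below are constructed (the WARNING line mirrors the report)."""
import configparser
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# keystone.common.wsgi line: "<date> <time> <pid> <LEVEL> <module> [req-id ...] <msg> from <ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<pid>\d+) (?P<level>[A-Z]+) (?P<module>\S+) "
    r"\[(?P<reqid>req-[0-9a-f-]+)[^\]]*\] (?P<msg>.*?)(?: from (?P<src>\d+(?:\.\d+){3}))?$")
REJECTION = "Non-default domain is not supported"

SAMPLE_NOVA_CONF = "[DEFAULT]\nkeystone_ec2_url = http://10.224.9.10:5000/v2.0/ec2tokens\n"
SAMPLE_LOG = (  # constructed; second line uses an obviously fake request id
    "2017-02-06 08:46:06.839 151201 WARNING keystone.common.wsgi "
    "[req-fb1c3e3e-5c35-4534-ab2f-70c39a7e5291 - - - - -] Authorization failed. "
    "Non-default domain is not supported (Disable debug mode to suppress these details.) "
    "from 10.224.9.14\n"
    "2017-02-06 08:46:07.102 151201 INFO keystone.common.wsgi "
    "[req-00000000-0000-0000-0000-000000000000 - - - - -] POST /v2.0/ec2tokens\n")


def ec2_url_api_version(nova_conf_text: str) -> Optional[str]:
    """Identity API version ('v2.0' or 'v3') named by [DEFAULT] keystone_ec2_url, else None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(nova_conf_text)
    url = cp.defaults().get("keystone_ec2_url")
    parts = [p for p in urlparse(url or "").path.split("/") if p]
    return parts[0] if parts and parts[0] in ("v2.0", "v3") else None


def find_domain_rejections(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Parsed keystone log records whose message carries the non-default-domain rejection."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and REJECTION in m.group("msg"):
            hits.append({k: m.group(k) for k in ("ts", "reqid", "src")})
    return hits


def diagnose(nova_conf_text: str, log_text: str) -> List[str]:
    """Tie the rejections to the ec2tokens endpoint version nova is configured to use."""
    version, hits = ec2_url_api_version(nova_conf_text), find_domain_rejections(log_text)
    if version is None:
        return ["keystone_ec2_url is unset or names no recognisable Identity API version"]
    if version == "v2.0" and hits:
        return [f"{len(hits)} EC2 token request(s) rejected (first {hits[0]['reqid']} from "
                f"{hits[0]['src']}): the v2.0 ec2tokens endpoint only resolves default-domain users"]
    return []
```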
This bugzilla has been removed from the release and needs to be reviewed and Triaged for another Target Release.
Still no luck. I followed steps as LDAP admin since you mentioned project admin was having problems... Here's the RC file I created to match what was provided:

```
export OS_USERNAME=ssccldresa
export OS_PROJECT_NAME=
export OS_AUTH_URL=https://aquarius.ssc.lmco.com:13000/v3
export OS_PASSWORD=********
export OS_IDENTITY_API_VERSION=3
export OS_DOMAIN_NAME=AD
export OS_USER_DOMAIN_NAME=AD
export OS_PROJECT_DOMAIN_NAME=AD
export PS1='[ocd05rc_AD_Admin - \u@\h \W]$ '
export OS_REGION_NAME=regionOne
export OS_AUTH_TYPE=
```

Here are similar requests, and the failed outcome (with v3 and v2.0 URIs defined in nova.conf). I attempted to scope the creds to a USER and to a PROJECT, but neither worked as you demonstrated. It did, however, work using domain NAMES rather than IDs:

```
[ocd05rc_AD_Admin - stack@ospd05 ~]$ openstack domain list
+----------------------------------+------------+---------+----------------------------------------------------------------------+
| ID                               | Name       | Enabled | Description                                                          |
+----------------------------------+------------+---------+----------------------------------------------------------------------+
| 1bcb88d84628456a9b1fd31c268f1089 | heat_stack | True    |                                                                      |
| c66d9f14c53c41128bfce37d1f2711e1 | AD         | True    |                                                                      |
| default                          | Default    | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
+----------------------------------+------------+---------+----------------------------------------------------------------------+

[ocd05rc_AD_Admin - stack@ospd05 ~]$ openstack user list --domain c66d9f14c53c41128bfce37d1f2711e1 | grep 'e307033'
| 1b52728e1719a87d84b4d3f84ec77e20204c347d371dcc5a2f2298bd009fd4e0 | e307033 |

[ocd05rc_AD_Admin - stack@ospd05 ~]$ openstack project list | grep ocd05-AD-Test
| 55ddfc1c92104b64ac6b59585f0cc648 | ocd05-AD-Test |

[ocd05rc_AD_Admin - stack@ospd05 ~]$ openstack ec2 credentials create --project ocd05-AD-Test --project-domain c66d9f14c5ce37d1f2711e1 --user-domain c66d9f14c53c41128bfce37d1f2711e1 --user 1b52728e1719a87d84b4d3f84ec77e20204c347d371dcc5a2f2298bd009fd4e0
No user with a name or ID of '1b52728e1719a87d84b4d3f84ec77e20204c347d371dcc5a2f2298bd009fd4e0' exists.

[ocd05rc_AD_Admin - stack@ospd05 ~]$ openstack ec2 credentials create --project ocd05-AD-Test --project-domain c66d9f14c5ce37d1f2711e1
No domain with a name or ID of 'c66d9f14c5ce37d1f2711e1' exists.

[ocd05rc_AD_Admin - stack@ospd05 ~]$ openstack ec2 credentials create --project ocd05-AD-Test --project-domain AD
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                           |
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| access     | a050fc339a514bd8ab6c77928c740ad2                                                                                                                                                |
| links      | {u'self': u'https://aquarius.ssc.lmco.com:13000/v3/users/302475c5533cc99006a13dbf14880a1e367eeeb9ac3724133f8acc32c04b0126/credentials/OS-EC2/a050fc339a514bd8ab6c77928c740ad2'} |
| project_id | 55ddfc1c92104b64ac6b59585f0cc648                                                                                                                                                |
| secret     | ee96097e63e34d20b7bce710904d529c                                                                                                                                                |
| trust_id   | None                                                                                                                                                                            |
| user_id    | 302475c5533cc99006a13dbf14880a1e367eeeb9ac3724133f8acc32c04b0126                                                                                                                |
+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

[ocd05rc_v3 - cloud-user@autoglance-ans-fpo7q7yucqnq ~]$ aws --endpoint-url https://aquarius.ssc.lmco.com:13773/services/Cloud/ ec2 describe-instances
An error occurred (AuthFailure) when calling the DescribeInstances operation: Failure parsing response from keystone: 'access'

[ocd05rc_v3 - cloud-user@autoglance-ans-fpo7q7yucqnq ~]$ aws --endpoint-url https://aquarius.ssc.lmco.com:13773/services/Cloud/ ec2 describe-instances
An error occurred (AuthFailure) when calling the DescribeInstances operation: Unauthorized
```

Uploading associated keystone logs.