Bug 892327 - Unable to authenticate to any projects if user has not been assigned to a role
Unable to authenticate to any projects if user has not been assigned to a role
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone (Show other bugs)
2.0 (Folsom)
Unspecified Unspecified
unspecified Severity unspecified
: snapshot1
: 3.0
Assigned To: Adam Young
Pavel Sedlák
: FutureFeature, Triaged
Depends On:
  Show dependency treegraph
Reported: 2013-01-06 12:35 EST by Perry Myers
Modified: 2016-04-26 14:25 EDT (History)
8 users (show)

See Also:
Fixed In Version: openstack-keystone-2013.1.1-1.el6ost
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-05-29 11:03:30 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Perry Myers 2013-01-06 12:35:27 EST
Description of problem:
Not sure if this is an issue in Horizon auth or somewhere else, so assigning to distribution component for now for further analysis

If you create a new user in keystone as follows:
keystone tenant-create --name test --description test
(test's id is c3c3ae2f33144345a3e0140240c8b943)
keystone user-create --name user --tenant-id c3c3ae2f33144345a3e0140240c8b943 --pass password

Note that I did not assign a role to the user when I created it, but since assigning a role in keystone doesn't appear to be mandatory there is no error message given here

But later if you try to log into Horizon using that user, it will not let you and will display the error message: "Unable to authenticate to any available projects."

Which doesn't really point you clearly at the fact that you're missing a valid role on the project.

So why not either: make assignment of a role mandatory when creating a user in a tenant?  Or at least make the error message easier for the user to understand that the reason they can't log in is that the user does not have a valid role on the project.
Comment 1 Dmitri Pal 2013-01-06 12:46:42 EST
Alternative might be to create a default role and project so that when the user is created without affiliation with project and role keystone would assign them to the user internally. Another alternative is to derive project and role from the identity of the user who runs the command so that if and admin of project A creates a user this user is immediately confined to project A and would be created as another admin. Anyways there are different ways to skin the cat and the best solution depends on which is the 80/20 use case. I do not know keystone well enough to advise.
Comment 2 Alan Pevec 2013-01-10 14:10:46 EST
Moving to keystone and assigning to Adam to explain keystone concepts.
Comment 4 Adam Young 2013-05-14 12:21:39 EDT
There is no "user is a member of a project" direct relationship in the Grizzly release.  Instead, the user/project relationship[ is defined solely through roles.  To aid in migration, we created a role for membership.

Comment 7 Pavel Sedlák 2013-05-22 08:15:18 EDT
Verified with 
* openstack-dashboard-2013.1.1-1.el6ost
* openstack-keystone-2013.1.1-1.el6ost
* python-keystoneclient-1:0.2.3-1.el6ost

Followed steps from description.

1) Create tenant/project
> # keystone tenant-create --name test --description test
> +-------------+----------------------------------+
> |   Property  |              Value               |   
> +-------------+----------------------------------+
> | description |               test               |   
> |   enabled   |               True               |   
> |      id     | 2d2377327d5d4d70ad36bde6d055ee83 |
> |     name    |               test               |   
> +-------------+----------------------------------+

2) Create user and 'put' him into tenant created in previous step
> # keystone user-create --name user --tenant-id 2d2377327d5d4d70ad36bde6d055ee83 --pass password
> +----------+----------------------------------+
> | Property |              Value               |   
> +----------+----------------------------------+
> |  email   |                                  |   
> | enabled  |               True               |   
> |    id    | ccdfedbb1ed04e628e5336a517817755 |
> |   name   |               user               |   
> | tenantId | 2d2377327d5d4d70ad36bde6d055ee83 |
> +----------+----------------------------------+

3) Additionally check that he has the new 'user-tenant-relationship' role
> # keystone user-role-list --user-id ccdfedbb1ed04e628e5336a517817755 --tenant-id 2d2377327d5d4d70ad36bde6d055ee83
> +----------------------------------+----------+----------------------------------+----------------------------------+
> |                id                |   name   |             user_id              |            tenant_id             |   
> +----------------------------------+----------+----------------------------------+----------------------------------+
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | ccdfedbb1ed04e628e5336a517817755 | 2d2377327d5d4d70ad36bde6d055ee83 |
> +----------------------------------+----------+----------------------------------+----------------------------------+

4) Login to horizon/dashboard with 'user':'password' works and 'test' project overview is displayed.
Comment 9 errata-xmlrpc 2013-05-29 11:03:30 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.