Description of problem:
Not sure if this is an issue in Horizon auth or somewhere else, so assigning to distribution component for now for further analysis.

If you create a new user in keystone as follows:

keystone tenant-create --name test --description test
(test's id is c3c3ae2f33144345a3e0140240c8b943)
keystone user-create --name user --tenant-id c3c3ae2f33144345a3e0140240c8b943 --pass password

Note that I did not assign a role to the user when I created it, but since assigning a role in keystone doesn't appear to be mandatory, there is no error message given here.

But later, if you try to log into Horizon using that user, it will not let you and will display the error message: "Unable to authenticate to any available projects." This doesn't really point you clearly at the fact that you're missing a valid role on the project.

So why not either make assignment of a role mandatory when creating a user in a tenant, or at least make the error message easier for the user to understand that the reason they can't log in is that the user does not have a valid role on the project?
An alternative might be to create a default role and project so that when the user is created without affiliation with a project and role, keystone would assign them to the user internally. Another alternative is to derive the project and role from the identity of the user who runs the command, so that if an admin of project A creates a user, this user is immediately confined to project A and would be created as another admin. Anyways, there are different ways to skin the cat and the best solution depends on which is the 80/20 use case. I do not know keystone well enough to advise.
Moving to keystone and assigning to Adam to explain keystone concepts.
There is no "user is a member of a project" direct relationship in the Grizzly release. Instead, the user/project relationship is defined solely through roles. To aid in migration, we created a role for membership.
https://github.com/openstack/keystone/blob/stable/grizzly/keystone/common/sql/migrate_repo/versions/017_membership_role.py#L37
Verified with
* openstack-dashboard-2013.1.1-1.el6ost
* openstack-keystone-2013.1.1-1.el6ost
* python-keystoneclient-1:0.2.3-1.el6ost

Followed steps from description.

1) Create tenant/project
> # keystone tenant-create --name test --description test
> +-------------+----------------------------------+
> | Property    | Value                            |
> +-------------+----------------------------------+
> | description | test                             |
> | enabled     | True                             |
> | id          | 2d2377327d5d4d70ad36bde6d055ee83 |
> | name        | test                             |
> +-------------+----------------------------------+

2) Create user and 'put' him into tenant created in previous step
> # keystone user-create --name user --tenant-id 2d2377327d5d4d70ad36bde6d055ee83 --pass password
> +----------+----------------------------------+
> | Property | Value                            |
> +----------+----------------------------------+
> | email    |                                  |
> | enabled  | True                             |
> | id       | ccdfedbb1ed04e628e5336a517817755 |
> | name     | user                             |
> | tenantId | 2d2377327d5d4d70ad36bde6d055ee83 |
> +----------+----------------------------------+

3) Additionally check that he has the new 'user-tenant-relationship' role
> # keystone user-role-list --user-id ccdfedbb1ed04e628e5336a517817755 --tenant-id 2d2377327d5d4d70ad36bde6d055ee83
> +----------------------------------+----------+----------------------------------+----------------------------------+
> | id                               | name     | user_id                          | tenant_id                        |
> +----------------------------------+----------+----------------------------------+----------------------------------+
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | ccdfedbb1ed04e628e5336a517817755 | 2d2377327d5d4d70ad36bde6d055ee83 |
> +----------------------------------+----------+----------------------------------+----------------------------------+

4) Login to horizon/dashboard with 'user':'password' works and 'test' project overview is displayed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0878.html