Bug 905541 - Keystone user-role-list displays no output, but role <-> user relationship exists?
Keystone user-role-list displays no output, but role <-> user relationship ex...
Status: CLOSED WONTFIX
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-keystoneclient (Show other bugs)
2.1
Unspecified Unspecified
low Severity low
: ---
: 5.0 (RHEL 7)
Assigned To: Jamie Lennox
Ami Jeain
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-01-29 10:56 EST by Stephen Gordon
Modified: 2016-04-26 10:14 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-05-27 16:52:06 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Stephen Gordon 2013-01-29 10:56:44 EST
Description of problem:

I'm working on the Quantum section of the GSG and was playing around with adding the required user, tenant, and role relationships. When I was done I issued user-role-list on the user but received no output. Trying to perform the user-role-add again however indicates the relationship does exist.

Is this expected behaviour?

[root@unused-10-15-24-117 ~(keystone_admin)]$ keystone role-list
+----------------------------------+--------+
|                id                |  name  |
+----------------------------------+--------+
| 6e21529587304dd3837169beb6d0cab5 | admin  |
| ebcaaa525caf4f6b8a599e741b160a10 | Member |
+----------------------------------+--------+
[root@unused-10-15-24-117 ~(keystone_admin)]$ keystone tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| 7c3aac23c2e049ba98f80366ffba6950 | services |   True  |
| 895b61e3b1524bf8bb8cc4850bffbe34 |  admin   |   True  |
| c0aa38874506466383335f3ad01bc699 | quantum  |   True  |
+----------------------------------+----------+---------+
[root@unused-10-15-24-117 ~(keystone_admin)]$ keystone user-list
+----------------------------------+---------+---------+---------------------+
|                id                |   name  | enabled |        email        |
+----------------------------------+---------+---------+---------------------+
| 02425a0a159047c684765479e24361f4 | quantum |   True  | quantum@example.com |
| 09d912ba74f64696a3ff87474071eb24 |  glance |   True  |   glance@localhost  |
| 530a5e2c45a34aa1a23b581775618785 |  admin  |   True  |    test@test.com    |
| 85f03cd684e2426fb697803c37552588 |   nova  |   True  |    nova@localhost   |
| e86a3049add44860ab51f6912e7086ad |  cinder |   True  |   cinder@localhost  |
+----------------------------------+---------+---------+---------------------+
[root@unused-10-15-24-117 ~(keystone_admin)]$ keystone user-role-add --user-id 02425a0a159047c684765479e24361f4 --role-id 6e21529587304dd3837169beb6d0cab5 --tenant-id c0aa38874506466383335f3ad01bc699
[root@unused-10-15-24-117 ~(keystone_admin)]$ keystone user-role-list --user-id 02425a0a159047c684765479e24361f4
[root@unused-10-15-24-117 ~(keystone_admin)]$ keystone user-role-add --user-id 02425a0a159047c684765479e24361f4 --role-id 6e21529587304dd3837169beb6d0cab5 --tenant-id c0aa38874506466383335f3ad01bc699
Conflict occurred attempting to store role grant. User 02425a0a159047c684765479e24361f4 already has role 6e21529587304dd3837169beb6d0cab5 in tenant c0aa38874506466383335f3ad01bc699 (HTTP 409)
[root@unused-10-15-24-117 ~(keystone_admin)]$

Version-Release number of selected component (if applicable):

openstack-keystone-2012.2.1-1.el6ost.noarch
Comment 1 jliberma@redhat.com 2013-03-27 17:48:28 EDT
Adding to this:

No output for user-role-list for non-admin. The admin role is reporting, the new role is not. The relationship exists in the database as shown below.

[root@rhos0 ~(keystone_admin)]$ keystone user-role-add --user-id e9e8c70f188d43378d824f09bfae7c39 --role-id 1a9ea350fba14ca8b696bf383e6cc48e --tenant-id 8e117168d3e043b4aa03fef189a28592

[root@rhos0 ~(keystone_admin)]$ keystone user-role-list --user-id e9e8c70f188d43378d824f09bfae7c39

[root@rhos0 ~(keystone_admin)]$ keystone user-role-list --tenant-id 8e117168d3e043b4aa03fef189a28592

[root@rhos0 ~(keystone_admin)]$ keystone user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
|                id                |  name |             user_id              |            tenant_id             |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 5a01d44469f6405a96b3bb237269996f | admin | ea56ef0dac0148009fa534e64d9f2f12 | b827f29c4e884c10bdcc89db4e919751 |
+----------------------------------+-------+----------------------------------+----------------------------------+

mysql> select id from user where name='refarch_user';
+----------------------------------+
| id                               |
+----------------------------------+
| e9e8c70f188d43378d824f09bfae7c39 |
+----------------------------------+
1 row in set (0.00 sec)

mysql> select * from metadata where user_id='e9e8c70f188d43378d824f09bfae7c39';
+----------------------------------+----------------------------------+-------------------------------------------------+
| user_id                          | tenant_id                        | data                                            |
+----------------------------------+----------------------------------+-------------------------------------------------+
| e9e8c70f188d43378d824f09bfae7c39 | 8e117168d3e043b4aa03fef189a28592 | {"roles": ["1a9ea350fba14ca8b696bf383e6cc48e"]} |
+----------------------------------+----------------------------------+-------------------------------------------------+
1 row in set (0.00 sec)

mysql> select * from role where id='1a9ea350fba14ca8b696bf383e6cc48e';
+----------------------------------+-------------------+
| id                               | name              |
+----------------------------------+-------------------+
| 1a9ea350fba14ca8b696bf383e6cc48e | refarch_user_role |
+----------------------------------+-------------------+
1 row in set (0.00 sec)

mysql> quit
Bye
Comment 2 Lon Hohberger 2013-04-18 16:13:02 EDT
[root@localhost ~(keystone_admin)]# keystone user-role-add --user-id=lon --tenant-id=lon --role-id=admin
[root@localhost ~(keystone_admin)]# echo $?
0
[root@localhost ~(keystone_admin)]# keystone user-role-add --user-id=lon --tenant-id=lon --role-id=admin
Unable to communicate with identity service: {"error": {"message": "Conflict occurred attempting to store role grant. User 380b92f1e0c54831896a844adf4c11b7 already has role 489083e939f24d0cb8ea95a785565234 in tenant 7085972c809d4fd597617b65051cc3b4", "code": 409, "title": "Conflict"}}. (HTTP 409)
[root@localhost ~(keystone_admin)]# echo $?
1
[root@localhost ~(keystone_admin)]# keystone user-role-list --user-id=lon --tenant-id=lon 
+----------------------------------+-------+----------------------------------+----------------------------------+
|                id                |  name |             user_id              |            tenant_id             |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 489083e939f24d0cb8ea95a785565234 | admin | 380b92f1e0c54831896a844adf4c11b7 | 7085972c809d4fd597617b65051cc3b4 |
+----------------------------------+-------+----------------------------------+----------------------------------+

Now if you try to add a user role without a tenant ID:

[root@localhost ~(keystone_admin)]# keystone user-role-add --role-id=admin --user-id=lon
Unable to communicate with identity service: {"error": {"message": "User roles not supported: tenant_id required", "code": 501, "title": "Not Implemented"}}. (HTTP 501)
[root@localhost ~(keystone_admin)]# keystone user-role-add --role-id=admin --tenant-id=lon
usage: keystone user-role-add --user <user> --role <role> [--tenant <tenant>]
keystone user-role-add: error: argument --user/--user-id/--user_id is required

The reason it works for admin when you don't specify everything is because keystone looks at your environment variables.

Confusing behavior, for sure.
Comment 5 Jamie Lennox 2014-05-27 16:52:06 EDT
We are recommending everyone switch to openstack client for working with keystone. We are already rejecting enhancements to the CLI upstram.

Note You need to log in before you can comment on or make changes to this bug.