Description of problem:
I'm working on the Quantum section of the GSG and was playing around with adding the required user, tenant, and role relationships. When I was done I issued user-role-list on the user but received no output. Trying to perform the user-role-add again however indicates the relationship does exist. Is this expected behaviour?

[root@unused-10-15-24-117 ~(keystone_admin)]$ keystone role-list
+----------------------------------+--------+
|                id                |  name  |
+----------------------------------+--------+
| 6e21529587304dd3837169beb6d0cab5 | admin  |
| ebcaaa525caf4f6b8a599e741b160a10 | Member |
+----------------------------------+--------+
[root@unused-10-15-24-117 ~(keystone_admin)]$ keystone tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| 7c3aac23c2e049ba98f80366ffba6950 | services |   True  |
| 895b61e3b1524bf8bb8cc4850bffbe34 |  admin   |   True  |
| c0aa38874506466383335f3ad01bc699 | quantum  |   True  |
+----------------------------------+----------+---------+
[root@unused-10-15-24-117 ~(keystone_admin)]$ keystone user-list
+----------------------------------+---------+---------+---------------------+
|                id                |   name  | enabled |        email        |
+----------------------------------+---------+---------+---------------------+
| 02425a0a159047c684765479e24361f4 | quantum |   True  |       quantum       |
| 09d912ba74f64696a3ff87474071eb24 |  glance |   True  |   glance@localhost  |
| 530a5e2c45a34aa1a23b581775618785 |  admin  |   True  |         test        |
| 85f03cd684e2426fb697803c37552588 |   nova  |   True  |    nova@localhost   |
| e86a3049add44860ab51f6912e7086ad |  cinder |   True  |   cinder@localhost  |
+----------------------------------+---------+---------+---------------------+
[root@unused-10-15-24-117 ~(keystone_admin)]$ keystone user-role-add --user-id 02425a0a159047c684765479e24361f4 --role-id 6e21529587304dd3837169beb6d0cab5 --tenant-id c0aa38874506466383335f3ad01bc699
[root@unused-10-15-24-117 ~(keystone_admin)]$ keystone user-role-list --user-id 02425a0a159047c684765479e24361f4
[root@unused-10-15-24-117 ~(keystone_admin)]$ keystone user-role-add --user-id 02425a0a159047c684765479e24361f4 --role-id 6e21529587304dd3837169beb6d0cab5 --tenant-id c0aa38874506466383335f3ad01bc699
Conflict occurred attempting to store role grant. User 02425a0a159047c684765479e24361f4 already has role 6e21529587304dd3837169beb6d0cab5 in tenant c0aa38874506466383335f3ad01bc699 (HTTP 409)
[root@unused-10-15-24-117 ~(keystone_admin)]$

Version-Release number of selected component (if applicable):
openstack-keystone-2012.2.1-1.el6ost.noarch
Adding to this: No output for user-role-list for non-admin. The admin role is reporting, the new role is not. The relationship exists in the database as shown below.

[root@rhos0 ~(keystone_admin)]$ keystone user-role-add --user-id e9e8c70f188d43378d824f09bfae7c39 --role-id 1a9ea350fba14ca8b696bf383e6cc48e --tenant-id 8e117168d3e043b4aa03fef189a28592
[root@rhos0 ~(keystone_admin)]$ keystone user-role-list --user-id e9e8c70f188d43378d824f09bfae7c39
[root@rhos0 ~(keystone_admin)]$ keystone user-role-list --tenant-id 8e117168d3e043b4aa03fef189a28592
[root@rhos0 ~(keystone_admin)]$ keystone user-role-list
+----------------------------------+-------+----------------------------------+----------------------------------+
|                id                |  name |             user_id              |            tenant_id             |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 5a01d44469f6405a96b3bb237269996f | admin | ea56ef0dac0148009fa534e64d9f2f12 | b827f29c4e884c10bdcc89db4e919751 |
+----------------------------------+-------+----------------------------------+----------------------------------+

mysql> select id from user where name='refarch_user';
+----------------------------------+
| id                               |
+----------------------------------+
| e9e8c70f188d43378d824f09bfae7c39 |
+----------------------------------+
1 row in set (0.00 sec)

mysql> select * from metadata where user_id='e9e8c70f188d43378d824f09bfae7c39';
+----------------------------------+----------------------------------+-------------------------------------------------+
| user_id                          | tenant_id                        | data                                            |
+----------------------------------+----------------------------------+-------------------------------------------------+
| e9e8c70f188d43378d824f09bfae7c39 | 8e117168d3e043b4aa03fef189a28592 | {"roles": ["1a9ea350fba14ca8b696bf383e6cc48e"]} |
+----------------------------------+----------------------------------+-------------------------------------------------+
1 row in set (0.00 sec)

mysql> select * from role where id='1a9ea350fba14ca8b696bf383e6cc48e';
+----------------------------------+-------------------+
| id                               | name              |
+----------------------------------+-------------------+
| 1a9ea350fba14ca8b696bf383e6cc48e | refarch_user_role |
+----------------------------------+-------------------+
1 row in set (0.00 sec)

mysql> quit
Bye
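Added example, not from the report or from keystone itself: a small audit helper that rebuilds the complete role-grant listing from the user, role and metadata tables shown in the comment above, expanding the JSON role list stored in metadata.data, so every tenant's grants are visible unless a filter is asked for. The in-memory SQLite copy of the tables and the admin user's name are constructed for the example; the IDs are the ones from the dump.

```python
import json
import sqlite3

# Constructed in-memory copy of the keystone tables shown in the comment above
# (user, role, metadata): IDs are those from the page, the admin user's name is
# assumed, and metadata.data carries the JSON role list exactly as in the dump.
SCHEMA = """
CREATE TABLE user (id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE role (id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE metadata (user_id TEXT, tenant_id TEXT, data TEXT);
"""


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user VALUES (?, ?)", [
        ("e9e8c70f188d43378d824f09bfae7c39", "refarch_user"),
        ("ea56ef0dac0148009fa534e64d9f2f12", "admin"),
    ])
    conn.executemany("INSERT INTO role VALUES (?, ?)", [
        ("1a9ea350fba14ca8b696bf383e6cc48e", "refarch_user_role"),
        ("5a01d44469f6405a96b3bb237269996f", "admin"),
    ])
    conn.executemany("INSERT INTO metadata VALUES (?, ?, ?)", [
        ("e9e8c70f188d43378d824f09bfae7c39", "8e117168d3e043b4aa03fef189a28592",
         '{"roles": ["1a9ea350fba14ca8b696bf383e6cc48e"]}'),
        ("ea56ef0dac0148009fa534e64d9f2f12", "b827f29c4e884c10bdcc89db4e919751",
         '{"roles": ["5a01d44469f6405a96b3bb237269996f"]}'),
    ])
    return conn


def list_grants(conn, user_id=None, tenant_id=None):
    """Return sorted (user_name, role_name, tenant_id) tuples for every grant.
    Only explicit filters narrow the result: with none, every tenant is covered,
    so the listing never depends on the caller's own environment."""
    active = {k: v for k, v in {"user_id": user_id, "tenant_id": tenant_id}.items() if v}
    sql = "SELECT user_id, tenant_id, data FROM metadata"
    if active:
        sql += " WHERE " + " AND ".join(f"{k} = ?" for k in active)
    users = dict(conn.execute("SELECT id, name FROM user"))
    roles = dict(conn.execute("SELECT id, name FROM role"))
    grants = []
    for uid, tid, data in conn.execute(sql, list(active.values())):
        for rid in json.loads(data).get("roles", []):
            # An ID with no matching row is reported raw rather than dropped.
            grants.append((users.get(uid, uid), roles.get(rid, rid), tid))
    return sorted(grants)
```

Against a real deployment the same two queries can be run over a read-only copy of the keystone database to reconcile what the CLI shows with what is actually granted.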
[root@localhost ~(keystone_admin)]# keystone user-role-add --user-id=lon --tenant-id=lon --role-id=admin
[root@localhost ~(keystone_admin)]# echo $?
0
[root@localhost ~(keystone_admin)]# keystone user-role-add --user-id=lon --tenant-id=lon --role-id=admin
Unable to communicate with identity service: {"error": {"message": "Conflict occurred attempting to store role grant. User 380b92f1e0c54831896a844adf4c11b7 already has role 489083e939f24d0cb8ea95a785565234 in tenant 7085972c809d4fd597617b65051cc3b4", "code": 409, "title": "Conflict"}}. (HTTP 409)
[root@localhost ~(keystone_admin)]# echo $?
1
[root@localhost ~(keystone_admin)]# keystone user-role-list --user-id=lon --tenant-id=lon
+----------------------------------+-------+----------------------------------+----------------------------------+
|                id                |  name |             user_id              |            tenant_id             |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 489083e939f24d0cb8ea95a785565234 | admin | 380b92f1e0c54831896a844adf4c11b7 | 7085972c809d4fd597617b65051cc3b4 |
+----------------------------------+-------+----------------------------------+----------------------------------+

Now if you try to add a user role without a tenant ID:

[root@localhost ~(keystone_admin)]# keystone user-role-add --role-id=admin --user-id=lon
Unable to communicate with identity service: {"error": {"message": "User roles not supported: tenant_id required", "code": 501, "title": "Not Implemented"}}. (HTTP 501)
[root@localhost ~(keystone_admin)]# keystone user-role-add --role-id=admin --tenant-id=lon
usage: keystone user-role-add --user <user> --role <role> [--tenant <tenant>]
keystone user-role-add: error: argument --user/--user-id/--user_id is required

The reason it works for admin when you don't specify everything is because keystone looks at your environment variables. Confusing behavior, for sure.
We are recommending everyone switch to openstack client for working with keystone. We are already rejecting enhancements to the CLI upstream.