Created attachment 773712: logs

Description of problem:

I created a new project as user admin and tried to add user admin as admin and a member of the project, and the following happens:

1. If I add both admin and member authentications, the first try will only modify the member permission.
2. We get authentication errors on adding the admin permissions and yet we succeed in adding the permissions.
3. In Horizon, we fail to query the project list with authentication errors and have to log out and back in to see it again.

Version-Release number of selected component (if applicable):

python-django-horizon-2013.1.2-1.el6ost.noarch

How reproducible:

100%

Steps to Reproduce:

1. Log in as user admin and create a new project.
2. Try to add user admin as both admin and user for the project.
3.

Actual results:

1. If I add both admin and member authentications, the first try will only modify the member permission.
2. We get authentication errors on adding the admin permissions and yet we succeed in adding the permissions.
3. In Horizon, we fail to query the project list with authentication errors and have to log out and back in to see it again.

Expected results:

We should succeed with no errors.

Additional info: logs

ESC[31;1mUnauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)ESC[0m
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/admin/projects/views.py", line 74, in get_data
    tenants = api.keystone.tenant_list(self.request, admin=True)
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/api/keystone.py", line 150, in tenant_list
    return keystoneclient(request, admin=admin).tenants.list()
  File "/usr/lib/python2.6/site-packages/keystoneclient/v2_0/tenants.py", line 116, in list
    tenant_list = self._list("/tenants%s" % query, "tenants")
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 67, in _list
    resp, body = self.api.get(url)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 408, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 404, in _cs_request
    **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 366, in request
    raise exceptions.from_response(resp, resp.text)
Unauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)

ESC[31;1mUnauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)ESC[0m
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/admin/projects/views.py", line 74, in get_data
    tenants = api.keystone.tenant_list(self.request, admin=True)
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/api/keystone.py", line 150, in tenant_list
    return keystoneclient(request, admin=admin).tenants.list()
  File "/usr/lib/python2.6/site-packages/keystoneclient/v2_0/tenants.py", line 116, in list
    tenant_list = self._list("/tenants%s" % query, "tenants")
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 67, in _list
    resp, body = self.api.get(url)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 408, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 404, in _cs_request
    **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 366, in request
    raise exceptions.from_response(resp, resp.text)
Unauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)

This is due to a Keystone bug, where the tokens were being too eagerly invalidated. This is fixed in Havana. A backport to Grizzly is currently in review.

Verified

NVR: python-django-horizon-2013.2-3.el6ost.noarch

Followed the steps to reproduce in Comment #0

Result:
=======
1. The user now acts as a tenant admin
2. There were no errors while setting both member and admin permissions to the user named 'admin'
3. Can see the projects list with no errors
4. There were no errors in httpd logs.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2013-1859.html