Keystone – error message is not correct/clear in case when no “rule” is associated to user

Bug #1803882 reported by Arkady Shtempler
Affects: OpenStack Identity (keystone)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Keystone – error message is not correct/clear in case when no “rule” is associated to user

Scenario:
1) Source as admin user
. overcloudrc
2) Create a new project
openstack project create --description 'my new project' new-project --domain default
3) Create user for previously created project
openstack user create --project new-project --password PASSWORD new-user
4) Copy overcloudrc content to userrc file and change
cp overcloudrc userrc
5) Change relevant for new-user values:
export OS_USERNAME=new-user
export OS_PASSWORD=PASSWORD
export OS_PROJECT_NAME=new-project
6) Save modified file and source now with this file
source userrc
7) Execute some openstack command for example:
openstack network list

Actual Result:
In the CLI output, the error shown to the user is:
The request you have made requires authentication. (HTTP 401) (Request-ID: req-373d8b48-15b7-4036-83d1-c82453584f15)

In keystone log:
/var/log/containers/keystone/keystone.log (5739, 5739)
2018-11-18 15:09:15.902 35 WARNING keystone.common.wsgi [req-373d8b48-15b7-4036-83d1-c82453584f15 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.100.27: Unauthorized: The request you have made requires authentication.

Expected Result:
The real reason, that no rule is associated with ‘new-user’ (or something like that), should be logged and shown to the user.
The actual message we have is not relevant and not clear.

Keystone logs attached.

Arkady Shtempler (ashtempl) wrote :
Brian Haley (brian-haley) wrote :

This looks like a Keystone issue and not neutron, even though the example command was against the neutron API.

affects: neutron → keystone
Colleen Murphy (krinkle) wrote :

Using the --project flag with the openstack client sets the default_project_id attribute of a user which was only used for the keystone v2 API. With the v3 API (the only supported version) it's now necessary to explicitly create the role assignment with

$ openstack role add --user new-user --project new-project member

Changed in keystone:
status: New → Invalid
Arkady Shtempler (ashtempl) wrote :

@Colleen Murphy
You can see from the attached keystone.log file that the API version is V3.
For example:
2018-11-18 15:09:15.388 35 INFO keystone.common.wsgi [req-373d8b48-15b7-4036-83d1-c82453584f15 - - - - -] POST http://10.9.92.25:5000/v3/auth/tokens
2018-11-18 15:09:15.902 35 WARNING keystone.common.wsgi [req-373d8b48-15b7-4036-83d1-c82453584f15 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.100.27: Unauthorized: The request you have made requires authentication.

May I ask how you came to the conclusion that the actual API version on the reported setup is V2?

Colleen Murphy (krinkle) wrote :

I'm not saying that you are using the V2 API, just that the default_project_id property is a vestige from V2 and has no meaning now in V3. Precisely because you are using V3 is why you need to create the explicit role assignment.
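
Added example, not part of the bug thread and not keystone's own code: a small Python triage script that groups keystone.log lines by request ID and reports token requests (POST /v3/auth/tokens) that were rejected with the generic 401, which places the rejection at keystone's token endpoint. The log layout is assumed from the two lines quoted in the thread; the third sample line and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the two keystone.log lines quoted in the thread, plus one
# constructed request (last line) that has no failure, for contrast.
SAMPLE_LOG = """\
2018-11-18 15:09:15.388 35 INFO keystone.common.wsgi [req-373d8b48-15b7-4036-83d1-c82453584f15 - - - - -] POST http://10.9.92.25:5000/v3/auth/tokens
2018-11-18 15:09:15.902 35 WARNING keystone.common.wsgi [req-373d8b48-15b7-4036-83d1-c82453584f15 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.100.27: Unauthorized: The request you have made requires authentication.
2018-11-18 15:10:02.120 35 INFO keystone.common.wsgi [req-00000000-0000-0000-0000-000000000001 - - - - -] POST http://10.9.92.25:5000/v3/auth/tokens
"""

# Assumed layout: "<timestamp> <pid> <LEVEL> <logger> [<request-id> ...] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \d+ (?P<level>[A-Z]+) "
    r"(?P<logger>\S+) \[(?P<req>req-[0-9a-f-]+)[^\]]*\] (?P<msg>.*)$"
)
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) https?://[^/\s]+(?P<path>/\S*)$")
FAILED_RE = re.compile(r"^Authorization failed\. .* from (?P<client>\S+): Unauthorized")


def failed_token_requests(log_text):
    """Return one record per request ID whose POST /v3/auth/tokens was rejected."""
    by_req = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tracebacks or wrapped lines carry no request ID
        rec = by_req[m["req"]]
        req = REQUEST_RE.match(m["msg"])
        fail = FAILED_RE.match(m["msg"])
        if req:
            rec.update(method=req["method"], path=req["path"], started=m["ts"])
        elif fail:
            rec.update(client=fail["client"], failed=m["ts"])
    return [
        {"request_id": rid, **rec}
        for rid, rec in by_req.items()
        if rec.get("method") == "POST"
        and rec.get("path") == "/v3/auth/tokens"
        and "failed" in rec
    ]


if __name__ == "__main__":
    for hit in failed_token_requests(SAMPLE_LOG):
        print(hit)
```

The log line does not name the user, so for an account hitting this error, `openstack role assignment list --user new-user --project new-project` shows whether the role assignment described above exists.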
