Comment 6 for bug 1584143

Max Yatsenko (myatsenko) wrote :

@Alexander Makarov
@Boris Bobrov

after deployment (MOS9.0) when we have enabled "domain_specific_drivers_enabled" param in keystone (for example when ldap_plugin is installed)
we have the following roles:

root@node-1:~# OS_IDENTITY_API_VERSION=3 OS_AUTH_URL='http://192.168.0.2:5000/v3' openstack role list
+----------------------------------+-----------------+
| ID                               | Name            |
+----------------------------------+-----------------+
| 12cfa271d7914014bc237d5d7dbc6d9b | admin           |
| 188829730a474a6fad6e347cac139d50 | heat_stack_user |
| 1bced52d54d24d87a3b29de93345d36a | SwiftOperator   |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_        |
+----------------------------------+-----------------+

we get the same roles when we run "role list" for "Default" domain:

root@node-1:~# OS_IDENTITY_API_VERSION=3 OS_AUTH_URL='http://192.168.0.2:5000/v3' openstack role list --domain Default
+----------------------------------+-----------------+
| ID                               | Name            |
+----------------------------------+-----------------+
| 12cfa271d7914014bc237d5d7dbc6d9b | admin           |
| 188829730a474a6fad6e347cac139d50 | heat_stack_user |
| 1bced52d54d24d87a3b29de93345d36a | SwiftOperator   |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_        |
+----------------------------------+-----------------+

if we want to get roles for "admin" user - we get empty output:

root@node-1:~# OS_IDENTITY_API_VERSION=3 OS_AUTH_URL='http://192.168.0.2:5000/v3' openstack role list --domain Default --user admin

after we add "admin" role for "admin" user:
root@node-1:~# OS_IDENTITY_API_VERSION=3 OS_AUTH_URL='http://192.168.0.2:5000/v3' openstack role add --domain Default --user admin admin

this command: root@node-1:~# OS_IDENTITY_API_VERSION=3 OS_AUTH_URL='http://192.168.0.2:5000/v3' openstack role list --domain Default --user admin

can output something like this:

+----------------------------------+-------+---------+-------+
| ID                               | Name  | Domain  | User  |
+----------------------------------+-------+---------+-------+
| 265a0072848247dfa9e0d10fee1de797 | admin | Default | admin |
+----------------------------------+-------+---------+-------+

and after that we can see "Domains" in Horizon (after apache reboot)

but in MOS8.0 (we don't have such bug) when I run:
# OS_IDENTITY_API_VERSION=3 OS_AUTH_URL='http://192.168.0.6:5000/v3' openstack role list --domain Default --user admin

I get this message:
"Could not find resource admin"

but my expectation was that I should get a message something like that:

+----------------------------------+-------+---------+-------+
| ID                               | Name  | Domain  | User  |
+----------------------------------+-------+---------+-------+
| 265a0072848247dfa9e0d10fee1de797 | admin | Default | admin |
+----------------------------------+-------+---------+-------+

and I have a question: if we don't have such a bug in MOS8.0 - why for "admin" user we don't have any output for the command:
 openstack role list --domain Default --user admin

and how keystone should be configured for MOS9.0?