Ask Your Question
0

Couldn't get network list while using keystone v3 API for authentication

asked 2017-06-05 06:41:10 -0500

kuro gravatar image

updated 2017-06-12 00:48:30 -0500

I have a Mirantis 9 cloud setup (OpenStack Mitaka). I am trying to write a python program which uses python clients to fetch network list. I have followed OpenStack documentation in the following link -

https://docs.openstack.org/developer/python-keystoneclient/using-api-v3.html (https://docs.openstack.org/developer/...)

So my code look like this -

auth = v3.Password(auth_url=url, user_id="user", password="abcdef", project_id="tenant1")

sess = session.Session(auth=auth)

keystone = client.Client(session=sess)

neutron = neutronclient.Client(session=sess)

print(neutron)

print(neutron.list_networks())

But after printing neutron object successfully, it failed with error message -

keystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: ....)

But the documentation does not mention other ways or other parameters needed in Password(). So, what am I missing?

I have seen it works if I pass project_domain_name and user_domain_name in Password(). What confuses me more is why this two params? Including single domain_name doesn't work. But by definition users and the project must belong to one domain. Can user (say U) belongs to project (say P) reside in different domains (say P in domain D1, U in domain D2)?

Thanks for your help.

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted
0

answered 2017-06-12 09:03:08 -0500

updated 2017-06-12 09:22:25 -0500

For keystone v3 you have to set project and user domain_name or domain_id. You can use the domain_id "default".

Or you use v2.

For v3 the default domain is set for everything, that does not have another domain defined. And the cloud admin (superuser) is resident in the default domain too.

My example with keystonev3 ( slightly different approach for the keytoneclient, but almost the same thing )
from keystoneclient.v3 import client
project = "admin"
domain = "default"
user = "admin"
password = 'xxxxxxxxxxxxxxx''
auth_url = 'http://aa.bb.cc.dd:35357/v3'
auth = client.Client(auth_url=auth_url,username=user, password=password,
                        project_name=project, user_domain_id="default",project_domain_id="default")
sess = session.Session(auth=auth)
edit flag offensive delete link more

Comments

Frank, thanks for the answer. Can you tell me why two domain name(or id). What I have seen is we can't create project and user in two non-default different domain provided user is associated with that project.

kuro gravatar imagekuro ( 2017-06-12 11:27:42 -0500 )edit

But this doesn't hold true if for example project belongs to "test" domain while user belongs to "default" domain. Why is this difference in behavior? Also, is the domain name not case sensitive? Because Default also works.

kuro gravatar imagekuro ( 2017-06-12 11:28:58 -0500 )edit

Hi It's default for the domain_id and Default for the domain_name. And it's, like it says, the default domain, if you don't want to use the feature at all. E.g. you can configure your horizon to not ask but imply that all projects are located inside the default domain.

Frank_SU_HH gravatar imageFrank_SU_HH ( 2017-06-13 06:43:29 -0500 )edit

I think, 1 user can only be located inside 1 domain UNIQUE KEY ixu_user_id_domain_id (id,domain_id), -> KEY domain_id (domain_id), Only the admin of the default domain can be superuser of all domains ( as stated inside policy.json for domains ). You can handle diff. but own risk!

Frank_SU_HH gravatar imageFrank_SU_HH ( 2017-06-13 06:48:51 -0500 )edit

Thanks Frank for clearing that up

kuro gravatar imagekuro ( 2017-06-13 08:29:35 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2017-06-05 06:41:10 -0500

Seen: 314 times

Last updated: Jun 12 '17