Ask Your Question
0

Can't create project inside newly created domain

asked 2018-04-16 12:36:09 -0500

Damian Dąbrowski gravatar image

Hello,

I've created second domain named "second" and user "second" which have admin role in new domain.

$ openstack role assignment list --user 2ed4cfaa37be4c48aec75f45d3cf7cdd --project-domain second --names
+-------+---------------+-------+--------------+--------+-----------+
| Role  | User          | Group | Project      | Domain | Inherited |
+-------+---------------+-------+--------------+--------+-----------+
| admin | second@second |       | test1@second |        | False     |
| admin | second@second |       |              | second | False     |
+-------+---------------+-------+--------------+--------+-----------+

I'm using devstack based on Queens release and python-openstackclient(3.15.0)

This is my environment variables:

$ env | grep OS_
OS_PROJECT_DOMAIN_ID=460383fc9c744ab085c5d6a7eb1e998f
OS_REGION_NAME=RegionOne
OS_USER_DOMAIN_ID=460383fc9c744ab085c5d6a7eb1e998f
OS_PROJECT_NAME=test1
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=***
OS_AUTH_TYPE=password
OS_AUTH_URL=http://<my_ip>/identity/v3
OS_USERNAME=second
OS_TENANT_NAME=test1
OS_VOLUME_API_VERSION=2

But inside newly created domain I can't create new project using user 'second'(i can only list projects)

$ openstack project list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 38d524581ac04832adaa2936c64e2fd6 | test1 |
+----------------------------------+-------+

$ openstack project create test2
You are not authorized to perform the requested action: identity:create_project. (HTTP 403) (Request-ID: req-a760065a-1e79-4276-bc04-8d893f737f30)

I'm using this policy rules: https://raw.githubusercontent.com/openstack/keystone/master/etc/policy.v3cloudsample.json (https://raw.githubusercontent.com/ope...)

Could someone help me with this? I would be very grateful. I'm trying to fix this for few days but it doesn't bring any results :/

edit retag flag offensive close merge delete

2 answers

Sort by » oldest newest most voted
1

answered 2018-04-16 17:04:20 -0500

updated 2018-04-16 17:06:10 -0500

You need to set OS_DOMAIN_NAME or OS_DOMAIN_ID if you want to perform tasks in a domain context rather than a user or project context. Clearly, adding a project to a domain falls in this category.

Since you use the same domain for all three contexts, you can simplify this by simply setting OS_DEFAULT_DOMAIN.

See https://docs.openstack.org/python-ope....

edit flag offensive delete link more
0

answered 2018-04-17 04:32:07 -0500

Damian Dąbrowski gravatar image

updated 2018-04-17 04:50:21 -0500

Hi Bernd! Thanks for Your reply, You are always trying to help me, Thank You!

Unfortunately after changing env variables I still have this problem(I can list projects but I can't create new one) :/

I've tried using 2 sets of variables:

export OS_REGION_NAME=RegionOne
export OS_DOMAIN_ID=460383fc9c744ab085c5d6a7eb1e998f
export OS_IDENTITY_API_VERSION=3
export OS_PASSWORD=***
export OS_AUTH_TYPE=password
export OS_AUTH_URL=http://<my_ip>/identity/v3
export OS_USERNAME=second
export OS_VOLUME_API_VERSION=2
export OS_PROJECT_NAME=test1

and

export OS_REGION_NAME=RegionOne
export OS_DEFAULT_DOMAIN=460383fc9c744ab085c5d6a7eb1e998f
export OS_IDENTITY_API_VERSION=3
export OS_PASSWORD=***
export OS_AUTH_TYPE=password
export OS_AUTH_URL=http://<my_ip>/identity/v3
export OS_USERNAME=second
export OS_VOLUME_API_VERSION=2
export OS_PROJECT_NAME=test1
edit flag offensive delete link more

Comments

1

Try removing OS_PROJECT_NAME, or better: Only use the variables in the example at the end of page https://docs.openstack.org/python-ope....

And don't worry, the authentication parameters of the openstack client are black art to me as well.

Bernd Bausch gravatar imageBernd Bausch ( 2018-04-17 06:02:47 -0500 )edit

When setting only:DEFAULT_DOMAIN,PROJECT_NAME,IDENTITY_API_VERSION,OS_AUTH_URL,USERNAME

$ openstack project create test2
You are not authorized to perform the requested action: identity:create_project. (HTTP 403)

$ unset OS_PROJECT_NAME
$ openstack project create test2
The service catalog is empty
Damian Dąbrowski gravatar imageDamian Dąbrowski ( 2018-04-17 06:47:26 -0500 )edit

I will try this out myself in the morning.

Bernd Bausch gravatar imageBernd Bausch ( 2018-04-17 08:48:53 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2018-04-16 12:36:09 -0500

Seen: 153 times

Last updated: Apr 17 '18