Error about "Specifying 'tenant_id' other than authenticated tenant in request requires admin privileges"

asked 2013-02-23 07:08:06 -0600

digitalwonk

I attempted to set up an initial quantum network according to the following link:

http://docs.openstack.org/trunk/openstack-network/admin/content/demo_logical_network_config.html

However, when I execute the quantum command to create a network for a tenant using the following command:

quantum net-create --tenant-id db6ffb835f294f86978888dc65b59b0b net1 --provider:network_type vlan --provider:physical_network physnet1 --provider:segmentation_id 1

I get the following error:

Specifying 'tenant_id' other than authenticated tenant in request requires admin privileges

My question is what user do I use or how do I give it "admin" privileges? I attempted to use the quantum admin user and the nova admin user that were created in the keystone services and endpoints. The quantum admin user and nova admin user are also specified in the api-paste.ini, such as the following:

/etc/quantum/api-paste.ini

[filter:authtoken]
admin_tenant_name = service
admin_user = quantum_user
admin_password = quantum_user_somepass

/etc/nova/api-paste.ini

[filter:authtoken]
admin_tenant_name = service
admin_user = nova_user
admin_password = nova_user_somepass

I have added these users as admin roles in the tenant that is declared with "tenant-id" parameter in the net-create command.

Thank you in advance for any tips.


3 answers

0

answered 2013-02-23 11:48:15 -0600

Hi,

You are running the quantum client as a user other than the tenant you are trying to create a net for. You should either run the quantum client as an admin user (e.g. the user that has the associated admin role in keystone) or use the username/password of the tenant user for which you're creating a network.

If it doesn't solve your question then please provide the output of the keystone tenant-list, keystone user-list and keystone role-list commands.

0

answered 2013-02-23 18:22:37 -0600

digitalwonk

I was able to finally execute the command _after_ I created a role that was named "admin" (the assumed role name from a stock installation), added the quantum_user to that role for the "service" tenant, and finally reverted the /etc/quantum/policy.json to reflect the assumed role name.

My original /etc/quantum/policy.json had:

"admin_or_owner": [["role:adminrl"], ["tenant_id:%(tenant_id)s"]],
"admin_or_network_owner": [["role:adminrl"], ["tenant_id:%(network_tenant_id)s"]],
"admin_only": [["role:adminrl"]],

And the policy.json reversion was (that worked):

"admin_or_owner": [["role:admin"], ["tenant_id:%(tenant_id)s"]],
"admin_or_network_owner": [["role:admin"], ["tenant_id:%(network_tenant_id)s"]],
"admin_only": [["role:admin"]],

Note: the other services (nova, glance, etc) seem to support the renamed role name after modifying the corresponding policy.json. Did I miss changing the admin role somewhere else for quantum? Could this be a bug? While minor, it would still be nice to support role names that are different.

Thank you, Edwin

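Added example (not part of the original posts and not Quantum's own code): a simplified Python model of the list-of-lists rule syntax quoted in the answer above, where the outer list is OR and each inner list is AND. It shows that a cross-tenant request can only pass `admin_or_owner` through the role branch, and lists role names in a policy that the caller does not hold. The function names, the tenant id `service-tenant-id` and the `Member` role are constructed for illustration.

```python
import json

# Constructed sample: the three rules quoted in the answer, with the renamed role.
POLICY_RENAMED = json.loads('''{
  "admin_or_owner": [["role:adminrl"], ["tenant_id:%(tenant_id)s"]],
  "admin_or_network_owner": [["role:adminrl"], ["tenant_id:%(network_tenant_id)s"]],
  "admin_only": [["role:adminrl"]]
}''')
POLICY_STOCK = json.loads(json.dumps(POLICY_RENAMED).replace("adminrl", "admin"))


def check(policy, rule, target, creds):
    """Evaluate one named rule: outer list is OR, each inner list is AND."""
    return any(all(_match(policy, c, target, creds) for c in and_list)
               for and_list in policy[rule])


def _match(policy, check_str, target, creds):
    kind, _, value = check_str.partition(":")
    if kind == "rule":                      # reference to another named rule
        return check(policy, value, target, creds)
    if kind == "role":                      # role names compared case-insensitively
        return value.lower() in (r.lower() for r in creds["roles"])
    try:
        value = value % target              # fills %(tenant_id)s from the request target
    except KeyError:
        return False                        # target lacks the referenced field
    return str(creds.get(kind)) == value


def unsatisfiable_roles(policy, held_roles):
    """Role names the policy references that the caller does not hold."""
    held = {r.lower() for r in held_roles}
    named = {c.split(":", 1)[1].lower()
             for rule in policy.values() for and_list in rule
             for c in and_list if c.startswith("role:")}
    return sorted(named - held)


# Constructed credentials: a service user creating a network for another tenant.
TARGET = {"tenant_id": "db6ffb835f294f86978888dc65b59b0b"}
SERVICE_USER = {"tenant_id": "service-tenant-id", "roles": ["admin"]}
OWNER = {"tenant_id": TARGET["tenant_id"], "roles": ["Member"]}

if __name__ == "__main__":
    for name, pol in (("renamed", POLICY_RENAMED), ("stock", POLICY_STOCK)):
        print(name, check(pol, "admin_or_owner", TARGET, SERVICE_USER),
              check(pol, "admin_or_owner", TARGET, OWNER),
              unsatisfiable_roles(pol, SERVICE_USER["roles"]))
```

Running `unsatisfiable_roles` against the role list a service user actually holds in keystone is a quick way to spot a role name in policy.json that no assignment can satisfy.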
0

answered 2013-03-04 19:51:53 -0600

digitalwonk

Just adding a comment to report that my previous comment solved it.



Stats

Asked: 2013-02-23 07:08:06 -0600

Seen: 1,168 times

Last updated: Mar 04 '13