[Havana][Domains] User Credentials invalid
Hello,
I followed this to create a domain_admin for a more granular admin role with access to specific projects. I did the following using a client to interact with the keystone API v3:
- Created 2 projects
  - one for a regular user in the domain
  - a default project for the domain_admin
- Created the domain to use
- Added the domain_id to the projects
- Created a regular user and a domain_admin user with the domain_id provided in the create call
- Granted roles to users in the domain:
  - default Member role to the regular user
  - domain_admin for the designated domain_admin user
- Granted roles to users in the projects:
  - Member role to the regular user on its own project
  - domain_admin role to the domain_admin on the default project and the regular user's project
Having done that, I assumed that, without having altered /etc/keystone/policy.json yet, I'd be able to log in through the Horizon Dashboard using the regular user. As it has a default role, the system should allow me to log in.
Trying to get a token through the API also no longer works:
Auth Failed: {u'message': u'The request you have made requires authentication.', u'code': 401, u'title': u'Unauthorized'}
I first tried the same as the above, only in a different order of steps:
- Create the projects
- Create the users
- Grant Member roles to both users in the respective projects
  - At this point both users could log in, e.g. to the Horizon Dashboard
- Then created the domain
- Updated the projects with the domain_id
  - At this point, trying to log in would yield: You are not authorized for any projects.
- Updated the users with the domain_id
  - At this point, listing (or getting) the user showed a column "extras" that somehow contained the description and email address of the user. (The body for the update call was OK; I don't know how this happened.)
  - At this point, I'd get: Invalid user name or password.
At that point I stopped.
Is this solely related to the fact that anything domain-related in the file /etc/keystone/policy.json has the rule admin_required? How come I'm unable to log in after setting domains up for use?
Any help is much appreciated. This is still on Ubuntu 13.10 with Havana/stable.
Regards, Phil
EDIT:
I just replaced the policy.json file with the policy.v3cloudsample.json file from the stable/havana branch. That results in:
2014-05-12 09:02:32.473 30777 ERROR keystone.openstack.common.policy [-] Failed to understand rule admin_on_project_filter
2014-05-12 09:02:32.473 30777 TRACE keystone.openstack.common.policy Traceback (most recent call last):
2014-05-12 09:02:32.473 30777 TRACE keystone.openstack.common.policy File "/usr/lib/python2.7/dist-packages/keystone/openstack/common/policy.py", line 475, in _parse_check
2014-05-12 09:02:32.473 30777 TRACE keystone.openstack.common.policy kind, match = rule.split(':', 1)
2014-05-12 09:02:32.473 30777 TRACE keystone.openstack.common.policy ValueError: need more than 1 value to unpack
I'll have ...
OK, there seems to be nothing else to configure. policy.py is expecting the rule to be notated as e.g. rule:admin_or_cloud_admin, so that the string can be split using a colon as separator. I'll try the policy.v3cloudsample.json file from the master branch; the notation of the rules seems to fit there.
What type of token are you getting? You need to get a domain-scoped token to get it working.
What do you mean by "I don't set domain_id for the user"?
Can you also let me know how you are getting the token? You have to use the v3 API.
See the updated question for the answer. BTW, is this really the correct approach? Posting the relevant information to answer questions as an update to the original one?
Sorry, I don't see where my post implied that. No, with the default policy.json in place, the scoped request does not return a token.