
keystone user-list doesn't work

asked 2014-06-16 12:32:32 -0500

matarazzoangelo

Following the Icehouse installation guide at http://docs.openstack.org/icehouse/install-guide/install/apt/content/keystone-verify.html I verified the Keystone installation by running this:

keystone --os-username=admin --os-password={password} --os-auth-url=http://controller:35357/v2.0 --os-tenant-name=admin token-get

It works fine.

I then ran this command:

keystone --os-username=admin --os-password={password} --os-auth-url=http://controller:35357/v2.0 --os-tenant-name=admin user-list

but this error message appears:

You are not authorized to perform the requested action, admin_required. (HTTP 403)

What is wrong?

I unset

OS_SERVICE_TOKEN=ADMIN_TOKEN
OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

and

OS_USERNAME=admin
OS_PASSWORD=ADMIN_PASS
OS_TENANT_NAME=admin
OS_AUTH_URL=http://controller:35357/v2.0

This is the output with the --debug option:

DEBUG:keystoneclient.session:REQ: curl -i -X POST http://controller:35357/v2.0/tokens -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "password"}}}'
INFO:urllib3.connectionpool:Starting new HTTP connection (1): controller
DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 2361
DEBUG:keystoneclient.session:RESP: [200] CaseInsensitiveDict({'date': 'Mon, 16 Jun 2014 17:23:46 GMT', 'vary': 'X-Auth-Token', 'content-length': '2361', 'content-type': 'application/json', 'x-distribution': 'Ubuntu'})
RESP BODY: {"access": {"token": {"issued_at": "2014-06-16T17:23:46.561543", "expires": "2014-06-16T18:23:46Z", "id": "[token omitted]", "tenant": {"description": "Admin Tenant", "enabled": true, "id": "1bb0dbc4f0a34b9da921b52cc0ceb712", "name": "admin"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://controller:35357/v2.0", "region": "regionOne", "internalURL": "http://controller:5000/v2.0", "id": "0a55360d89be42d9843e7fe5d0319e40", "publicURL": "http://controller:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "admin", "roles_links": [], "id": "fdce0956b22f4db9980570e7f0f63188", "roles": [{"name": "_member_"}], "name": "admin"}, "metadata": {"is_admin": 0, "roles": ["9fe2ff9ee4384b1894a90878d3e92bab"]}}}

DEBUG:iso8601.iso8601:Parsed 2014-06-16T18:23:46Z into {'tz_sign': None, 'second_fraction': None, 'hour': u'18', 'daydash': u'16', 'tz_hour': None, 'month': None, 'timezone': u'Z', 'second': u'46', 'tz_minute': None, 'year': u'2014', 'separator': u'T', 'monthdash': u'06', 'day': None, 'minute': u'23'} with default timezone
DEBUG:iso8601.iso8601:Got u'2014' for 'year' with default None
DEBUG:iso8601.iso8601:Got u'06' for 'monthdash' with default 1
DEBUG:iso8601.iso8601:Got 6 for 'month' with default 6
DEBUG:iso8601.iso8601:Got u'16' for 'daydash' with default 1
DEBUG:iso8601.iso8601:Got 16 for 'day' with default 16
DEBUG:iso8601.iso8601:Got u'18' for 'hour' with default None
DEBUG:iso8601.iso8601:Got u'23' for 'minute' with default None
DEBUG:iso8601.iso8601:Got u'46' for 'second' with default None
DEBUG:keystoneclient.session:REQ: curl -i -X GET http://controller:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: [token omitted]"
INFO:urllib3.connectionpool:Starting new HTTP connection (1): controller
DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
DEBUG:urllib3.connectionpool:"GET /v2.0/users HTTP/1.1" 403 132
DEBUG:keystoneclient.session:RESP: [403] CaseInsensitiveDict({'date': 'Mon, 16 Jun 2014 17:23:46 GMT', 'vary': 'X-Auth-Token', 'content-length': '132', 'content-type': 'application/json', 'x-distribution': 'Ubuntu'})
RESP BODY: {"error": {"message": "You are not authorized to perform the requested action, admin_required ...


Comments

Verify that the openstack-keystone service is running and that iptables is configured to allow connections on ports 5000 and 35357.

dbaxps (2014-06-16 12:46:20 -0500)

1 answer


answered 2014-06-16 13:07:48 -0500

Try keystone user-role-list --user admin --tenant admin. Most probably you don't have role association between the tenant "admin" and the user "admin".

If you don't see a role association, add the "admin" role using keystone user-role-add.


Comments

You are right. Thank you a lot!! Now it works, so I tried

keystone --os-username=admin --os-password={password} --os-auth-url http://controller:35357/v2.0 endpoint-list

but nothing appears. This command works:

keystone --os-endpoint=http://controller:35357/v2.0 --os-token=3735e8c22c452312a27e endpoint-list

So I think that --os-token is more powerful than authentication credentials. Is it right? Thanks in advance

matarazzoangelo (2014-06-17 02:16:53 -0500)
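Why the password-issued token got a 403 while a request with the service token passes, as an added example that is not part of the original thread. It assumes the stock Icehouse policy rule `admin_required = "role:admin or is_admin:1"`; the helper names and the trimmed sample response are constructed for illustration.

```python
import json

# Assumption: stock Icehouse keystone policy.json, where identity:list_users
# requires rule:admin_required, defined as below.
ADMIN_REQUIRED = "role:admin or is_admin:1"

# Constructed sample: the POST /v2.0/tokens response from the debug output,
# trimmed to the fields that drive authorization.
TOKEN_RESPONSE = json.loads("""
{"access": {
  "token": {"expires": "2014-06-16T18:23:46Z",
            "tenant": {"id": "1bb0dbc4f0a34b9da921b52cc0ceb712", "name": "admin"}},
  "user": {"username": "admin", "roles": [{"name": "_member_"}]}
}}
""")


def token_roles(response):
    """Role names Keystone bound to this token for the scoped tenant."""
    return {r["name"] for r in response["access"]["user"].get("roles", [])}


def rule_allows(rule, roles, is_admin=False):
    """Evaluate a flat 'a or b' policy rule made of role: / is_admin: checks.

    is_admin models a request authenticated with the bootstrap admin_token
    (OS_SERVICE_TOKEN / --os-token) instead of a user-issued token.
    """
    for check in (c.strip() for c in rule.split(" or ")):
        kind, _, value = check.partition(":")
        if kind == "role" and value in roles:
            return True
        if kind == "is_admin" and value == "1" and is_admin:
            return True
    return False


def diagnose(response):
    """Return (allowed, message) for an API call guarded by admin_required."""
    roles = token_roles(response)
    tenant = response["access"]["token"]["tenant"]["name"]
    if rule_allows(ADMIN_REQUIRED, roles):
        return True, "token carries the admin role on tenant %r" % tenant
    return False, ("403 admin_required: roles on tenant %r are %s; "
                   "grant the admin role" % (tenant, sorted(roles)))


if __name__ == "__main__":
    print(diagnose(TOKEN_RESPONSE))                            # password login
    print(rule_allows(ADMIN_REQUIRED, set(), is_admin=True))   # admin_token
```

The `roles` list in the token response is the quickest place to confirm a missing role assignment before changing anything. The service token satisfies the rule with no roles at all, which is why the install guide has it unset once the admin user is set up.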

Stats

Asked: 2014-06-16 12:32:32 -0500

Seen: 976 times

Last updated: Jun 16 '14