Ask Your Question
1

Openstack Havana - Ldap / MySQL authentication "You are not authorized for any projects."

asked 2014-06-19 09:10:46 -0600

m9adevip gravatar image

updated 2014-06-19 15:38:06 -0600

smaffulli gravatar image

We have stood up Openstack Havanna instance and have had it configured to use only the MySQL database to do authentication. Due to the large nature of the organization we work in we want to switch this idenity management component of Openstack to LDAP but keep the project administration within the mysql db. We have followed the documentation on the Openstack guide to configure our ldap connection but we keep getting "You are not authorized for any projects." when we attempt to login to the Horizon page. Also we see multiple unauthorized for tenenat xxxxx in the log for the service accounts (nova, neutron, glance, cinder, etc). So it appears that our configurations allow us to read the ldap server but something is missing in the configuration to allow us to access the projects. Is there a post configuration step that needs to be taked to assign the ldap user to a project?

keystone.log snippet

`WARNING keystone.token.controllers [-] User neutron is unauthorized for tenant f8d9c29469ac4de2897f1f3d6eb9a296`
`WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 127.0.0.1`
`WARNING keystone.token.controllers [-] User nova is unauthorized for tenant f8d9c29469ac4de2897f1f3d6eb9a296`
`WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 127.0.0.1`
`WARNING keystone.token.controllers [-] User glance is unauthorized for tenant f8d9c29469ac4de2897f1f3d6eb9a296`
`WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 127.0.0.1`
`WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 127.0.0.1`
`WARNING keystone.token.controllers [-] User admin is unauthorized for tenant cbf630efcfda4aee82dd56fa7d86b270`
`WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 127.0.0.1`
`WARNING keystone.token.controllers [-] User cinder is unauthorized for tenant f8d9c29469ac4de2897f1f3d6eb9a296`
`WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 127.0.0.1`

Keystone.conf file

[DEFAULT]
# A "shared secret" between keystone and other openstack services
# admin_token = ADMIN
admin_token = password

# The IP address of the network interface to listen on
# bind_host = 0.0.0.0
bind_host = 0.0.0.0

# The port number which the public service listens on
# public_port = 5000
public_port = 5000

# The port number which the public admin listens on
# admin_port = 35357
admin_port = 35357

# The base endpoint URLs for keystone that are advertised to clients
# (NOTE: this does NOT affect how keystone listens for connections)
# public_endpoint = http://localhost:%(public_port)s/
# admin_endpoint = http://localhost:%(admin_port)s/

# The port number which the OpenStack Compute service listens on
# compute_port = 8774
compute_port = 8774

# Path to your policy definition containing identity actions
# policy_file = policy.json

# Rule to check if no matching policy definition is found
# FIXME(dolph): This should really be defined as [policy] default_rule
# policy_default_rule = admin_required

# Role for migrating membership relationships
# During a SQL upgrade, the following values will be used to create a new role
# that will replace records in the user_tenant_membership table with explicit
# role grants.  After migration, the member_role_id will be used in ...
(more)
edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
1

answered 2014-06-19 10:32:32 -0600

mpetason gravatar image

updated 2014-06-19 11:09:46 -0600

Based on the error messages it looks like the service accounts were not added to AD. When you move users off of SQL and into AD you also have to setup the service accounts. You'll need to setup all of the service accounts and match the passwords you are currently using for your keystone auth_tokens in your configuration files.

After that you just need to make sure that you are using the correct search strings to match users. The Service accounts should be findable in the search string you have for users.

After that you also need to setup all of your users in AD such as "admin."

Then you have to remap all of the users to the correct roles for the correct tenants:

keystone user-role-add = ..... The commands that match this.

See if that helps out.

edit flag offensive delete link more
add a comment
0

answered 2014-07-10 12:26:43 -0600

DeepVish gravatar image

First create user for each service in ldap, like i have created one for swift.

[root@swiftProxyNode ~]# keystone user-list +------------+------------+---------+-----------------------------------+ | id | name | enabled | email | +------------+------------+---------+-----------------------------------+ | swift | swift | | swift.users@keystoneldap.com |

I think you already have role and tenant created in ldap. Now map service users(eg swift) into tenant with role "admin" using user-role-add command or you can directly add this on ldap server. You can create separate tenant named as "service" to keep all service user into it. This will help in keeping configuration simple and clean. if you dont want to create extra tenant then you can add these service users into any tenant with role "admin".

keystone user-role-add --user=swift --tenant=service --role=admin

[root@swiftProxyNode ~]# keystone user-role-list --user swift +-------+-------+---------+-----------+ | id | name | user_id | tenant_id | +-------+-------+---------+-----------+ | admin | admin | swift | service | +-------+-------+---------+-----------+

now in configuration of each service you need to add details of service users, like i added for swift in proxy-server.conf

[filter:authtoken] paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory admin_tenant_name = service admin_user = swift admin_password = Password

After restarting the services everything should work fine.

Hope this is userful.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-06-19 09:10:46 -0600

Seen: 3,596 times

Last updated: Jul 10 '14

Related questions

openstack group contains user command returns empty on LDAP groups

Keystone LDAP integration [closed]

my nova doesn't work now, shows url's project_id doesn't match context's project_id. The url's project_id I thought is the role of admin added to the nova at tenant service, but my question is, how can I check the "context's project_id"?

A massive 35GB keystone/token.ibd, what happened?

How to change Keystone

stack created but not showing on horizon(UI)

How do I restart a devstack VM?

keystone via httpd and remote_user

cinder mysql connection failed errno 113

OSAD Install - KeyStone HTTPS