Conflict occured attemtping to store role grant

asked 2014-07-30 04:40:35 -0600

Robert gravatar image

I am folowing this installation guide: in I have come to add tole to the user:

 keystone user-role-add --user=glance --tenant=service --role=admin

And I get some conflict:

Conflict occured attemtpinh to store role gratn. User c4ea525a5710473eb03a674c0afec045 already has role    2af68cff483546278eec63d743a2b7c2 in tenant da83c962081f465381e6106748d731a.

That means one user can have tenant=service or can all users (OpenStack services - nova, swift,etc) have same tenant (tenant=service)? How can I chehc if I have add roles to some users, tenanta and os on? In wich relations (one service s1 can have more tenants t1, t2 ,t2 ; one user u1 can have servce s1, etc) are users, roles, tenants, services, etc?

User, services and tenant that I have create so far:

$keystone user-list
                    id           name  eabled   email
60f1ea0750844b992600998a441cb24   admin    True

$keystone role-list
                      id             name
9fe2ff9ee4384b1894a90878d3e92bab   _member_
2af68cff483546278eec63d743a2b7c2   admin

$keystone service-list
              id                     name      type       description
23a41691715b4a4581e3ad7e1620977c    glance     image    OpenStack Image Service
c93683017ec8461cbabb8f7466deef0c     keystone identity  OpenStack Identity 

$keystone tenant-list
                  id                   name    enabled
2e2a2d61c8fb4de0932347ca8c6b78b2       admin   True
32070f16d71f4c30a2cfca25298e9f59        demo    True
da83c962081f465381e61067481d731a      service  True
edit retag flag offensive close merge delete


How can I check whcih roles are aisgned to whom?

Robert gravatar imageRobert ( 2014-07-30 05:04:03 -0600 )edit

You can get that info with keystone user-role-list command: here keystone client commands reference guide.

Antonio G. gravatar imageAntonio G. ( 2014-07-30 08:04:00 -0600 )edit

What do you think Antonio G. what what could be reason for this conflict or even better question is: What are the relations betwen users, admins, tenants, roles and services. Let's say should one service have all tenants or should one service have one own tenant. Is there any referenc for this relations?

Robert gravatar imageRobert ( 2014-07-30 08:24:26 -0600 )edit

Yes I removed role and add role without any conflicts now. I probably have added role before and than I forgot about it. This installation guide is a bit confusing.

Robert gravatar imageRobert ( 2014-07-30 09:39:17 -0600 )edit

1 answer

Sort by ยป oldest newest most voted

answered 2014-07-30 09:08:40 -0600

updated 2014-07-30 09:09:14 -0600

Hi Robert, if glance user already has that role you should get that error. Probably you already sent that command; I think if you perform a user-role-remove command and then again a user-role-add command you should not get that conflict error.

Try reading this for user management purposes (it also explains what roles or tenants really mean)

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2014-07-30 04:40:35 -0600

Seen: 133 times

Last updated: Jul 30 '14