
Can a user with the _member_ role (non-admin) launch an instance in an External Network? How?

asked 2014-08-19 06:14:23 -0500

muthusugi

updated 2014-08-21 05:48:11 -0500

Hi, I am trying to make tenants and give access to users. I cannot give them the admin role as they could mess up networks and images.

But now the instance cannot be launched by other users who don't have the admin role. I have not modified the default policy.json file of nova.

API Error: Unauthorized. Please try logging in again.

Token Get debug Command : keystone --debug --os-username=develop1 --os-password=develop_pass --os-tenant-name=develop1 --os-auth-url=http://controller:35357/v2.0 token-get

Token Get Error is in link :  http://pastebin.com/Sh7AuFgJ

I use Icehouse in Ubuntu-12.04.

UPDATE: Can a user with the _member_ role create an interface in an External Network?

Hello guys, it is a problem of "It is not allowed to create an interface on external network"; I found it by booting from the command line with nova boot.

With an Internal Network things are working fine.

  1. Can I change this behaviour? Will making the external network an internal network create some problems? Actually I can't do this.
  2. Also, now I cannot change the shared option of the External-Network in the API. How can I revert what I did?

I see in https://wiki.openstack.org/wiki/Neutron/sharing-model-for-external-networks

Decoupling 'shared' from 'external' : won't work

If this is true, if a normal user tries to boot in this ext-network he will fail in booting. How to prevent this?


Comments

Is this normal behaviour, or is it an error? Please tell me... Thanks.

muthusugi ( 2014-08-19 11:17:50 -0500 )

1 answer

1

answered 2014-08-20 09:26:39 -0500

dbaxps

updated 2014-08-20 09:32:04 -0500

Creating user :-

  $ . keystonerc_admin

  $ keystone user-create --name boris --pass fedora
  WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
  +----------+----------------------------------+
  | Property |              Value               |
  +----------+----------------------------------+
  |  email   |                                  |
  | enabled  |               True               |
  |    id    | 1c18b2231aa34dbe9c31cd390aaedb42 |
  |   name   |             boris              |
  +----------+----------------------------------+

  $ keystone role-create --name user
  WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
  +----------+----------------------------------+
  | Property |              Value               |
  +----------+----------------------------------+
  |    id    | 6fac6b1cd0c24ba0a949d12acc757311 |
  |   name   |               user               |
  +----------+----------------------------------+

  $ keystone tenant-create --name ostenant
  WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
  +-------------+----------------------------------+
  |   Property  |              Value               |
  +-------------+----------------------------------+
  | description |                                  |
  |   enabled   |               True               |
  |      id     | 2c845a6ad20e45ccb0b045cee27a9661 |
  |     name    |             ostenant             |
  +-------------+----------------------------------+

  $ keystone user-role-add --user boris \
  --role user --tenant ostenant
  WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).

  $ cat >> ~/keystonerc_boris <<EOF
  export OS_USERNAME=boris
  export OS_TENANT_NAME=ostenant
  export OS_PASSWORD=fedora
  export OS_AUTH_URL=http://192.168.1.127:35357/v2.0/
  export PS1='[\u@\h \W(keystone_boris)]\$ '
  EOF

Sourcing rc file :-

[root@icehouse1 ~(keystone_boris)]# keystone token-get

Another option :-

[root@icehouse1 ~]# keystone --os-username=boris --os-password=fedora --os-tenant-name=ostenant --os-auth-url=http://192.168.1.127:35357/v2.0 token-get

Comments

Hi, thanks for answering. But my situation seems different: I am not allowed to create an interface on the external network, i.e., a user with the default _member_ role can't. Sorry for any misdirection in the question; I have now updated the question.

muthusugi ( 2014-08-20 09:34:04 -0500 )


Stats

Asked: 2014-08-19 06:14:23 -0500

Seen: 558 times

Last updated: Aug 21 '14