
[neutron][keystone]403 error while getting tenant list using neutron user

asked 2015-01-22 22:22:43 -0500

neutronuser

Hi,

I'm using a devstack setup for my experiments. Since the Juno release, the keystone client is throwing a 403 error when I request the tenant list using the neutron user. I see the neutron user only has the service & member roles and no longer the admin role! Is this role change intentional, and why? I am writing an ml2 mechanism driver and I need to get the tenant name for a given tenant id. Is there a way to get this? Or do I need to change the role policy or add the admin role to neutron?

Thanks.

Command line test:

    keystone --os-tenant-name service --os-username neutron --os-password password --os-auth-url http://192.168.60.143:35357/v2.0 tenant-list
    You are not authorized to perform the requested action: admin_required (Disable debug mode to suppress these details.) (HTTP 403)


1 answer


answered 2015-01-23 00:18:00 -0500

tenant-list is only exposed on the keystone admin port (35357), so the user that is doing a tenant-list needs to have the admin context (have the admin role).

Even the /v3 API needs admin context.

http://developer.openstack.org/api-re...

{
    "projects": [
        {
            "domain_id": "--domain-id--",
            "enabled": true,
            "id": "--project-id--",
            "links": {
                "self": "http://identity:35357/v3/projects/--project-id--"
            },
            "name": "a project name"
        },
        {
            "domain_id": "--domain-id--",
            "enabled": true,
            "id": "--project-id--",
            "links": {
                "self": "http://identity:35357/v3/projects/--project-id--"
            },
            "name": "another project"
        }
    ],
    "links": {
        "self": "http://identity:35357/v3/projects",
        "previous": null,
        "next": null
    }
}
GET

Comments

Yes, the neutron user used to have the admin role before Juno. I'm wondering, why is it removed now? Is it safe to assign the admin role to the neutron user to make my code work? I see a few other plugins are also getting the tenant list using the neutron user. I wonder how they are working around it.

neutronuser ( 2015-01-23 09:18:18 -0500 )

All service accounts need the admin role. Not sure how you installed, but add the admin role to neutron and done. http://docs.openstack.org/juno/instal...

sfcloudman ( 2015-01-23 10:31:28 -0500 )

Thanks sfcloudman. I used devstack to install. I see glance and neutron don't have admin roles. Maybe it is a devstack issue. Thanks.

neutronuser ( 2015-01-23 11:27:35 -0500 )

Probably related to devstack. I'd add the admin role to those users.

sfcloudman ( 2015-01-24 12:18:04 -0500 )
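
Added example, not part of the original thread and not keystone's own code: a small model of role-based policy rules showing why a user holding only the service and member roles fails the admin_required check, and what else the admin role unlocks compared with a narrower read-only grant. The policy entries are modelled on keystone's policy.json and the project_reader role is hypothetical; check them against your deployment's own policy file.

```python
# Minimal evaluator for checks of the form "role:X", "rule:Y" and
# "is_admin:1" joined by "or". A model only, not keystone's policy engine.

DEFAULT_POLICY = {  # constructed sample, modelled on keystone's policy.json
    "admin_required": "role:admin or is_admin:1",
    "identity:list_projects": "rule:admin_required",
    "identity:get_project": "rule:admin_required",
    "identity:delete_project": "rule:admin_required",
}

# Hypothetical narrower policy: a dedicated read-only role (the name
# project_reader is an assumption) may read projects; everything else
# still requires admin.
NARROW_POLICY = {
    **DEFAULT_POLICY,
    "identity:list_projects": "rule:admin_required or role:project_reader",
    "identity:get_project": "rule:admin_required or role:project_reader",
}


def allowed(policy, action, creds, _seen=()):
    """Return True if creds satisfy the rule for action (default deny)."""
    rule = policy.get(action)
    if rule is None or action in _seen:  # unknown rule or rule cycle: deny
        return False
    for check in (c.strip() for c in rule.split(" or ")):
        kind, _, value = check.partition(":")
        if kind == "role" and value in creds.get("roles", ()):
            return True
        if kind == "is_admin" and value == "1" and creds.get("is_admin"):
            return True
        if kind == "rule" and allowed(policy, value, creds, _seen + (action,)):
            return True
    return False


def audit(policy, creds):
    """Map every identity:* action to the decision for these credentials."""
    return {a: allowed(policy, a, creds)
            for a in policy if a.startswith("identity:")}


if __name__ == "__main__":
    neutron = {"roles": ["service", "member"]}  # roles reported in the question
    reader = {"roles": ["service", "project_reader"]}
    print("default :", audit(DEFAULT_POLICY, neutron))
    print("as admin:", audit(DEFAULT_POLICY, {"roles": ["service", "admin"]}))
    print("narrowed:", audit(NARROW_POLICY, reader))
```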
