Ask Your Question

Keystone user-role-add : HTTP 409

asked 2015-02-25 20:19:21 -0500

ALU.RDC gravatar image

updated 2015-02-25 20:37:34 -0500

Hey everyone, I have another ticket open, but I'm not sure if the two issues are related... This is my issue. I have keystone setup, but my glance setup has been giving me a lot of grief.

Basically when I run glance commands such as: glance index ID Name Disk Format Container Format Size

Request returned failure status. Invalid OpenStack Identity credentials.

I get the identity credentials error...

My first question is this...I am running OpenSuSE 13.1. I have run an update on all my repos. But whenever I uninstall and then reinstall openstack-keystone with the newest most up to date version, I get the keystone.conf that is in this format:

verbose = True
log_file = keystone.log
log_dir = /var/log/keystone
# A "shared secret" between keystone and other openstack services
admin_token = 63d9bcc957b5bc12c568
# The IP address of the network interface to listen on
bind_host =

# The port number which the public service listens on
public_port = 5000

# The port number which the public admin listens on
admin_port = 35357

# The base endpoint URLs for keystone that are advertised to clients
# (NOTE: this does NOT affect how keystone listens for connections)
#public_endpoint = http://localhost:%(3306)s/
#admin_endpoint = http://localhost:%(3306)s/

# The port number which the OpenStack Compute service listens on
compute_port = 8774

# Path to your policy definition containing identity actions
policy_file = policy.json

# Rule to check if no matching policy definition is found
# FIXME(dolph): This should really be defined as [policy] default_rule
policy_default_rule = admin_required

# Role for migrating membership relationships
# During a SQL upgrade, the following values will be used to create a new role
# that will replace records in the user_tenant_membership table with explicit
# role grants.  After migration, the member_role_id will be used in the API
# add_user_to_project, and member_role_name will be ignored.
# member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
# member_role_name = _member_

# enforced by optional sizelimit middleware (keystone.middleware:RequestBodySizeLimiter)
# max_request_body_size = 114688

# limit the sizes of user & tenant ID/names
# max_param_size = 64

# similar to max_param_size, but provides an exception for token values
# max_token_size = 8192

# === Logging Options ===
# Print debugging output
# (includes plaintext request logging, potentially including passwords)
debug = True

# Print more verbose output
verbose = True

# Name of log file to output to. If not set, logging will go to stdout.
log_file = keystone.log

# The directory to keep log files in (will be prepended to --logfile)
log_dir = /var/log/keystone

# Use syslog for logging.
# use_syslog = False

# syslog facility to receive log lines
# syslog_log_facility = LOG_USER

# If this option is specified, the logging configuration file specified is
# used and overrides any other logging options specified. Please see the
# Python logging module documentation for details on logging configuration
# files.
# log_config = logging.conf

# A logging.Formatter log message format string which may use any of the
# available logging.LogRecord attributes.
# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s

# Format string for %(asctime)s in log records.
# log_date_format = %Y-%m-%d %H:%M:%S

# onready allows you to send a notification when the process is ready to serve
# For example, to have it notify using systemd ...
edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2015-02-26 10:57:39 -0500

ALU.RDC gravatar image

updated 2015-02-26 11:06:26 -0500

hmm ok you're right in that using the --user glance --tenant service shows the role..but why doesn't doing just a keystone user-role-list' show all user's roles?

edit flag offensive delete link more

answered 2015-02-25 20:56:10 -0500

updated 2015-02-25 20:56:37 -0500

HTTP 409 is conflict, that means you already have that role for that user.

Always use explict argument for any keystone commands. You are using keystone user-role-list. Most probably this is going to list roles for the user in the environment variable.

usage: keystone user-role-list [--user <user>] [--tenant <tenant>]

List roles granted to a user.

  --user <user>, --user-id <user>
                        List roles granted to specified user.
  --tenant <tenant>, --tenant-id <tenant>
                        List only roles granted on specified tenant.

Try keystone user-role-list --user glance --tenant service to check the roles for the glance user

edit flag offensive delete link more


It is user-role-list and not users-role-list. So it is listing all roles for a given user. Also role assignment is a tuple of ( user, role, tenant). So you need tenant besides user to list roles

Haneef Ali gravatar imageHaneef Ali ( 2015-02-26 12:12:54 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-02-25 20:19:21 -0500

Seen: 621 times

Last updated: Feb 25 '15