Ask Your Question

Can you help me with issues in "Defining Users, Tenants, and Roles" with CentOS / Havana installation?

asked 2013-11-11 07:42:00 -0500

susant gravatar image

updated 2013-11-20 14:31:08 -0500

smaffulli gravatar image

I am, very carefully, following directions for installing OpenStack Havana on CentOS following the official Install Guide

All is good until this command under the section "Defining Users, Tenants, and Roles":

# keystone user-role-add --user=admin --tenant=admin --role=admin

At this point, I get warnings starting with "Could not find user, admin" (see keystone.log below).

AND I cannot do a user-role-list:

# keystone user-role-list --user=admin
'Client' object has no attribute 'auth_tenant_id'

Do you know what I'm doing wrong?

# more /var/log/keystone/keystone.log

2013-11-08 10:14:32.860 16354 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/certs/cakey.pem 2048
2013-11-08 10:14:33.063 16354 INFO keystone.common.openssl [-] openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/certs/cakey.pem -out /
etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/
2013-11-08 10:14:33.099 16354 INFO keystone.common.openssl [-] openssl genrsa -out /etc/keystone/ssl/private/signing_key.pem 2048
2013-11-08 10:14:33.129 16354 INFO keystone.common.openssl [-] openssl req -key /etc/keystone/ssl/private/signing_key.pem -new -out /etc/keystone/ssl
/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Unset/L=Unset/O=Unset/
2013-11-08 10:14:33.141 16354 INFO keystone.common.openssl [-] openssl ca -batch -out /etc/keystone/ssl/certs/signing_cert.pem -config /etc/keystone/
ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/certs/cakey.pem -infiles /etc/keystone/ssl/certs/r
2013-11-08 10:17:23.522 16598 INFO keystone.common.environment [-] Environment configured as: eventlet
2013-11-08 10:17:24.104 16598 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on
2013-11-08 10:17:24.107 16598 INFO keystone.common.environment.eventlet_server [-] Starting /usr/bin/keystone-all on
2013-11-08 10:24:39.776 16598 WARNING keystone.common.wsgi [-] Could not find user, admin.
2013-11-08 10:24:39.799 16598 WARNING keystone.common.wsgi [-] Could not find role, admin.
2013-11-08 10:24:39.811 16598 WARNING keystone.common.wsgi [-] Could not find project, admin.

OS is: CentOS release 6.4 (Final)

# uname -a
Linux controller 2.6.32-358.18.1.el6_lustre.x86_64 #1 SMP Thu Sep 5 15:49:32 PDT 2013 x86_64 x86_64 x86_64 GNU/Linux

# yum list|grep keystone
openstack-keystone.noarch               2013.2-1.el6                   @openstack-havana
python-keystone.noarch                  2013.2-1.el6                   @openstack-havana
python-keystoneclient.noarch            1:0.4.1-3.el6                  @openstack-havana
edit retag flag offensive close merge delete


Were you able to successfully run the `tenant-create` and `user-create` commands in that document? Can you show the output of `keystone user-list` and `keystone tenant-list`?

larsks gravatar imagelarsks ( 2013-11-11 11:16:59 -0500 )edit

Both 'tenant-create` and `user-create` commands were successful before doing the 'user-role-add'. keystone user-list +----------------------------------+-------+---------+----------------------+ | id | name | enabled | email | +----------------------------------+-------+---------+----------------------+ | b5f04ebb7102465a9a8044a5df248fd4 | admin | True | <my email="" address=""> | +----------------------------------+-------+---------+----------------------+ [root@ib2 ~]# keystone tenant-list +----------------------------------+---------+---------+ | id | name | enabled | +----------------------------------+---------+---------+ | a2c8448650b74067ad975d4fab931ae9 | admin | True | | 3da30e1f72034d668c4042abf83dba50 | service | True | +----------------------------------+---------+---------+

susant gravatar imagesusant ( 2013-11-11 11:42:43 -0500 )edit

Can you try with the admin user and password instead of admin token? I get the same error as you if I use the token, but it works if I use the admin password. Just make sure to unset the token and service endpoint variables. Bug perhaps.

serverascode gravatar imageserverascode ( 2013-11-11 14:25:23 -0500 )edit

3 answers

Sort by ยป oldest newest most voted

answered 2014-07-08 04:39:44 -0500

updated 2014-07-08 04:49:36 -0500


Related to your debug infos, here is a tip that comes a bit late, but could help other so I'm going anyway:

With keystone, if you don't specify tenants and users BY THEIR IDs when running commands such as keystone user-role-list you systematically get those WARNING keystone.common.wsgi [-] Could not find user | projects ect.

Althought I'm using IceHouse (2014.1.1.1), this behavior doesn't seems to change from release to release, and I've noticed it on both Debian Wheezy and Ubutunu 14.04 LTS.

I don't know why it occurs thought, but you can get ride of this kind off "false positif" by using --user-id, --tenant-id and so on.

Those warnings got me rolling for a while, hope this spare some people's time.


edit flag offensive delete link more

answered 2013-11-20 16:36:57 -0500

updated 2013-11-20 17:25:08 -0500

sgordon gravatar image
edit flag offensive delete link more

answered 2014-08-20 20:01:19 -0500

z900collector gravatar image

It appears that basic create command work without ID's and any kind of complex listing command requires ID values: so ]# keystone user-role-list --user admin --tenant admin usage: keystone user-role-list [--user-id <user-id>] [--tenant-id <tenant-id>] keystone user-role-list: error: ambiguous option: --user could match --user-id, --user_id [root@sid ~]#


keystone user-role-list --user-id=e6646da8c9a143269a4cd33e4d838760 --tenant-id=1129f3c0e1c948fe83c1484f68abd65e

WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored). +----------------------------------+-----------+----------------------------------+----------------------------------+ | id | name | user_id | tenant_id | +----------------------------------+-----------+----------------------------------+----------------------------------+ | b2eaf86a2d094e9c94d0cd1439cd0bca | _members_ | e6646da8c9a143269a4cd33e4d838760 | 1129f3c0e1c948fe83c1484f68abd65e | +----------------------------------+-----------+----------------------------------+----------------------------------+ [root@sid ~]#

Works Fine with ID's only

Suggestion for whoever maintains this - the keystone program does not match the installation documentation and with the identity installation being one of the first steps this makes the product look like a piece of homebrew crap...

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2013-11-11 07:42:00 -0500

Seen: 1,304 times

Last updated: Jul 08 '14