
Getting an authentication token for tenant using admin credentials (DevStack works, RDO fails)

asked 2015-10-04 03:25:17 -0500


I'm writing some automation scripts that instantiate Nova servers on behalf of tenants using the python-keystoneclient to perform authentication and authorization. These scripts work fine on a DevStack installation but fail on RDO because of an inability to get an authentication token for a tenant using the admin credentials.

The issue can be demonstrated with the following code...

#!/usr/bin/env python
# Probe: can each user obtain a token scoped to the given tenant?

from __future__ import print_function  # runs on Python 2 and Python 3

from keystoneclient.v2_0 import client as keystone_client

def get_keystone_client(user, password, tenant):
    # Client() authenticates on construction and raises if Keystone refuses
    params = {
        "username": user,
        "password": password,
        "tenant_name": tenant,
        "auth_url": "http://localhost:35357/v2.0"
    }
    return keystone_client.Client(**params)

tests = [
    {"user": "admin", "password": "password", "tenant": "admin"},
    {"user": "admin", "password": "password", "tenant": "tenant1"},
    {"user": "tenant1-user", "password": "password", "tenant": "tenant1"}
]

for test in tests:
    # end=" " keeps the verdict on the same line as the attempt
    print("Attempting authentication for tenant %s by user %s" % (
        test['tenant'], test['user']
    ), end=" ")
    try:
        ks = get_keystone_client(**test)
        print("Authorized")
    except Exception:  # any client or HTTP error counts as a refusal
        print("Denied")

On DevStack, the following output is produced...

Attempting authentication for tenant admin by user admin Authorized
Attempting authentication for tenant tenant1 by user admin Authorized
Attempting authentication for tenant tenant1 by user tenant1-user Authorized

However, when I run the same script on an RDO installation with the same tenants/users/roles configured, authentication for tenant1 fails when using the admin user credentials...

Attempting authentication for tenant admin by user admin Authorized
Attempting authentication for tenant tenant1 by user admin Denied
Attempting authentication for tenant tenant1 by user tenant1-user Authorized

I have compared the Keystone configurations on the two installations and I can't see anything that suggests it might cause this difference. I've also tried using the Keystone port 5000 endpoint, the Keystone v3 client, and plain Keystone REST requests, all with the same result.

Does anyone have any idea which setting (assuming it's a setting!?) is causing this disparity? It's something of a blocker for our workflow.


1 answer


answered 2015-10-23 10:02:30 -0500


For anyone who comes across the same issue, the cause of the symptoms was that DevStack automatically adds the "admin" user to the tenants it creates whereas RDO does not. The fix, therefore, is to add the "admin" user to the tenant in Horizon (couldn't see a way to do it with the CLI) manually.
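Added example, not part of the original answer and not OpenStack's own code: the same fix scripted through python-keystoneclient's v2.0 managers, first listing the tenants on which a user holds no role (the condition behind the "Denied" line) and then granting one idempotently. The helper names and the role name `_member_` are assumptions; the credentials and endpoint are the ones from the question.

```python
"""Added example: find tenants where a user holds no role, then grant one."""


def _by_name(items, name):
    """Return the item whose .name matches, or raise LookupError."""
    for item in items:
        if item.name == name:
            return item
    raise LookupError("not found: %s" % name)


def tenants_missing_user(ks, user_name):
    """Names of tenants on which user_name holds no role at all.

    A tenant-scoped token request for such a tenant is refused, which is
    the "Denied" line in the question's RDO output.
    """
    user = _by_name(ks.users.list(), user_name)
    return sorted(t.name for t in ks.tenants.list()
                  if not ks.roles.roles_for_user(user, tenant=t))


def ensure_user_in_tenant(ks, user_name, tenant_name, role_name):
    """Grant role_name on tenant_name unless already held; True if granted."""
    user = _by_name(ks.users.list(), user_name)
    tenant = _by_name(ks.tenants.list(), tenant_name)
    held = ks.roles.roles_for_user(user, tenant=tenant)
    if any(r.name == role_name for r in held):
        return False  # idempotent: nothing to do
    role = _by_name(ks.roles.list(), role_name)
    ks.roles.add_user_role(user, role, tenant=tenant)
    return True


if __name__ == "__main__":
    # Needs python-keystoneclient and a reachable Keystone admin endpoint.
    from keystoneclient.v2_0 import client as keystone_client
    ks = keystone_client.Client(
        username="admin", password="password", tenant_name="admin",
        auth_url="http://localhost:35357/v2.0")  # values from the question
    print("admin has no role on:", tenants_missing_user(ks, "admin"))
    # "_member_" is an assumed role name; use the role your deployment defines.
    if ensure_user_in_tenant(ks, "admin", "tenant1", "_member_"):
        print("granted _member_ on tenant1 to admin")
```

Granting the least-privileged role the automation needs on each tenant keeps the admin account's reach limited to what the scripts actually use.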
