1

HTTP 403 in Keystone /v3/users

asked 2016-11-02 12:36:42 -0500

RichArt

updated 2016-11-09 08:11:09 -0500

I am developing my own OpenStack project in Python.

I first get the security token from the Identity API /v3/auth/tokens.

Then, when calling the http://developer.openstack.org/api-ref/identity/v3/ (Identity API /v3/users), with the token I got from the previous request, I get a 403 error.

I always use the admin user. The token is the X-Subject-Token and looks like this:

gAAAAABYGg-IgD17smiX_xiMsuylsKljMU2-lIf0AvYwQBruKPMvaI3gyRj_sDuUJDmqvDOQXyiSaOYZVagD3aaykBMS-nqiT8RMKWIUpN-V3hP2gAdjS-a4VqtIxPfusDmeXE4zcoRYkQPXk8r2J4waaZE1AJbeNg

This is the error from /v3/users:

{"error": {"message": "You are not authorized to perform the requested action: identity:list_users", "code": 403, "title": "Forbidden"}}

It works only if I change the line

"identity:list_users": "rule:admin_required"

in the file /etc/keystone/policy.json to:

"identity:list_users": ""

But I think this is not the right way.

Does anybody have an idea what the problem could be?


Update Nov. 9, 2017:

This is how I authenticate: Password authentication with unscoped authorization

import json

import requests

url = 'http://openstack-controller:35357/v3/auth/tokens'
# The request body has no "scope" object, so the token returned is unscoped.
payload = {
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "name": "admin",
                    "domain": {
                        "name": "default"
                    },
                    "password": "PASSWORD"
                }
            }
        }
    }
}
# The token is returned in the X-Subject-Token response header.
r = requests.post(url, data=json.dumps(payload))

Comments

1

How do you authenticate, can you provide details? You need to provide the Default domain and/or the admin project. Details at http://developer.openstack.org/api-gu....

Bernd Bausch ( 2016-11-08 17:39:41 -0500 )

You use "domain" : { "name": "default" }. I think the name is actually Default (capitalized), or you could use "id": "default".

Bernd Bausch ( 2016-11-09 21:31:46 -0500 )

The first curl gives a 400 error: Expecting to find identity in auth - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error. I guess it is a bit outdated.

RichArt ( 2016-11-10 14:41:17 -0500 )

I think this is the current request structure: http://developer.openstack.org/api-re... But still, the problem is: How do I get the project ID? Initially I only have user/pw

RichArt ( 2016-11-10 14:43:01 -0500 )
1

You can also use the project name. See the link I posted in the first comment.

Bernd Bausch ( 2016-11-10 20:55:50 -0500 )

1 answer

2

answered 2016-11-08 11:58:39 -0500

volenbovsky

Hi, maybe that is a scoped vs. unscoped token. Basically, in case your user doesn't have a default domain defined, there is a chance that you got an unscoped token. One way of checking whether you have a scoped or an unscoped token is via the response that you get on your POST to tokens, or by using HTTP GET on /v3/auth/tokens. I think you should have (assuming that you are not using something more complicated domain-wise) "domain": { "id": "default", "name": "Default" } or project information.


Comments

So, should I do a scoped authentication? I thought that if I did an unscoped authentication then I could access everything.

RichArt ( 2016-11-09 08:13:29 -0500 )
1

Hi, no, with an unscoped token you actually cannot do anything. See http://docs.openstack.org/admin-guide/identity-tokens.html

volenbovsky ( 2016-11-09 09:14:43 -0500 )

OK, this seems to be the solution. But if I have an unscoped token, how can I get the list of projects? I mean, I need a scoped token to get a list of projects. But on the other side I need a project ID to get the scoped token.

RichArt ( 2016-11-10 07:58:32 -0500 )

See above comment of Bernd, try to use default or Default as domain ID/domain name respectively

volenbovsky ( 2016-11-10 12:15:37 -0500 )

It seems that Default or default doesn't make any difference. Initially I only have username and password. And I need a token to access the Nova API. But as I understood, I need the domain or project ID to get a scoped token. But where do I get those IDs?

RichArt ( 2016-11-10 14:48:08 -0500 )
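
Added example (not part of the original thread and not Keystone's own code): it shows why the unscoped token from the question cannot satisfy a role-based policy rule, and how a client that starts with only a username and password can reach a project-scoped token by first listing its projects with GET /v3/auth/projects. The helper names, the choice of the first listed project and the two sample response bodies are constructed for illustration.

```python
import json
import urllib.request

KEYSTONE = "http://openstack-controller:35357/v3"  # endpoint from the question

def password_auth(name, password, user_domain_id="default", scope=None):
    """Body for POST /auth/tokens; scope=None requests an unscoped token."""
    user = {"name": name, "domain": {"id": user_domain_id}, "password": password}
    auth = {"identity": {"methods": ["password"], "password": {"user": user}}}
    if scope is not None:
        auth["scope"] = scope
    return {"auth": auth}

def token_scope(body):
    """Classify a token response body as 'project', 'domain' or 'unscoped'."""
    token = body.get("token", {})
    return next((k for k in ("project", "domain") if k in token), "unscoped")

def has_role(body, role_name):
    """Unscoped tokens carry no roles, so a role-based policy rule cannot match."""
    roles = body.get("token", {}).get("roles", [])
    return any(r.get("name") == role_name for r in roles)

def call(path, body=None, token=None):
    """POST when a body is given, else GET; returns (X-Subject-Token, JSON)."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Auth-Token"] = token
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(KEYSTONE + path, data=data, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("X-Subject-Token"), json.load(resp)

def scoped_token(name, password):
    """Name and password only: unscoped token, list projects, then rescope."""
    unscoped, _ = call("/auth/tokens", password_auth(name, password))
    _, listing = call("/auth/projects", token=unscoped)
    # Assumption: the first listed project is the one wanted.
    scope = {"project": {"id": listing["projects"][0]["id"]}}
    return call("/auth/tokens", password_auth(name, password, scope=scope))

# Constructed response bodies (not captured from a real deployment).
UNSCOPED = {"token": {"methods": ["password"],
                      "user": {"name": "admin", "domain": {"id": "default"}}}}
SCOPED = {"token": {"methods": ["password"], "roles": [{"name": "admin"}],
                    "project": {"name": "admin", "domain": {"id": "default"}},
                    "user": {"name": "admin", "domain": {"id": "default"}}}}
```

Only scoped_token() touches the network; the classification helpers can be run against any saved token response to confirm the scope before changing policy.json.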


1 follower

Stats

Asked: 2016-11-02 12:36:42 -0500

Seen: 2,682 times

Last updated: Nov 09 '16