
Sliter's profile - activity

2015-06-17 01:06:22 -0500 received badge  Nice Question (source)
2015-03-07 10:02:37 -0500 received badge  Popular Question (source)
2015-03-07 10:02:37 -0500 received badge  Famous Question (source)
2015-03-07 10:02:37 -0500 received badge  Notable Question (source)
2015-03-05 00:45:59 -0500 asked a question Can't create user, keystone conflict occurred attempting to store role

Actually, I got this problem solved but I am not able to figure out the reason. Could anybody shed some light on this?

Steps to reproduce:

#sliter@controller~: keystone tenant-create --name timo

#sliter@controller~: keystone user-create --name timo --tenant timo --pass password --email
Conflict occurred attempting to store role

Steps to resolve:

#sliter@controller~: keystone role-delete _member_

After deleting the member role, user-create works fine.


  1. You don't need to recreate the member role, since user-create will automatically create the member role if it doesn't exist.
  2. Delete and recreate any users that have been associated with the member role. Otherwise, you'll get errors. For example, you'll get "ERROR (CommandError): Invalid OpenStack Nova Credentials" when you run 'nova list' under such a user.

Some background that may be helpful:

  1. The last time I created tenants and users was several months ago, at the beginning of December.
  2. One week ago, I found that a newly created compute node had a different nova version from the nova components on the controller node and on the previous compute nodes (New: 1:2014.2.1-0ub, Old: 1:2014.2-0ub). This inconsistency prevented me from creating instances on the new compute node. I used update & dist-upgrade on all nodes and solved this problem.

My guess:

Is it because of the different version of keystone? The previous member role was created under version 1:2014.2-0ub, and keystone version 1:2014.2.1-0ub doesn't recognize such a member role.

2014-12-15 21:33:21 -0500 received badge  Supporter (source)
2014-12-15 20:54:11 -0500 received badge  Famous Question (source)
2014-12-15 07:52:24 -0500 received badge  Editor (source)
2014-12-15 02:03:32 -0500 received badge  Good Question (source)
2014-12-15 00:11:46 -0500 received badge  Nice Question (source)
2014-12-15 00:08:41 -0500 received badge  Notable Question (source)
2014-12-14 21:30:38 -0500 received badge  Popular Question (source)
2014-12-14 10:31:05 -0500 asked a question Keystone authentication to public/admin port and scoped/unscoped token

I am new to OpenStack. After setting up a simple environment (controller + compute node), I am trying to learn how those components work.

My attempt (using curl) was to get a token and then get a list of tenants with that token.

To get a token, I tried the following ways:

curl -i -X POST http://controller:PORT/v2.0/tokens -H "Content-type: application/json" -d INFO

Replacing PORT and INFO in the above command with:

  1. PORT 5000, INFO: username, password => token 1
  2. PORT 35357, INFO: username, password => token 2
  3. PORT 5000, INFO: username, password, tenant name => token 3
  4. PORT 35357, INFO: username, password, tenant name => token 4

Note: The username is the admin user.

To get a list of tenants, I tried the following:

curl -i -X GET http://controller:PORT/v2.0/tenants -H "X-Auth-Token: TOKEN"

Replacing PORT and TOKEN in the above command with:

  1. token 1, port 5000: only to see the admin tenant
  2. token 1, port 35357: 401, requires authentication
  3. token 2, port 5000: only to see the admin tenant
  4. token 2, port 35357: 401, requires authentication
  5. token 3, port 5000: only to see the admin tenant
  6. token 3, port 35357: see admin, demo and service tenant
  7. token 4, port 5000: only to see the admin tenant
  8. token 4, port 35357: see admin, demo and service tenant

My questions are:

  1. Is there any difference between the tokens returned by talking to port 5000 and port 35357? If there is no difference, should I care which port to talk to when authentication is required?

  2. With the unscoped tokens (token 1 and token 2), why was authentication required when I was trying to talk to port 35357? Remember, I provided the admin user credentials to get those two tokens.

  3. With the scoped tokens (token 3 and token 4), why could I only see the admin tenant when talking to port 5000, while I could see all the tenants when talking to port 35357?


Thanks @Haneef Ali for the response.

Q: 3) It should not be the case. Are you sure you are using the same token, and that the username, password and tenant are the same in both cases?

A: Yes, I used the same token and username, password, tenant in both cases.

My guess is that providing a scoped token to port 5000 and to port 35357 maps to different rules in keystone policy.json.

[Screenshot: /etc/keystone/policy.json]

Notice that there is a list_projects rule as well as a list_user_projects rule.

So when you talk to port 5000, providing either an unscoped token or a scoped token, keystone refers to the list_user_projects rule, which accepts operations from both admin and owner. That explains items 1, 3, 5 and 7 in the above "To get a list of tenants" section.

However, when you talk to port 35357, keystone will refer to the list_projects rule, which requires admin privileges. That's why in items 2 & 4 we received the 'requires authentication' message, while in items 6 & 8 it ...

2014-12-06 00:51:39 -0500 received badge  Enthusiast
2014-11-27 06:18:32 -0500 received badge  Famous Question (source)
2014-11-26 00:20:46 -0500 received badge  Notable Question (source)
2014-11-25 17:15:38 -0500 received badge  Student (source)
2014-11-25 17:11:26 -0500 received badge  Popular Question (source)
2014-11-25 09:04:03 -0500 asked a question Can't create instance, no valid host was found, nova-compute is not running

I installed OpenStack via devstack, branch juno, on my Ubuntu 12.04 (not a VM).

When I was trying to launch an instance, I received the error message "No valid host was found. There are not enough hosts available".

After googling for a while, I found that someone had encountered exactly the same problem in this (thread).

Although the thread did not come with a final solution, it mentions that a missing nova-compute could result in such a problem. And running the command "nova-manage service list" shows that nova-compute is indeed missing.

So I tried to enable nova-compute with the command "nova-manage service enable --host=xxx --service=nova-compute". However, I ended up with the error message "error: Could not find binary nova-compute on host xxx."

Now, I am stuck here. Could anyone shed some light on this? Thanks