
yahoo-eng-team team mailing list archive

[Bug 1403136] Re: Create tenants, users, and roles in OpenStack Installation Guide for Ubuntu 14.04  - juno


I think I understand why the manual specifies that the deployer should
"create the _member_" role using "keystone role-create --name _member_"
(to support the explicit assignment in the following step), but I'd
recommend removing that instruction as a starting point to addressing
this issue. I'm not sure what to do about the following step that
utilizes the _member_ role, though, other than avoid using _member_ (in
that specific case, the admin user is being assigned a _member_ role on
the admin tenant ... whereas this would normally only be an "admin" role
assignment and you're done).

Background: keystone actually creates this role for you automatically,
as needed, to provide backwards compatibility for v2 calls wherein
default tenancy is used. The gist is that we want authorization
assignments to be an explicit triplet in v3. For example user + project
+ role. v2's notion of default tenancy means that no specific role is
involved, so Keystone creates the _member_ role if it doesn't already
exist, so that the assignment can be explicit. Keystone has a pre-
conceived member_role_name and member_role_id in keystone.conf that is
used whenever the _member_ role comes into play.

The behavior described in the report is then accurate: the "_member_"
role is successfully created manually, but when it's used by user-create
with default tenancy, the member_role_id in keystone.conf does not match
_member_'s ID in the backend (so it's not found), and thus Keystone
tries to create the role again, resulting in a 409 Conflict (duplicate
role name: _member_).

It might be possible for Keystone to avoid putting you in this
scenario by having Keystone notice the role you're trying to create, and
then at least ensuring that it's created as defined in keystone.conf.
So I'm going to add Keystone here as well.

** Changed in: openstack-manuals
   Importance: Medium => Undecided

** Also affects: keystone
   Importance: Undecided
       Status: New

** Tags added: user-experience

** Changed in: keystone
   Importance: Undecided => Low

** Changed in: keystone
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1403136

Title:
  Create tenants, users, and roles in OpenStack Installation Guide for
  Ubuntu 14.04  - juno

Status in OpenStack Identity (Keystone):
  In Progress
Status in OpenStack Manuals:
  Confirmed

Bug description:
  "e. By default, the dashboard limits access to users with the _member_
  role. Create the _member_ role:"

  The first sentence is true, but keystone will automatically create the
  _member_ role if it does not exist.

  I discovered this while tracking down an error:  "keystone user-
  create" resulted in a "duplicate entry" error. The sequence is like
  this:

  1) As described in the doc, I run "keystone role-create --name _member_". The role is created and assigned a random ID.
  2) On "user-create", keystone wants to assign the _member_ role to the new user. It looks up member_role_id in keystone.conf, finds none (the member_role_id does not match the ID from step 1)
  3) keystone now tries to create the _member_ role, but this fails since the name already exists.

  So by not creating the "_member_" role myself, the problem is averted.
  That's why I'm opening a bug against docs.... another fix would be for
  keystone to do the lookup by name instead, but I assume the keystone
  team has a good reason for not doing so.

  I'm using the v2 API with SQL backend.

  -----------------------------------
  Built: 2014-12-09T01:28:32 00:00
  git SHA: 6d3c276487be990722bc423642ffb05217d77289
  URL: http://docs.openstack.org/juno/install-guide/install/apt/content/keystone-users.html
  source File: file:/home/jenkins/workspace/openstack-manuals-tox-doc-publishdocs/doc/install-guide/section_keystone-users.xml
  xml:id: keystone-users
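The three-step sequence in the report, and the member_role_id lookup the comment describes, as an added Python model (this is illustrative code, not Keystone's own implementation): RoleStore, ensure_member_role, user_create_outcome, the sample member_role_id value and the lookup_by_name switch (modelling the reporter's "lookup by name" alternative) are constructed assumptions.

```python
import uuid

class Conflict(Exception): pass  # stands in for the 409 Conflict on a duplicate role name

class RoleStore:
    """Minimal stand-in for the SQL role table: primary-key ID, unique name."""

    def __init__(self):
        self._by_id = {}

    def get_by_id(self, role_id):
        return self._by_id.get(role_id)

    def get_by_name(self, name):
        return next((r for r in self._by_id.values() if r["name"] == name), None)

    def create(self, role_id, name):
        if self.get_by_name(name) is not None:
            raise Conflict(f"duplicate role name: {name}")
        self._by_id[role_id] = {"id": role_id, "name": name}
        return self._by_id[role_id]

    def role_create(self, name):
        # "keystone role-create --name NAME": the backend assigns a random ID.
        return self.create(uuid.uuid4().hex, name)

# Constructed sample of the two keystone.conf values the comment refers to.
CONF = {"member_role_name": "_member_",
        "member_role_id": "0123456789abcdef0123456789abcdef"}

def ensure_member_role(conf, store, lookup_by_name=False):
    """Role used for a v2 default-tenancy assignment (a model, not Keystone's code)."""
    role = store.get_by_id(conf["member_role_id"])       # step 2: lookup by ID only
    if role is None and lookup_by_name:                   # reporter's suggested alternative
        role = store.get_by_name(conf["member_role_name"])
    if role is None:                                      # step 3: create under configured ID
        role = store.create(conf["member_role_id"], conf["member_role_name"])
    return role

def user_create_outcome(pre_create_role, lookup_by_name=False):
    """'ok' or 'conflict' for a user-create, optionally after a manual role-create."""
    store = RoleStore()
    if pre_create_role:
        store.role_create(CONF["member_role_name"])       # step 1 of the report
    try:
        ensure_member_role(CONF, store, lookup_by_name)
        return "ok"
    except Conflict:
        return "conflict"
```

Calling user_create_outcome(True) reproduces the conflict from the report, while user_create_outcome(False) shows the role being created under the configured ID when nobody pre-created it.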
