yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1803882] Re: Keystone – error message is not correct/clear in case when no “rule” is associated to user

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Colleen Murphy <colleen@xxxxxxxxxxx>
Date: Wed, 21 Nov 2018 22:32:15 -0000
Reply-to: Bug 1803882 <1803882@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Using the --project flag with the openstack client sets the
default_project_id attribute of a user which was only used for the
keystone v2 API. With the v3 API (the only supported version) it's now
necessary to explicitly create the role assignment with

$ openstack role add --user new-user --project new-project member

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1803882

Title:
  Keystone – error message is not correct/clear in case when no “rule”
  is associated to user

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Keystone – error message is not correct/clear in case when no “rule”
  is associated to user

  Scenario:
  1) Source as admin user 
  . overcloudrc
  2) Create a new project
  openstack project create --description 'my new project' new-project --domain default
  3) Create user for previously created project
  openstack user create --project new-project --password PASSWORD new-user
  4) Copy overcloudrc content to userrc file and change
  cp overcloudrc userrc
  5) Change relevant for new-user values:
  export OS_USERNAME=new-user
  export OS_PASSWORD=PASSWORD
  export OS_PROJECT_NAME= new-project
  6) Save modified file and source now with this gile
  source userrc
  7) Execute some openstack command for example:
  openstack network list

  Actual Result:
  On CLI output the error which is shown to user is:
  The request you have made requires authentication. (HTTP 401) (Request-ID: req-373d8b48-15b7-4036-83d1-c82453584f15)

  In keystone log:
  /var/log/containers/keystone/keystone.log (5739, 5739)
  2018-11-18 15:09:15.902 35 WARNING keystone.common.wsgi [req-373d8b48-15b7-4036-83d1-c82453584f15 - - - - -] Authorization failed. The request you have made requires authentication. from 192.168.100.27: Unauthorized: The request you have made requires authentication.

  Expected Result:
  The real reason no rule is asociated to ‘new-user’ (or something like that) should be logged and prompted to user.
  Actual message we have is not relevant and not clear.

  Keystone logs attached.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1803882/+subscriptions

References

[Bug 1803882] [NEW] Keystone – error message is not correct/clear in case when no “rule” is associated to user
From: Arkady Shtempler, 2018-11-18