4 Dec 2019
Julian Pistorius (Gitter) | Make sense? | 00:21:15 |
Julian Pistorius (Gitter) | Oh... Hmm... | 00:21:20 |
cmart | on IU cloud:
(openstack-cli-venv) cmart@thinkpad:~/openstack-openrcs$ openstack user show 9f50ae78b7184e71c57c6f80628ceb35d6b72faa2d95dca3ec0d3f374d89f821
+---------------------+------------------------------------------------------------------+
| Field | Value |
+---------------------+------------------------------------------------------------------+
| domain_id | decf397762654fa2945ae7d4cc49d8c2 |
| email | julianp@redacted.org |
| enabled | True |
| id | 9f50ae78b7184e71c57c6f80628ceb35d6b72faa2d95dca3ec0d3f374d89f821 |
| name | tg833798 |
| options | {} |
| password_expires_at | None |
+---------------------+------------------------------------------------------------------+
| 00:23:06 |
cmart | so that user is definitely you. what groups do you belong to?
(openstack-cli-venv) cmart@thinkpad:~/openstack-openrcs$ openstack group list --user 9f50ae78b7184e71c57c6f80628ceb35d6b72faa2d95dca3ec0d3f374d89f821
+------------------------------------------------------------------+--------------+
| ID | Name |
+------------------------------------------------------------------+--------------+
| 5a216c17295b028f78e0c1385fd8123ee596065a672f9b8fddd4ccb201d7a956 | TG-ASC160018 |
| 3b97b120471e455a987ea9b1743c3f81118773e9989441c9832ac0ce64312859 | TG-CCR190024 |
| d92e59c315da146dccb63c7f75987c061f90343fa7500eadf1c90893bce7c43e | TG-CDA180005 |
| 7767d222d34e38ef962d25372cbb3980ef1f44442e7ac88b895915bfdafdaf97 | TG-TRA160003 |
| 80c3bb496529fc03b4bd0555a4da8941ea100f8257d8e69a9cb590fb68ebdd68 | TG-TRA190022 |
+------------------------------------------------------------------+--------------+
| 00:23:37 |
cmart | aha, 5 groups, each named according to a project | 00:24:57 |
cmart | let's take TG-CCR190024, the name of a project that you previously reported the 401 error for. | 00:25:37 |
cmart | looking up role assignments for that group:
(openstack-cli-venv) cmart@thinkpad:~/openstack-openrcs$ openstack role assignment list --group 3b97b120471e455a987ea9b1743c3f81118773e9989441c9832ac0ce64312859
+----------------------------------+------+------------------------------------------------------------------+----------------------------------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+----------------------------------+------+------------------------------------------------------------------+----------------------------------+--------+--------+-----------+
| f61bbb9a334d4f95b6921c1b48bb55e7 | | 3b97b120471e455a987ea9b1743c3f81118773e9989441c9832ac0ce64312859 | f477d7139ced4da384dab42001a7ea3c | | | False |
+----------------------------------+------+------------------------------------------------------------------+----------------------------------+--------+--------+-----------+
| 00:26:34 |
cmart | aha, there is project f477d7139ced4da384dab42001a7ea3c, which has name TG-CCR190024. | 00:26:57 |
cmart | so, I believe you have access to TG-CCR190024 (at least via API and Horizon) by virtue of your membership in a group with the same name | 00:27:32 |
cmart | so the role assignment is project + group. not project + user. | 00:27:53 |
Julian Pistorius (Gitter) | Hmm... That's interesting: When I log into Horizon and look at the app credentials there is a 'Roles' column, which for all the app credentials is set to ['user'] https://iu.jetstream-cloud.org/identity/application_credentials/ | 00:30:01 |
cmart | yep, for whatever that's worth. | 00:31:13 |
Julian Pistorius (Gitter) | But I don't have the user role on any of the projects other than TG-TRA160003 . So an app credential with that role will not work, right? Is that plausible? Can you make an app credential for a project + group | 00:31:18 |
cmart | https://bugs.launchpad.net/keystone/+bug/1773967 | 00:32:32 |
cmart | bingo | 00:32:45 |
Julian Pistorius (Gitter) | :tada: Nice! | 00:32:53 |
cmart | lol, reported a year and a half ago.. | 00:33:25 |
Julian Pistorius (Gitter) | And it was merged into Rocky & Queens two weeks ago! | 00:34:20 |
cmart | yup. I'll ask Mike if he can apply a patch :) | 00:34:42 |
Julian Pistorius (Gitter) | So if Mike patches Keystone it should work? | 00:35:04 |
Julian Pistorius (Gitter) | Snaps. | 00:35:08 |
cmart | it's a really small patch too | 00:36:09 |
cmart | shall I update #265 or would you like to? | 00:41:39 |
Julian Pistorius (Gitter) | @c-mart Go for it. You have the better grasp of the underlying problem. Thank you! | 00:44:48 |
cmart | looks like you already did :) I'll just close the issue | 00:45:15 |
Julian Pistorius (Gitter) | Oh. I thought you meant more details. :blush: | 00:45:48 |
cmart | if you ever take another crack at "more friendly error messages", we might tell the user something useful when we get a 401 when trying to log in with an Application Credential | 00:48:13 |
Julian Pistorius (Gitter) | Yep. | 00:48:25 |
cmart | maybe even link them to the bug and say "please show this to your cloud administrator" | 00:48:46 |