ging / fiware-idm-deprecated

DEPRECATED - Identity Manager - Keyrock
Apache License 2.0

Granting admin permissions to another user #39

Closed DerJayDee closed 8 years ago

DerJayDee commented 8 years ago

I tried to grant admin permissions to a user. In the horizon frontend everything seems to work fine: I can select the user in the manage administrators panel, I can grant the role purchaser for the idm_admin_app to that user, and upon clicking save I get a success message. But that user never shows up in the list of authorized administrators, and upon logging in with that user the admin functions are not displayed. Following is the log from keystone:

2016-01-26 08:07:16.403 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/users/idm HTTP/1.1" 200 339 0.009718
2016-01-26 08:07:16.409 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001798
2016-01-26 08:07:16.421 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/projects/idm HTTP/1.1" 200 336 0.009320
2016-01-26 08:07:16.426 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001719
2016-01-26 08:07:16.438 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/roles?name=owner HTTP/1.1" 200 411 0.009374
2016-01-26 08:07:16.450 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/role_assignments?user.id=idm&role.id=72484632fd2241f9a46096f43f773022 HTTP/1.1" 200 557 0.008066
2016-01-26 08:07:16.457 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001620
2016-01-26 08:07:16.465 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/OS-ROLES/users/role_assignments?user_id=idm HTTP/1.1" 200 403 0.006092
2016-01-26 08:07:16.471 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001632
2016-01-26 08:07:16.484 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/users?enabled=True HTTP/1.1" 200 1016 0.011095
2016-01-26 08:07:16.490 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001649
2016-01-26 08:07:16.503 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/OS-ROLES/roles HTTP/1.1" 200 621 0.011267
2016-01-26 08:07:16.519 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/OS-ROLES/users/idm/organizations/idm/roles/allowed HTTP/1.1" 200 261 0.012922
2016-01-26 08:07:16.525 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001626
2016-01-26 08:07:16.534 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/OS-OAUTH2/consumers/idm_admin_app HTTP/1.1" 200 679 0.006637
2016-01-26 08:07:16.540 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001680
2016-01-26 08:07:16.549 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/OS-OAUTH2/consumers/idm_admin_app HTTP/1.1" 200 679 0.007043
2016-01-26 08:07:16.554 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001632
2016-01-26 08:07:16.562 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/OS-ROLES/users/role_assignments?application_id=idm_admin_app HTTP/1.1" 200 420 0.006011
2016-01-26 08:07:16.568 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001595
2016-01-26 08:07:16.582 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/users?enabled=True HTTP/1.1" 200 1016 0.011105
2016-01-26 08:07:16.587 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001684
2016-01-26 08:07:16.601 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/OS-ROLES/roles HTTP/1.1" 200 621 0.011230
2016-01-26 08:07:16.617 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/OS-ROLES/users/idm/organizations/idm/roles/allowed HTTP/1.1" 200 261 0.012702
2016-01-26 08:07:16.623 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001735
2016-01-26 08:07:16.636 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/OS-ROLES/roles HTTP/1.1" 200 621 0.010949
2016-01-26 08:07:16.653 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/OS-ROLES/users/idm/organizations/idm/roles/allowed HTTP/1.1" 200 261 0.014023
2016-01-26 08:07:16.659 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001620
2016-01-26 08:07:16.668 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/OS-ROLES/users/role_assignments?application_id=idm_admin_app HTTP/1.1" 200 420 0.006411
2016-01-26 08:07:16.674 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001734
2016-01-26 08:07:16.686 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/users?enabled=True HTTP/1.1" 200 1016 0.010841
2016-01-26 08:07:16.796 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/users/idm HTTP/1.1" 200 339 0.009195
2016-01-26 08:07:16.802 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001785
2016-01-26 08:07:16.813 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/projects/idm HTTP/1.1" 200 336 0.008785
2016-01-26 08:07:16.819 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001676
2016-01-26 08:07:16.831 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/roles?name=owner HTTP/1.1" 200 411 0.010479
2016-01-26 08:07:16.843 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/role_assignments?user.id=idm&role.id=72484632fd2241f9a46096f43f773022 HTTP/1.1" 200 557 0.008102
2016-01-26 08:07:16.849 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001550
2016-01-26 08:07:16.857 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/OS-ROLES/users/role_assignments?user_id=idm HTTP/1.1" 200 403 0.005961
2016-01-26 08:07:16.882 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001815
2016-01-26 08:07:16.890 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/OS-ROLES/users/role_assignments?user_id=idm HTTP/1.1" 200 403 0.006378
2016-01-26 08:07:16.903 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/ HTTP/1.1" 200 486 0.001737
2016-01-26 08:07:16.914 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/users/idm HTTP/1.1" 200 339 0.008672
2016-01-26 08:07:16.931 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:16] "GET /v3/OS-ROLES/users/idm/organizations/idm/roles/allowed HTTP/1.1" 200 261 0.013375
2016-01-26 08:07:17.470 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:17] "GET /v3/users/idm HTTP/1.1" 200 339 0.010349
2016-01-26 08:07:17.477 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:17] "GET /v3/ HTTP/1.1" 200 486 0.001764
2016-01-26 08:07:17.489 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:17] "GET /v3/projects/idm HTTP/1.1" 200 336 0.009737
2016-01-26 08:07:17.495 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:17] "GET /v3/ HTTP/1.1" 200 486 0.001692
2016-01-26 08:07:17.506 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:17] "GET /v3/roles?name=owner HTTP/1.1" 200 411 0.009239
2016-01-26 08:07:17.519 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:17] "GET /v3/role_assignments?user.id=idm&role.id=72484632fd2241f9a46096f43f773022 HTTP/1.1" 200 557 0.008677
2016-01-26 08:07:17.526 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:17] "GET /v3/ HTTP/1.1" 200 486 0.001710
2016-01-26 08:07:17.540 1052 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:17] "GET /v3/users?enabled=True HTTP/1.1" 200 1016 0.011518
2016-01-26 08:07:17.546 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:17] "GET /v3/ HTTP/1.1" 200 486 0.001777
2016-01-26 08:07:17.555 1051 INFO eventlet.wsgi.server [-] 192.168.149.9 - - [26/Jan/2016 08:07:17] "GET /v3/OS-ROLES/users/role_assignments?application_id=idm_admin_app HTTP/1.1" 200 420 0.006620

Are OS-ROLES and OS_OAUTH2 the problem? It does not look correct to me. But how should it be set, and to what should it be set?

garcianavalon commented 8 years ago

I can't see anything wrong in these logs. My feeling is that the issue is either one of these:

Can you try assigning provider instead of purchaser? Can you make that GET with curl or some other tool and see the body it returns?

DerJayDee commented 8 years ago

Thanks for your reply. In the selection for admin authorization there is only the purchaser role to choose. The request with curl results in the following: {"role_assignments": [{"organization_id": "idm", "application_id": "idm_admin_app", "user_id": "idm", "role_id": "provider_role"}], "links": {"self": "http://<ServerIP>:<AdminPort>/v3/OS-ROLES/role_assignments?application_id=idm_admin_app", "previous": null, "next": null}} The request was made from the horizon server using the admin token in the X-Auth-Token header.

federicofdez commented 8 years ago

Hi @DerJayDee,

We looked into this issue, and it turns out that the behaviour you're reporting is caused by the IDs of fiware roles. They should be just provider and purchaser, instead of provider_role and purchaser_role, which are the values that the Keystone initial-data extension used to assign.

We just fixed this in https://github.com/ging/keystone/commit/01fb769e1245db25a2dbf948999147b1ca442861 and https://github.com/ging/horizon/commit/6ab0e7d2ee1f17048d0ec54d2bc749eceab1107b. Basically, you need to do the following:

  1. Update FIWARE_PURCHASER_ROLE_ID and FIWARE_PROVIDER_ROLE_ID in your local_settings.py file (the one placed in horizon/openstack_dashboard/local), as you can see in https://github.com/ging/horizon/commit/6ab0e7d2ee1f17048d0ec54d2bc749eceab1107b.
  2. Update your Keystone database, by either running an UPDATE query to replace the IDs or (if you can afford so) just drop your database and re-create it again (the fix in https://github.com/ging/keystone/commit/01fb769e1245db25a2dbf948999147b1ca442861 should correct the IDs).

Please let us know if there is still anything not working properly.

Thanks for your report!
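The mismatch and the two-step fix above, as an added example (not code from the fiware-idm, ging/keystone or ging/horizon projects): it checks the OS-ROLES response body quoted earlier against the FIWARE_*_ROLE_ID values from the horizon commit, then applies the ID rename to a stand-in database. The table and column names used for the migration (role_fiware, role_assignment_fiware) are assumptions for illustration, not the real Keystone schema; adapt the statements to your actual tables before running them.

```python
"""Added example for the provider_role / purchaser_role ID mismatch.

Not project code. The Keystone table/column names below are assumed
for illustration only; inspect your own schema before running any UPDATE.
"""
import json
import sqlite3

# Values from the horizon fix (local_settings.py after the referenced commit).
HORIZON_SETTINGS = {
    "FIWARE_PROVIDER_ROLE_ID": "provider",
    "FIWARE_PURCHASER_ROLE_ID": "purchaser",
}

# Legacy IDs that the old initial-data extension wrote into the DB -> new IDs.
LEGACY_ROLE_IDS = {
    "provider_role": "provider",
    "purchaser_role": "purchaser",
}

# Constructed sample: the body of
# GET /v3/OS-ROLES/users/role_assignments?application_id=idm_admin_app
# as quoted in the issue (host/port placeholders kept).
SAMPLE_RESPONSE = json.dumps({
    "role_assignments": [
        {"organization_id": "idm", "application_id": "idm_admin_app",
         "user_id": "idm", "role_id": "provider_role"},
    ],
    "links": {
        "self": "http://<ServerIP>:<AdminPort>/v3/OS-ROLES/role_assignments?application_id=idm_admin_app",
        "previous": None, "next": None,
    },
})


def find_mismatched_assignments(body, settings=HORIZON_SETTINGS):
    """Return assignments whose role_id is not one of the IDs horizon expects.

    Horizon recognises an administrator by comparing each assignment's role_id
    with FIWARE_PROVIDER_ROLE_ID / FIWARE_PURCHASER_ROLE_ID, so an assignment
    carrying a legacy ID is silently ignored even though it was saved.
    """
    expected = set(settings.values())
    data = json.loads(body)
    return [a for a in data.get("role_assignments", [])
            if a.get("role_id") not in expected]


def migration_sql(legacy=LEGACY_ROLE_IDS):
    """Parameterised UPDATE statements renaming legacy role IDs (assumed schema)."""
    stmts = []
    for old, new in legacy.items():
        stmts.append(("UPDATE role_fiware SET id = ? WHERE id = ?", (new, old)))
        stmts.append(("UPDATE role_assignment_fiware SET role_id = ? WHERE role_id = ?",
                      (new, old)))
    return stmts


def migrate(conn, legacy=LEGACY_ROLE_IDS):
    """Apply all renames in one transaction; return the number of rows changed."""
    changed = 0
    with conn:  # commits on success, rolls back if any statement fails
        for sql, params in migration_sql(legacy):
            changed += conn.execute(sql, params).rowcount
    return changed


def demo_db():
    """In-memory stand-in for a Keystone DB still holding the legacy IDs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE role_fiware (id TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE role_assignment_fiware (
            role_id TEXT, user_id TEXT, organization_id TEXT, application_id TEXT);
        INSERT INTO role_fiware VALUES ('provider_role', 'Provider'),
                                       ('purchaser_role', 'Purchaser');
        INSERT INTO role_assignment_fiware VALUES
            ('provider_role', 'idm', 'idm', 'idm_admin_app'),
            ('purchaser_role', 'alice', 'idm', 'idm_admin_app');
    """)
    return conn


def unexpected_role_ids(conn, settings=HORIZON_SETTINGS):
    """Role IDs present in the assignment table that horizon would not recognise."""
    expected = set(settings.values())
    rows = conn.execute("SELECT DISTINCT role_id FROM role_assignment_fiware")
    return sorted(r[0] for r in rows if r[0] not in expected)


if __name__ == "__main__":
    print("ignored by horizon:", find_mismatched_assignments(SAMPLE_RESPONSE))
    conn = demo_db()
    print("before migration:", unexpected_role_ids(conn))
    print("rows updated:", migrate(conn))
    print("after migration:", unexpected_role_ids(conn))
```

Run the API check first against the real admin endpoint (with the admin token in X-Auth-Token, as in the thread); if it reports legacy IDs, either run the equivalent UPDATEs against your schema or recreate the database with the fixed Keystone, and only then restart horizon with the new settings so both sides agree on the IDs.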