VMware Cloud Community
victorkh
Enthusiast
Enthusiast

Can't add Groups or Users

I am having an issue when trying to create users and groups to assign them to projects. I am using LDAP, but for some reason i don't see the click buttons to add users or groups. Am i missing something here? Attached are the screenshots. vioadmin is the account i was using when i connected VIO with LDAP during deploying openstack.

Even if i create the project and add the group "VIO_Users" to the "project Groups" and click OK, It doesn't add the group to the "project Groups"

Note: the _member_ roles was not created by default and i had to create it through Horizon in order to be able to create Projects.

14 Replies
yjia
VMware Employee
VMware Employee

That's work as design.

Since if you use LDAP, you will have to create groups and users by your ldap administrator which mean your can't create users/groups by OpenStack Horizon.

Reply
0 Kudos
victorkh
Enthusiast
Enthusiast

Well this is what i am having:

1. I added people from my AD to the security group "VIO_Users".

2. Created a project and tried to add "VIO_Users" group to that project by clicking manage members then clicking on "Project Groups".

3. Under the "Project Groups" i added "VIO_Users" group then clicked save. I got a message saying successfully modified the project. but if i click again on manage members then click on "Project Groups" tab, the "VIO_Users" group disappears and automatically moves back to the left side of the menu which means it didn't add the "VIO_Users" to the "project groups"

Can you add a group to a project or only single users?

Reply
0 Kudos
yjia
VMware Employee
VMware Employee

Just tried , I can add both a single user and a group.

If you still can't assign a group to a project, please upload your logs so that we can take a look.

how to get logs:

1> login to vio management server

2> run  sudo viogetlogs

Reply
0 Kudos
victorkh
Enthusiast
Enthusiast

Please see attached logs.

Reply
0 Kudos
yjia
VMware Employee
VMware Employee

Ok from the log you need to create a "_member_" role in your keystone.

$>openstack role create _member_

Please add that role and try to add a group to a project again.

Reply
0 Kudos
victorkh
Enthusiast
Enthusiast

I tried to add it but i get this error:

Cannot authenticate without an auth_url

See attached screenshot.

Reply
0 Kudos
victorkh
Enthusiast
Enthusiast

Any word on this? "openstack authorization failed: Cannot authenticate without an auth_url"

Reply
0 Kudos
KarolSte
Enthusiast
Enthusiast

after logging in to controller01, switch to root (sudo su), and execute 'source /root/cloudadmin.rc' . This will add required environment variables (including auth_url).

victorkh
Enthusiast
Enthusiast

Yixing Jia,

I added the role following your command, but it still doesn't want to assign a group to a project. Still the same issue, After clicking the project-> manage members -> project groups -> clicked the + sign to add a group -> save.

It automatically moves the group i added to the left side of the menu and it doesn't apply a group to a project.

Reply
0 Kudos
yjia
VMware Employee
VMware Employee

Hi victorhk,

Thanks for your patient.


1> please login to controller01/controller02   (

a>you need to first login to management server as viouser,

b>then please run "ssh controller01"

c>you can switch to root user with password "vmware"


please check your openstack-dashboard configuration file at

/etc/openstack-dashboard/local_settings.py   to make sure it has the follow line on both controller nodes.

OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST

OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"

if it didn't show there, please add that on both controller node.

2> still on the controller01 and 02

please check the keystone file at

/etc/keystone/keystone.conf

add the follow line in the default section

member_role_name = _member_

after that please restart keystone service and openstack-dashboard service.

> service keystone restart

>service apache2 restart

Please let me know if that works.

Reply
0 Kudos
victorkh
Enthusiast
Enthusiast

Hi Yixing Jia,

1 I followed your directions but still no good. i ssh to controller01 and controller02, switched to the root.

Both controllers show the following line after i get to the file /etc/openstack-dashboard/local_settings.py

OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3‌" % OPENSTACK_HOST

OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"

2 I went to the conf file of keystone on both controller and added the line "member_role_name = _member_" to the Default section

ran

> service keystone restart

>service apache2 restart

On each controller and even tried to stop/start VIO deployment to restart all VIO components. but the issue persisted Smiley Sad please see the attached screenshots and let me know if i added the role in the right place.

Reply
0 Kudos
yjia
VMware Employee
VMware Employee

Thanks for your feedback.

Please do the follow and please upload the latest log files. Thanks for your corporation!

1>please double check there is a role name _memeber_

2> please try to add a group to a project in horizon

3> after it failed, please collect the latest log by run viogetlogs

Since by the last log files we are pretty sure it was caused by missing the _memeber_ role.

with the latest log after the _member_ role created will help us to identify the issue why you still can't assign a group to a project.

Reply
0 Kudos
victorkh
Enthusiast
Enthusiast

Attached are the logs.

Reply
0 Kudos
yjia
VMware Employee
VMware Employee

Ok can you please try to add user/group by CLI?

Add a user to a role on a project/tenant

keystone user-role-add --user <user> --role <role> [--tenant <tenant>]


Add a group to a role on a project/tenant


openstack --os-identity-api-version 3 role add [--project <project>] [--group <group>] <role>

Reply
0 Kudos