@vkmc
Created March 4, 2013 13:06
Steps to remove a user from a tenant (BLOCKED)
List tenants
We are going to work on demo
[vkmc@thermalx2 projects]$ keystone tenant-list
+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| 5c56bef830124dafb953a15025beeef1 | admin | True |
| c147bc63aaae46a4bde468e65cdb5f94 | alt_demo | True |
| c7043fed69954395ac7949266e3a8b48 | demo | True |
| 24f4c7d2564840ffa9aef14427202cad | invisible_to_admin | True |
| a84bc15899be4a8a966266473cbb2908 | service | True |
+----------------------------------+--------------------+---------+
List users associated to demo. Here we can see that we have two users, admin and demo
[vkmc@thermalx2 devstack]$ keystone user-list --tenant-id c7043fed69954395ac7949266e3a8b48  # demo
+----------------------------------+-------+---------+-------------------+
| id | name | enabled | email |
+----------------------------------+-------+---------+-------------------+
| 5a03113b4c514940bb220f19bed1f76f | admin | True | [email protected] |
| d3fb0dece2554eeb99642433ac577730 | demo | True | [email protected] |
+----------------------------------+-------+---------+-------------------+
Removing the user seems a little harsh, so I decided we could just remove the role from that user from that tenant
Users can have only one role, so this should be an easy task.
We list the roles granted on a tenant.
Why doesn't the demo user pop up?
[vkmc@thermalx2 devstack]$ keystone help user-role-list
usage: keystone user-role-list [--user <user>] [--tenant <tenant>]
List roles granted to a user
Optional arguments:
--user <user>, --user-id <user>
List roles granted to a user
--tenant <tenant>, --tenant-id <tenant>
List roles granted on a tenant
[vkmc@thermalx2 devstack]$ keystone user-role-list --tenant c7043fed69954395ac7949266e3a8b48
+----------------------------------+-------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------+----------------------------------+----------------------------------+
| d8f1faa491a34901974acf73a523cef4 | admin | 5a03113b4c514940bb220f19bed1f76f | c7043fed69954395ac7949266e3a8b48 |
+----------------------------------+-------+----------------------------------+----------------------------------+
Maybe that's because the current user is admin... so we could use the --user and --tenant options
[vkmc@thermalx2 devstack]$ keystone user-role-list --user d3fb0dece2554eeb99642433ac577730 --tenant c7043fed69954395ac7949266e3a8b48
+----------------------------------+-------------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------------+----------------------------------+----------------------------------+
| 36d04d73f65442ddb3d16487ae2aab46 | anotherrole | d3fb0dece2554eeb99642433ac577730 | c7043fed69954395ac7949266e3a8b48 |
+----------------------------------+-------------+----------------------------------+----------------------------------+
[vkmc@thermalx2 devstack]$ keystone user-role-list --user 5a03113b4c514940bb220f19bed1f76f --tenant c7043fed69954395ac7949266e3a8b48
+----------------------------------+-------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------+----------------------------------+----------------------------------+
| d8f1faa491a34901974acf73a523cef4 | admin | 5a03113b4c514940bb220f19bed1f76f | c7043fed69954395ac7949266e3a8b48 |
+----------------------------------+-------+----------------------------------+----------------------------------+
And then... just remove the roles for the user in the tenant
[vkmc@thermalx2 devstack]$ keystone help user-role-remove
usage: keystone user-role-remove --user <user> --role <role>
[--tenant <tenant>]
Remove role from user
Optional arguments:
--user <user>, --user-id <user>, --user_id <user>
Name or ID of user
--role <role>, --role-id <role>, --role_id <role>
Name or ID of role
--tenant <tenant>, --tenant-id <tenant>
Name or ID of tenant
[vkmc@thermalx2 devstack]$ keystone user-role-remove --user d3fb0dece2554eeb99642433ac577730 --role 36d04d73f65442ddb3d16487ae2aab46 --tenant c7043fed69954395ac7949266e3a8b48
[vkmc@thermalx2 devstack]$ keystone user-role-remove --user 5a03113b4c514940bb220f19bed1f76f --role d8f1faa491a34901974acf73a523cef4 --tenant c7043fed69954395ac7949266e3a8b48
Unable to communicate with identity service: {"error": {"message": "Invalid tenant", "code": 401, "title": "Not Authorized"}}. (HTTP 401)
[vkmc@thermalx2 devstack]$ keystone user-list --tenant-id c7043fed69954395ac7949266e3a8b48
Unable to communicate with identity service: {"error": {"message": "Invalid tenant", "code": 401, "title": "Not Authorized"}}. (HTTP 401)
So apparently in the first call we deleted all the roles?
[vkmc@thermalx2 devstack]$ . openrc admin
[vkmc@thermalx2 devstack]$ keystone user-role-add --user 5a03113b4c514940bb220f19bed1f76f --role d8f1faa491a34901974acf73a523cef4 --tenant c7043fed69954395ac7949266e3a8b48
Unable to communicate with identity service: {"error": {"message": "Invalid tenant", "code": 401, "title": "Not Authorized"}}. (HTTP 401)
Well, it's not possible to add an admin after removal.
And... if you try to open the Project menu in Horizon, you will also get a 401 error.
This is supposed to be followed by a tenant deletion.
Let's see how it goes
[vkmc@thermalx2 devstack]$ keystone tenant-delete c7043fed69954395ac7949266e3a8b48
[vkmc@thermalx2 devstack]$ keystone tenant-list
Unable to communicate with identity service: {"error": {"message": "Could not find project: demo", "code": 401, "title": "Not Authorized"}}. (HTTP 401)
Not good... OS_TENANT_DEFAULT is still demo and I'm not able to access anything.
Is there a way to change the default tenant?
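A pre-flight and post-check for the role removal and tenant deletion above, as an added example that is not part of the original gist: `scope_conflict` flags a change aimed at the tenant the current credentials are scoped to, and `unexpected_removals` diffs `user-role-list` output taken before and after a removal. It assumes the client takes its scope from `OS_TENANT_NAME`; the function names and the `AFTER` table are constructed for illustration, and the other rows are copied from the transcript.

```shell
#!/bin/sh
# Added example, not from the original gist. In real use each table would be
# captured from the CLI, e.g. TENANTS=$(keystone tenant-list).
TARGET=c7043fed69954395ac7949266e3a8b48      # demo tenant, from the transcript
TENANTS='| id | name | enabled |
| 5c56bef830124dafb953a15025beeef1 | admin | True |
| c7043fed69954395ac7949266e3a8b48 | demo | True |'
# user-role-list rows for both users on demo, copied from the transcript.
BEFORE='| d8f1faa491a34901974acf73a523cef4 | admin | 5a03113b4c514940bb220f19bed1f76f | c7043fed69954395ac7949266e3a8b48 |
| 36d04d73f65442ddb3d16487ae2aab46 | anotherrole | d3fb0dece2554eeb99642433ac577730 | c7043fed69954395ac7949266e3a8b48 |'
AFTER=''   # constructed: models a removal that took every role on the tenant

# rows TABLE: drop borders and the header, print data rows space-separated.
rows() {
    printf '%s\n' "$1" | awk -F'|' 'NF > 3 && $2 !~ /^ *id *$/ {
        out = ""
        for (i = 2; i < NF; i++) {
            gsub(/^ +| +$/, "", $i)
            out = out (i > 2 ? " " : "") $i
        }
        print out
    }'
}

# scope_conflict TENANT_ID: true when OS_TENANT_NAME resolves to TENANT_ID,
# i.e. the change would hit the tenant these credentials authenticate against.
scope_conflict() {
    scoped=$(rows "$TENANTS" | awk -v n="${OS_TENANT_NAME:-}" '$2 == n { print $1 }')
    [ -n "$scoped" ] && [ "$scoped" = "$1" ]
}

# unexpected_removals "USER_ID ROLE_ID": print every "user role" pair that is
# in BEFORE, missing from AFTER, and not the pair that was meant to go.
unexpected_removals() {
    rows "$BEFORE" | while read -r role _name user _tenant; do
        [ "$user $role" = "$1" ] && continue
        rows "$AFTER" | awk -v r="$role" -v u="$user" \
            '$1 == r && $3 == u { found = 1 } END { exit !found }' \
            || echo "$user $role"
    done
}

OS_TENANT_NAME=${OS_TENANT_NAME:-demo}   # assumed scope for the demo run
if scope_conflict "$TARGET"; then
    echo "refusing: credentials are scoped to tenant $TARGET"
fi
unexpected_removals "d3fb0dece2554eeb99642433ac577730 36d04d73f65442ddb3d16487ae2aab46"
```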