Cannot list users and groups with Keystone v3

Bug #1415588 reported by Pavel Gluschak
This bug affects 5 people

Affects: OpenStack Dashboard (Horizon)
Status: In Progress
Importance: Undecided
Assigned to: Timur Sufiev
Milestone: (not set)

Bug Description

Openstack 2014.2.1 on CentOS 7

Horizon is configured to use Keystone v3 API w/ domains:
OPENSTACK_API_VERSIONS = {
    "identity": 3
}
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True

I logged in as admin and specified the "default" domain on the login page. When I select Identity->Users or Identity->Groups I get a pop-up error message saying "Error: Unauthorized: Unable to retrieve user/group list."

In keystone.log I see:
2015-01-28 21:39:51.654 4207 WARNING keystone.common.controller [-] No domain information specified as part of list request
2015-01-28 21:39:51.654 4207 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 9.167.185.90
2015-01-28 21:39:51.655 4207 INFO eventlet.wsgi.server [-] 9.167.185.90 - - [28/Jan/2015 21:39:51] "GET /v3/users HTTP/1.1" 401 313 0.008419
2015-01-28 21:39:54.031 4243 WARNING keystone.common.controller [-] No domain information specified as part of list request
2015-01-28 21:39:54.031 4243 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 9.167.185.90
2015-01-28 21:39:54.032 4243 INFO eventlet.wsgi.server [-] 9.167.185.90 - - [28/Jan/2015 21:39:54] "GET /v3/groups HTTP/1.1" 401 313 0.009917

Tags: keystone
Changed in horizon:
assignee: nobody → Wu Wenxiang (wu-wenxiang)
Revision history for this message
Nikunj Aggarwal (nikunj2512) wrote :

Not able to reproduce...

Revision history for this message
Pavel Gluschak (scsnow) wrote :

Do you have multiple domains defined? I have the first domain in the SQL backend and the second one in the LDAP backend.

[root@juno1 ~(keystonev3_admin)]# cat keystonev3rc_admin
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://9.167.185.90:5000/v3
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_USERNAME=admin
export OS_PROJECT_NAME=admin
export OS_PASSWORD=*****
export PS1='[\u@\h \W(keystonev3_admin)]\$ '
[root@juno1 ~(keystonev3_admin)]# openstack user list
ERROR: openstack The request you have made requires authentication. (HTTP 401)
[root@juno1 ~(keystonev3_admin)]# openstack user list --domain default
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 0261a5e2252d4778866209c4834a73ad | nova    |
| 0781c81c522642d689e3611a82ccb7f4 | neutron |
| 93e2632af4fa4c6297ce34e6208b3038 | heat    |
| 965afb3c90304064b74cafdcc04647a4 | cinder  |
| c8ffb935e7f3495593ee73a1f1d3f17f | admin   |
| eec4197e03c842a2ae4c1176ee66540d | glance  |
+----------------------------------+---------+

I have to specify the --domain parameter, even though I have OS_USER_DOMAIN_ID exported. I don't know whether it's a bug or a feature in Keystone.

affects: horizon → keystone
Changed in keystone:
assignee: Wu Wenxiang (wu-wenxiang) → nobody
Revision history for this message
Brant Knudson (blk-u) wrote :

Keystone doesn't allow listing all users when multiple domains are configured. Keystone is working as designed.

Revision history for this message
Pavel Gluschak (scsnow) wrote :

I suppose horizon should pass domain of logged in user to keystone, when listing users/groups.

Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

Brant is correct in this case. This is as designed. Listing all users is only guaranteed to be possible within the scope of a specific domain.

Marking this bug as invalid for Keystone.

Changed in keystone:
status: New → Invalid
Revision history for this message
Pavel Gluschak (scsnow) wrote :

To reproduce this bug in Horizon, multiple domains should be defined. Per the comments above, this works as designed in Keystone, so Horizon should include the domain in the request. I believe this should be the domain of the logged-in user.

affects: keystone → horizon
Changed in horizon:
status: Invalid → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Dashboard (Horizon) because there has been no activity for 60 days.]

Changed in horizon:
status: Incomplete → Expired
Changed in horizon:
status: Expired → New
Revision history for this message
Mahesh Sawaiker (mahesh-sawaiker) wrote :

I get this error; the openstack clients also seem to fail to list users and groups.

The issue seems to be in this method; line 715 is where the exception is thrown.

683 def _get_domain_id_for_list_request(self, context):
684 """Get the domain_id for a v3 list call.
685
686 If we running with multiple domain drivers, then the caller must
687 specify a domain_id either as a filter or as part of the token scope.
688
689 """
690 if not CONF.identity.domain_specific_drivers_enabled:
691 # We don't need to specify a domain ID in this case
692 return
693
694 if context['query_string'].get('domain_id') is not None:
695 return context['query_string'].get('domain_id')
696
697 try:
698 token_ref = token_model.KeystoneToken(
699 token_id=context['token_id'],
700 token_data=self.token_provider_api.validate_token(
701 context['token_id']))
702 except KeyError:
703 raise exception.ValidationError(
704 _('domain_id is required as part of entity'))
705 except (exception.TokenNotFound,
706 exception.UnsupportedTokenVersionException):
707 LOG.warning(_LW('Invalid token found while getting domain ID '
708 'for list request'))
709 raise exception.Unauthorized()
710
711 if token_ref.domain_scoped:
712 return token_ref.domain_id
713 else:
714 LOG.warning(
715 _LW('No domain information specified as part of list request'))
716 raise exception.Unauthorized()

Keystone logs are as follows.
2015-10-06 07:32:24.141 11175 DEBUG keystone.policy.backends.rules [-] enforce identity:list_users: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'a3cde1ee62b7882310e28a16efc19fae1fb81383628117c100f0fb80e7442177', 'roles': [u'admin', u'_member_'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=wAXcFhRURgmBoLZPhNZBaQ, audit_chain_id=wAXcFhRURgmBoLZPhNZBaQ) at 0x7fa5a9d894f0>, 'project_id': u'4bf2a3a0b84745259bb4c8d4829cf742', 'trust_id': None} enforce /opt/bbc/openstack-11.0-bbc73/keystone/local/lib/python2.7/site-packages/keystone/policy/backends/rules.py:76
2015-10-06 07:32:24.142 11175 DEBUG keystone.common.controller [-] RBAC: Authorization granted wrapper /opt/bbc/openstack-11.0-bbc73/keystone/local/lib/python2.7/site-packages/keystone/common/controller.py:203
2015-10-06 07:32:24.151 11175 WARNING keystone.common.controller [-] No domain information specified as part of list request
2015-10-06 07:32:24.152 11175 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from 192.168.0.96

Configuration
1) Enable domain-specific drivers in Keystone.
2) Keep the default domain in LDAP and all other domains in the SQL DB.
3) Try listing users or groups using the v3 API.

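The excerpt and log above show the sequence that produces the 401: the identity:list_users policy check passes, then the domain lookup fails because a project-scoped token carries no domain for the list. The following is an added example, not Keystone's or Horizon's own code. It is an in-memory model of that decision with one constructed backend per domain (the thread's SQL-plus-LDAP layout), and it also models the remedy proposed earlier in the thread, defaulting the filter to the logged-in user's domain, as a hypothetical horizon_list_users helper. The corp_ldap domain, the user names and the token values are constructed sample data, not identifiers from the report.

```python
"""Model of Keystone v3 domain resolution for list calls.

Added example (not Keystone's or Horizon's code). Shows why a project-scoped
admin token with no ``domain_id`` filter gets HTTP 401 on ``GET /v3/users``
when ``[identity] domain_specific_drivers_enabled = True``, although the
``identity:list_users`` RBAC check has already passed, and which request
shapes succeed. All domains, users and tokens below are constructed.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class Unauthorized(Exception):
    """Stand-in for keystone.exception.Unauthorized (HTTP 401)."""


class Forbidden(Exception):
    """Stand-in for keystone.exception.ForbiddenAction (HTTP 403)."""


@dataclass
class Token:
    user_id: str
    user_domain_id: str                # domain the user authenticated against
    roles: List[str]
    project_id: Optional[str] = None   # set on a project-scoped token
    domain_id: Optional[str] = None    # set on a domain-scoped token

    @property
    def domain_scoped(self) -> bool:
        return self.domain_id is not None


@dataclass
class Request:
    token: Token
    query: Dict[str, str] = field(default_factory=dict)   # URL query string


# Constructed sample data. With domain-specific drivers each domain is served
# by its own backend (one in SQL, one in LDAP in the thread), so no single
# driver can enumerate every user; "corp_ldap" is a made-up domain name.
DRIVERS: Dict[str, List[str]] = {
    "default": ["admin", "nova", "glance"],   # SQL backend
    "corp_ldap": ["alice", "bob"],            # LDAP backend
}


def domain_id_for_list_request(req: Request, drivers_enabled: bool) -> Optional[str]:
    """Same decision as keystone's _get_domain_id_for_list_request."""
    if not drivers_enabled:
        return None                          # single driver, no domain needed
    if "domain_id" in req.query:
        return req.query["domain_id"]        # explicit ?domain_id= filter
    if req.token.domain_scoped:
        return req.token.domain_id           # scope of a domain-scoped token
    # A project-scoped token gives no domain for the list; keystone logs
    # "No domain information specified as part of list request" and raises 401.
    raise Unauthorized("No domain information specified as part of list request")


def list_users(req: Request, drivers_enabled: bool = True) -> List[str]:
    # Step 1, RBAC: identity:list_users needs the admin role. This is the
    # "RBAC: Authorization granted" line in the debug log, and it passes.
    if "admin" not in req.token.roles:
        raise Forbidden("identity:list_users")
    # Step 2, domain resolution: this is where the 401 in the report comes from.
    domain_id = domain_id_for_list_request(req, drivers_enabled)
    if domain_id is None:
        return sorted(u for users in DRIVERS.values() for u in users)
    # Only the driver owning the requested domain is queried.
    return sorted(DRIVERS.get(domain_id, []))


def list_users_http(req: Request, drivers_enabled: bool = True) -> Tuple[int, List[str]]:
    """Map the outcome to the HTTP status a client would see."""
    try:
        return 200, list_users(req, drivers_enabled)
    except Unauthorized:
        return 401, []
    except Forbidden:
        return 403, []


def horizon_list_users(token: Token, domain_id: Optional[str] = None) -> Tuple[int, List[str]]:
    """Hypothetical helper for the remedy proposed in the thread: when the
    dashboard has no domain context selected, filter on the logged-in user's
    own domain instead of sending an unfiltered list request."""
    return list_users_http(Request(token, {"domain_id": domain_id or token.user_domain_id}))


if __name__ == "__main__":
    admin = Token("admin-uid", "default", ["admin", "_member_"], project_id="admin-proj")
    print(list_users_http(Request(admin)))                              # (401, [])
    print(list_users_http(Request(admin, {"domain_id": "default"})))   # (200, ['admin', 'glance', 'nova'])
    print(horizon_list_users(admin))                                    # (200, ['admin', 'glance', 'nova'])
```

Two points the model makes visible: the failure is an authorization shape problem, not an authentication one, yet keystone surfaces it as 401 because the code raises Unauthorized after the policy check has already granted the call; and the three remedies correspond to the three branches, disabling domain-specific drivers, passing the filter (the CLI's --domain, as shown earlier in the thread), or using a domain-scoped token (with python-openstackclient, authenticating with a domain and no project; treat the exact variables as an assumption to check against your client version).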
Revision history for this message
Mahesh Sawaiker (mahesh-sawaiker) wrote :

I was able to get users and groups to list; you need to set the domain context from Identity => Domains, then it works.
I think in Horizon this can be closed as fixed, but it possibly needs some documentation around this.

Pavel Gluschak (scsnow)
Changed in horizon:
status: New → Invalid
Revision history for this message
Itxaka Serrano (itxaka) wrote :

Is there something we could do in here to alleviate this? Maybe set up the default domain in the context on login so we don't show an error with no context at all?

Changed in horizon:
status: Invalid → New
Changed in horizon:
assignee: nobody → Radomir Dopieralski (thesheep)
status: New → In Progress
Changed in horizon:
assignee: Radomir Dopieralski (thesheep) → Timur Sufiev (tsufiev-x)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (master)

Change abandoned by Radomir Dopieralski (<email address hidden>) on branch: master
Review: https://review.openstack.org/356571

tags: added: keystone