[openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

Aimee Ukasick aimeeu.opensource at gmail.com
Fri Sep 16 15:28:12 UTC 2016


Eric - I added some info to the bug report
https://bugs.launchpad.net/congress/+bug/1602837

My version of DevStack uses keystone v2 for everything. However, I
found this line in the Horizon log:

"The Keystone URL (either in Horizon settings or in service catalog)
points to a v2.0 Keystone endpoint,
but v3 is specified as the API version to use by Horizon. Using v3
endpoint for authentication."


So when I hard-coded the auth_url to be v2.0, the pages loaded data as
expected.
I used your "replace" and will upload a patch asap.

Thanks!

aimee




On Thu, Sep 15, 2016 at 10:05 PM, Eric K <ekcs.openstack at gmail.com> wrote:
> Anusha and Aimee,
>
> Circling back on this issue: it seems that you are seeing different things
> with regards to horizon authentication using keystone v2. I think we can
> make good progress if we can clarify where we stand.
>
> Anusha said setting the auth_url explicitly to v2 works. Aimee said it
> didn¹t.
>
> So just to clarify:
>
> 1. Anusha did you mean set this line
> https://github.com/openstack/congress/blob/master/congress_dashboard/api/co
> ngress.py#L75
> To:
>     `auth_url = 'http://<host-ip>:5000/v2.0¹` ?
>
> 2. Aimee, is that what you tried?
>
> 3. Do you still get different results?
>
> From Anusha¹s commit message in this patch
> (https://review.openstack.org/#/c/305063/), the current code should fail
> because `auth_url = getattr(settings, 'OPENSTACK_KEYSTONE_URL¹)`[L75]
> grabs the .../v3 URL (devstack default), yet `auth =
> keystoneclient.auth.identity.v2.Token(`[L77] expects a .../v2.0 URL. So
> could we have a workaround simply by doing something like `auth_url =
> auth_url.replace('v3', 'v2.0¹)`? (*)
>
> Thanks again for all the investigative work!
>
> Eric
>
> (*) Another potential issue is ports:
> https://ask.openstack.org/en/question/67846/difference-between-keystone-por
> t-5000-and-35357/
>
> On 7/22/16, 9:06 AM, "Aimee Ukasick" <aimeeu.opensource at gmail.com> wrote:
>
>>All - I made the change to the auth_url that  Anusha suggested.
>>Same problem as before " Cannot authorize API client"
>>2016-07-22 14:13:50.835861 ***** calling policies_list =
>>client.list_policy()*****
>>2016-07-22 14:13:50.836062 Unable to get policies list: Cannot
>>authorize API client.
>>
>>I used the token from the log output to query the Congress API with
>>the keystone v3 token - no issues.
>>curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H
>>"Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies"
>>
>>So I really think the problem is that the python-congressclient
>>doesn't support identity v3.
>>I thought it did, but then I came across this:
>>"support keystone v3 api and session based authentication "
>>https://bugs.launchpad.net/python-congressclient/+bug/1564361
>>This is currently assigned to Anusha.
>>I'd like to start work on it since I am becoming familiar with keystone
>>v3.
>>
>>Thoughts?
>>
>>aimee
>>
>>
>>
>>
>>On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick
>><aimeeu.opensource at gmail.com> wrote:
>>> Thanks Anusha! I will retest this today. I guess I need to learn more
>>> about Horizon as well - thanks for pointing me in the right direction.
>>>
>>> aimee
>>>
>>>
>>>
>>> On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni
>>><anusha.iiitm at gmail.com> wrote:
>>>> Hi Aimee,
>>>>
>>>> I think devstack by default configured horizon to use v3 .
>>>> For V2 authentication, from the logs , auth_url doesn't seem to be set
>>>> explicitly to v2 auth_url .
>>>>
>>>> I have always set explicit v2 auth which worked fine.
>>>> For eg:- auth_url = 'http://<host-ip>:5000/v2.0' , for V2
>>>>authentication
>>>>
>>>> I have raised a patch, to take the auth_url from horizon settings
>>>>instead of
>>>> from request.
>>>> https://review.openstack.org/#/c/345828/1
>>>>
>>>> Please set explict v2 auth_url as mentioned above in
>>>>OPENSTACK_KESYTONE_URL
>>>> in <horizon>/openstack_dashboard/local/local_settings.py and restart
>>>>apache2
>>>> server . Then v2 authentication should go through fine.
>>>>
>>>> For v3 , need to add relevant code for v3 authentication in
>>>>contrib/horizon
>>>> as presently it is hardcoded to use only v2. but yes, the code from
>>>>plugin
>>>> model patch is still a WIP , so doesn't work for v3 authentication I
>>>>guess
>>>> I'll have a look at it and let you know .
>>>>
>>>>
>>>> Best Regards,
>>>> Anusha
>>>>
>>>> On 21 July 2016 at 21:56, Tim Hinrichs <tim at styra.com> wrote:
>>>>>
>>>>> So clearly an authentication problem then.
>>>>>
>>>>> Anusha, do you have any ideas?  (Aimee, I think Anusha has worked with
>>>>> Keystone authentication most recently, so she's your best bet.)
>>>>>
>>>>> Tim
>>>>>
>>>>> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick
>>>>> <aimeeu.opensource at gmail.com> wrote:
>>>>>>
>>>>>> The  Policy/Data Sources web page throws the same errors. I am
>>>>>> planning to recheck direct API calls using v3 auth today or tomorrow.
>>>>>>
>>>>>> aimee
>>>>>>
>>>>>> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs <tim at styra.com> wrote:
>>>>>> > Hi Aimee,
>>>>>> >
>>>>>> > Do the other APIs work?  That is, is it a general problem
>>>>>> > authenticating, or
>>>>>> > is the problem limited to list_policies?
>>>>>> >
>>>>>> > Tim
>>>>>> >
>>>>>> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick
>>>>>> > <aimeeu.opensource at gmail.com>
>>>>>> > wrote:
>>>>>> >>
>>>>>> >> Hi all,
>>>>>> >>
>>>>>> >> I've been working on Policy UI (Horizon): Unable to get policies
>>>>>> >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
>>>>>> >> for the past 3 days. Anusha is correct - it's an authentication
>>>>>> >> problem, but I have not been able to fix it.
>>>>>> >>
>>>>>> >> I grabbed the relevant code in congress.py from Anusha's horizon
>>>>>> >> plugin model patchset (https://review.openstack.org/#/c/305063/3)
>>>>>>and
>>>>>> >> added try/catch blocks, logging statements (with error because I
>>>>>> >> haven't figured out how to set the horizon log level).
>>>>>> >>
>>>>>> >>
>>>>>> >> I am testing the code on devstack, which I cloned on 19 July 2016.
>>>>>> >>
>>>>>> >> With both v2 and v3 auth, congressclient.v1.client is created.
>>>>>> >> The failure happens trying to call
>>>>>> >> congressclient.v1.client.Client.list_policies().
>>>>>> >> When using v2 auth, the error message is "Unable to get policies
>>>>>>list:
>>>>>> >> The resource could not be found"
>>>>>> >> When using v3 auth, the error message is "Cannot authorize API
>>>>>>client"
>>>>>> >>
>>>>>> >> I am assuming that congressclient.v1.client.Client is
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>>https://github.com/openstack/python-congressclient/blob/master/congres
>>>>>>sclient/v1/client.py
>>>>>> >> and that client.list_policy() calls list_policy()in the
>>>>>> >> python-congressclient
>>>>>> >> which in turn calls the Congress API. Is this correct?
>>>>>> >>
>>>>>> >> Any ideas why with v3 auth, the python-congressclient cannot
>>>>>>authorize
>>>>>> >> the
>>>>>> >> call to the API?
>>>>>> >>
>>>>>> >> I looked at other horizon plugin models (ceilometer, neutron,
>>>>>>nova,
>>>>>> >> cerberus, cloudkitty, trove, designate, manila) to see how they
>>>>>> >> created
>>>>>> >> the client. While the code to create a client is not identical,
>>>>>> >> it is vastly different from the code to create a client
>>>>>> >> in contrib/horizon/congress.py.
>>>>>> >>
>>>>>> >> Thanks in advance for any pointers.
>>>>>> >>
>>>>>> >> aimee
>>>>>> >>
>>>>>> >> Aimee Ukasick (aimeeu)
>>>>>> >>
>>>>>> >> v2 log:
>>>>>> >> 2016-07-20 22:13:56.501455
>>>>>> >> 2016-07-20 22:14:30.238233 ***** view.get_data calling policies =
>>>>>> >> congress.policies_list(self.request) *****
>>>>>> >> 2016-07-20 22:14:30.238318 ***** self.request.path=
>>>>>> >> /dashboard/admin/policies/
>>>>>> >> 2016-07-20 22:14:30.238352 ***** congress.policies_list(request)
>>>>>> >> BEGIN*****
>>>>>> >> 2016-07-20 22:14:30.238376 ***** calling client =
>>>>>> >> congressclient(request)*****
>>>>>> >> 2016-07-20 22:14:30.238399 ***** congress.congressclient
>>>>>>BEGIN*****
>>>>>> >> 2016-07-20 22:14:30.238454 ***** auth_url=
>>>>>> >> http://192.168.56.103/identity
>>>>>> >> 2016-07-20 22:14:30.238479 ***** calling get_keystone_session
>>>>>>*****
>>>>>> >> 2016-07-20 22:14:30.238505 ***** congress.get_keystone_session
>>>>>>BEGIN
>>>>>> >> auth_url *****http://192.168.56.103/identity
>>>>>> >> 2016-07-20 22:14:30.238554 ***** path= /identity
>>>>>> >> 2016-07-20 22:14:30.238578 ***** using V2 plugin to
>>>>>>authenticate*****
>>>>>> >> 2016-07-20 22:14:30.238630 ***** v2 auth.get_auth_state=
>>>>>> >> 2016-07-20 22:14:30.238656 None
>>>>>> >> 2016-07-20 22:14:30.238677 ***** finished using V2 plugin to
>>>>>> >> authenticate*****
>>>>>> >> 2016-07-20 22:14:30.238698 ***** creating session with auth *****
>>>>>> >> 2016-07-20 22:14:30.244407 ***** congress.get_keystone_session
>>>>>> >> END*****
>>>>>> >> 2016-07-20 22:14:30.244462 ***** regtion_name= RegionOne
>>>>>> >> 2016-07-20 22:14:30.244491 ***** calling
>>>>>> >> congress_client.Client(**kwargs)
>>>>>> >> 2016-07-20 22:14:30.247830 ***** congress.congressclient END*****
>>>>>> >> 2016-07-20 22:14:30.247902 ***** calling policies_list =
>>>>>> >> client.list_policy()*****
>>>>>> >> 2016-07-20 22:14:30.248012 DEBUG:keystoneauth.identity.v2:Making
>>>>>> >> authentication request to http://192.168.56.103/identity/tokens
>>>>>> >> 2016-07-20 22:14:30.255023 DEBUG:keystoneauth.session:Request
>>>>>>returned
>>>>>> >> failure status: 404
>>>>>> >> 2016-07-20 22:14:30.257546 Unable to get policies list: The
>>>>>>resource
>>>>>> >> could not be found.
>>>>>> >>
>>>>>> >>
>>>>>> >> v3 log:
>>>>>> >> 2016-07-20 22:09:22.912969
>>>>>> >> 2016-07-20 22:09:31.907119 ***** view.get_data calling policies =
>>>>>> >> congress.policies_list(self.request) *****
>>>>>> >> 2016-07-20 22:09:31.907973 ***** self.request.path=
>>>>>> >> /dashboard/admin/policies/
>>>>>> >> 2016-07-20 22:09:31.908122 ***** congress.policies_list(request)
>>>>>> >> BEGIN*****
>>>>>> >> 2016-07-20 22:09:31.908250 ***** calling client =
>>>>>> >> congressclient(request)*****
>>>>>> >> 2016-07-20 22:09:31.908386 ***** congress.congressclient
>>>>>>BEGIN*****
>>>>>> >> 2016-07-20 22:09:31.909034 ***** auth_url=
>>>>>> >> http://192.168.56.103/identity
>>>>>> >> 2016-07-20 22:09:31.909217 ***** calling get_keystone_session
>>>>>>*****
>>>>>> >> 2016-07-20 22:09:31.909356 ***** congress.get_keystone_session
>>>>>>BEGIN
>>>>>> >> auth_url *****http://192.168.56.103/identity
>>>>>> >> 2016-07-20 22:09:31.909527 ***** path= /identity
>>>>>> >> 2016-07-20 22:09:31.909795 ***** using V3 plugin to
>>>>>>authenticate*****
>>>>>> >> 2016-07-20 22:09:31.910042 auth_url=http://192.168.56.103/identity
>>>>>> >> 2016-07-20 22:09:31.910175 token=d46339f2d0b5455db54909d6ed95a9cc
>>>>>> >> 2016-07-20 22:09:31.910301 project_name=alt_demo
>>>>>> >> 2016-07-20 22:09:31.910426 domain_name=Default
>>>>>> >> 2016-07-20 22:09:31.910676 project_domain_name=default
>>>>>> >> 2016-07-20 22:09:31.910866 ***** v3 auth.get_auth_state=
>>>>>> >> 2016-07-20 22:09:31.910992 None
>>>>>> >> 2016-07-20 22:09:31.914053 ***** finished using V3 plugin to
>>>>>> >> authenticate*****
>>>>>> >> 2016-07-20 22:09:31.914100 ***** creating session with auth *****
>>>>>> >> 2016-07-20 22:09:31.922260 ***** congress.get_keystone_session
>>>>>> >> END*****
>>>>>> >> 2016-07-20 22:09:31.922542 ***** regtion_name= RegionOne
>>>>>> >> 2016-07-20 22:09:31.922676 ***** calling
>>>>>> >> congress_client.Client(**kwargs)
>>>>>> >> 2016-07-20 22:09:31.922822 ***** congress.congressclient END*****
>>>>>> >> 2016-07-20 22:09:31.922949 ***** calling policies_list =
>>>>>> >> client.list_policy()*****
>>>>>> >> 2016-07-20 22:09:31.924732 Unable to get policies list: Cannot
>>>>>> >> authorize API client.
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>>______________________________________________________________________
>>>>>>____
>>>>>> >> OpenStack Development Mailing List (not for usage questions)
>>>>>> >> Unsubscribe:
>>>>>> >> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>>>> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>>______________________________________________________________________
>>>>>>____
>>>>>> > OpenStack Development Mailing List (not for usage questions)
>>>>>> > Unsubscribe:
>>>>>> > OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>> >
>>>>>>
>>>>>>
>>>>>>
>>>>>>______________________________________________________________________
>>>>>>____
>>>>>> OpenStack Development Mailing List (not for usage questions)
>>>>>> Unsubscribe:
>>>>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>
>>>>>
>>>>>
>>>>>_______________________________________________________________________
>>>>>___
>>>>> OpenStack Development Mailing List (not for usage questions)
>>>>> Unsubscribe:
>>>>>OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>
>>>>
>>>>
>>>>
>>>>________________________________________________________________________
>>>>__
>>>> OpenStack Development Mailing List (not for usage questions)
>>>> Unsubscribe:
>>>>OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>
>>__________________________________________________________________________
>>OpenStack Development Mailing List (not for usage questions)
>>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



More information about the OpenStack-dev mailing list