[openstack-dev] [Openstack] [Horizon][Keystone] Failed to set up keystone v3 api for horizon

Trelohan Christophe ctrelohan at voyages-sncf.com
Thu Mar 12 09:16:51 UTC 2015


Is the user_id substituted in the cloud_admin rule the id of the cloud_admin user?
I don't think you can log in with the cloud_admin user in horizon; it seems that without a project created for a user, you can't log in to horizon.

I'm also interested in this. I also followed the mentioned article, but when I try to log in with the "admin" user in the "default" domain,
I get the same error (not authorized to list_projects), both with horizon and the REST API.

From: Lei Zhang [mailto:zhang.lei.fly at gmail.com]
Sent: Thursday, March 12, 2015 03:33
To: openstack; OpenStack Development Mailing List
Subject: [Openstack] [Horizon][Keystone] Failed to set up keystone v3 api for horizon

Has anyone tried this successfully?

On Mon, Mar 9, 2015 at 4:25 PM, Lei Zhang <zhang.lei.fly at gmail.com> wrote:
Hi guys,

I am setting up the keystone v3 api. Now I have run into an issue with the `cloud_admin` policy.

Based on the http://www.florentflament.com/blog/setting-keystone-v3-domains.html article, I modified the cloud_admin policy to

"cloud_admin": "rule:admin_required and domain_id:ef0d30167f744401a0cbfcc938ea7d63",

But the cloud_admin rule doesn't work as expected. I failed to open all the identity panels (like http://<host>/horizon/identity/domains/).
Horizon tells me "Error: Unable to retrieve project list."
And the keystone log shows this warning:

2015-03-09 16:00:06.423 9415 DEBUG keystone.policy.backends.rules [-] enforce identity:list_user_projects: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'6433222efd78459bb70ad9adbcfac418', 'roles': [u'_member_', u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=DWsSa6yYSWi0ht9E7q4uhw, audit_chain_id=w_zLBBeFQ82KevtJrdKIJw) at 0x7f4503fab3c8>, 'project_id': u'4d170baaa89b4e46b239249eb5ec6b00', 'trust_id': None}, enforce /usr/lib/python2.7/dist-packages/keystone/policy/backends/rules.py:100
2015-03-09 16:00:06.061 9410 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action: identity:list_projects (Disable debug mode to suppress these details.) 

I did some debugging and found that the root cause is that the `context` variable in keystone has no `domain_id` field (as in the keystone log above). So the `cloud_admin` rule failed. If I change `cloud_admin` to the following, it works as expected.

"cloud_admin": "rule:admin_required and user_id:6433222efd78459bb70ad9adbcfac418",

I found that in the keystone code [0], the domain_id only exists when the token is domain scoped. But I believe that the horizon login token is a project-scoped one (I am not very sure about this).

    if token.project_scoped:
        auth_context['project_id'] = token.project_id
    elif token.domain_scoped:
        auth_context['domain_id'] = token.domain_id
    else:
        LOG.debug('RBAC: Proceeding without project or domain scope')


Is it a bug, or some wrong configuration?

Following is my configuration.

# /etc/keystone/keystone.conf
[assignment]
driver = keystone.assignment.backends.sql.Assignment

# /etc/openstack-dashboard/local_settings.py (partly)
POLICY_FILES_PATH = "/etc/openstack-dashboard/"
POLICY_FILES = {
    'identity': 'keystone_policy.json',
}
OPENSTACK_API_VERSIONS = {
    "data_processing": 1.1,
    "identity": 3,
    "volume": 2
}

[0] https://github.com/openstack/keystone/blob/master/keystone/common/authorization.py#L58

Lei Zhang
Blog: http://xcodest.me
twitter/weibo: @jeffrey4l
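
The behaviour discussed in this thread, as an added example that is not part of the original messages and not keystone's own code: a simplified model of the scoping branch and the two `cloud_admin` variants, showing why a project-scoped token can never satisfy a `domain_id:` term. The `RULES` table, the helper names, the reduction of `admin_required` to `role:admin`, and the domain-scoped token are assumptions made for illustration.

```python
# Added illustration: a simplified model of the policy check, not keystone's code.
RULES = {
    # Assumption: admin_required reduces to holding the admin role.
    "admin_required": "role:admin",
    # The two cloud_admin variants quoted in the post.
    "cloud_admin_domain": "rule:admin_required and domain_id:ef0d30167f744401a0cbfcc938ea7d63",
    "cloud_admin_user": "rule:admin_required and user_id:6433222efd78459bb70ad9adbcfac418",
}

def build_auth_context(token):
    """Copy the token scope into the context the way the quoted branch does."""
    ctx = {"user_id": token["user_id"], "roles": token["roles"]}
    if token.get("project_id"):        # project-scoped: domain_id is never set
        ctx["project_id"] = token["project_id"]
    elif token.get("domain_id"):       # domain-scoped
        ctx["domain_id"] = token["domain_id"]
    return ctx

def check(term, ctx):
    """Evaluate one 'kind:value' term against the auth context."""
    kind, _, value = term.partition(":")
    if kind == "rule":
        return enforce(value, ctx)
    if kind == "role":
        return value in ctx["roles"]
    # A key missing from the context can never equal the expected value.
    return ctx.get(kind) == value

def enforce(name, ctx):
    """Evaluate a named rule; only terms joined by 'and' are supported."""
    return all(check(t.strip(), ctx) for t in RULES[name].split(" and "))

# Project-scoped token: ids taken from the debug log line in the post.
PROJECT_TOKEN = {"user_id": "6433222efd78459bb70ad9adbcfac418",
                 "roles": ["_member_", "admin"],
                 "project_id": "4d170baaa89b4e46b239249eb5ec6b00"}
# Constructed domain-scoped token for the same user.
DOMAIN_TOKEN = {"user_id": PROJECT_TOKEN["user_id"], "roles": ["admin"],
                "domain_id": "ef0d30167f744401a0cbfcc938ea7d63"}

if __name__ == "__main__":
    for label, tok in (("project", PROJECT_TOKEN), ("domain", DOMAIN_TOKEN)):
        ctx = build_auth_context(tok)
        print(label, {n: enforce(n, ctx) for n in ("cloud_admin_domain", "cloud_admin_user")})
```

In this model the `user_id:` variant passes for either scope, which also means it grants cloud-admin rights to exactly one hard-coded account regardless of which domain the token was issued for.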
