[openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help
Aimee Ukasick
aimeeu.opensource at gmail.com
Fri Jul 22 16:06:34 UTC 2016
All - I made the change to the auth_url that Anusha suggested.
Same problem as before " Cannot authorize API client"
2016-07-22 14:13:50.835861 ***** calling policies_list =
client.list_policy()*****
2016-07-22 14:13:50.836062 Unable to get policies list: Cannot
authorize API client.
I used the token from the log output to query the Congress API with
the keystone v3 token - no issues.
curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H
"Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies"
So I really think the problem is that the python-congressclient
doesn't support identity v3.
I thought it did, but then I came across this:
"support keystone v3 api and session based authentication "
https://bugs.launchpad.net/python-congressclient/+bug/1564361
This is currently assigned to Anusha.
I'd like to start work on it since I am becoming familiar with keystone v3.
Thoughts?
aimee
On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick
<aimeeu.opensource at gmail.com> wrote:
> Thanks Anusha! I will retest this today. I guess I need to learn more
> about Horizon as well - thanks for pointing me in the right direction.
>
> aimee
>
>
>
> On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni <anusha.iiitm at gmail.com> wrote:
>> Hi Aimee,
>>
>> I think devstack by default configured horizon to use v3 .
>> For V2 authentication, from the logs , auth_url doesn't seem to be set
>> explicitly to v2 auth_url .
>>
>> I have always set explicit v2 auth which worked fine.
>> For eg:- auth_url = 'http://<host-ip>:5000/v2.0' , for V2 authentication
>>
>> I have raised a patch, to take the auth_url from horizon settings instead of
>> from request.
>> https://review.openstack.org/#/c/345828/1
>>
>> Please set explict v2 auth_url as mentioned above in OPENSTACK_KESYTONE_URL
>> in <horizon>/openstack_dashboard/local/local_settings.py and restart apache2
>> server . Then v2 authentication should go through fine.
>>
>> For v3 , need to add relevant code for v3 authentication in contrib/horizon
>> as presently it is hardcoded to use only v2. but yes, the code from plugin
>> model patch is still a WIP , so doesn't work for v3 authentication I guess
>> I'll have a look at it and let you know .
>>
>>
>> Best Regards,
>> Anusha
>>
>> On 21 July 2016 at 21:56, Tim Hinrichs <tim at styra.com> wrote:
>>>
>>> So clearly an authentication problem then.
>>>
>>> Anusha, do you have any ideas? (Aimee, I think Anusha has worked with
>>> Keystone authentication most recently, so she's your best bet.)
>>>
>>> Tim
>>>
>>> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick
>>> <aimeeu.opensource at gmail.com> wrote:
>>>>
>>>> The Policy/Data Sources web page throws the same errors. I am
>>>> planning to recheck direct API calls using v3 auth today or tomorrow.
>>>>
>>>> aimee
>>>>
>>>> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs <tim at styra.com> wrote:
>>>> > Hi Aimee,
>>>> >
>>>> > Do the other APIs work? That is, is it a general problem
>>>> > authenticating, or
>>>> > is the problem limited to list_policies?
>>>> >
>>>> > Tim
>>>> >
>>>> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick
>>>> > <aimeeu.opensource at gmail.com>
>>>> > wrote:
>>>> >>
>>>> >> Hi all,
>>>> >>
>>>> >> I've been working on Policy UI (Horizon): Unable to get policies
>>>> >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
>>>> >> for the past 3 days. Anusha is correct - it's an authentication
>>>> >> problem, but I have not been able to fix it.
>>>> >>
>>>> >> I grabbed the relevant code in congress.py from Anusha's horizon
>>>> >> plugin model patchset (https://review.openstack.org/#/c/305063/3) and
>>>> >> added try/catch blocks, logging statements (with error because I
>>>> >> haven't figured out how to set the horizon log level).
>>>> >>
>>>> >>
>>>> >> I am testing the code on devstack, which I cloned on 19 July 2016.
>>>> >>
>>>> >> With both v2 and v3 auth, congressclient.v1.client is created.
>>>> >> The failure happens trying to call
>>>> >> congressclient.v1.client.Client.list_policies().
>>>> >> When using v2 auth, the error message is "Unable to get policies list:
>>>> >> The resource could not be found"
>>>> >> When using v3 auth, the error message is "Cannot authorize API client"
>>>> >>
>>>> >> I am assuming that congressclient.v1.client.Client is
>>>> >>
>>>> >>
>>>> >> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
>>>> >> and that client.list_policy() calls list_policy()in the
>>>> >> python-congressclient
>>>> >> which in turn calls the Congress API. Is this correct?
>>>> >>
>>>> >> Any ideas why with v3 auth, the python-congressclient cannot authorize
>>>> >> the
>>>> >> call to the API?
>>>> >>
>>>> >> I looked at other horizon plugin models (ceilometer, neutron, nova,
>>>> >> cerberus, cloudkitty, trove, designate, manila) to see how they
>>>> >> created
>>>> >> the client. While the code to create a client is not identical,
>>>> >> it is vastly different from the code to create a client
>>>> >> in contrib/horizon/congress.py.
>>>> >>
>>>> >> Thanks in advance for any pointers.
>>>> >>
>>>> >> aimee
>>>> >>
>>>> >> Aimee Ukasick (aimeeu)
>>>> >>
>>>> >> v2 log:
>>>> >> 2016-07-20 22:13:56.501455
>>>> >> 2016-07-20 22:14:30.238233 ***** view.get_data calling policies =
>>>> >> congress.policies_list(self.request) *****
>>>> >> 2016-07-20 22:14:30.238318 ***** self.request.path=
>>>> >> /dashboard/admin/policies/
>>>> >> 2016-07-20 22:14:30.238352 ***** congress.policies_list(request)
>>>> >> BEGIN*****
>>>> >> 2016-07-20 22:14:30.238376 ***** calling client =
>>>> >> congressclient(request)*****
>>>> >> 2016-07-20 22:14:30.238399 ***** congress.congressclient BEGIN*****
>>>> >> 2016-07-20 22:14:30.238454 ***** auth_url=
>>>> >> http://192.168.56.103/identity
>>>> >> 2016-07-20 22:14:30.238479 ***** calling get_keystone_session *****
>>>> >> 2016-07-20 22:14:30.238505 ***** congress.get_keystone_session BEGIN
>>>> >> auth_url *****http://192.168.56.103/identity
>>>> >> 2016-07-20 22:14:30.238554 ***** path= /identity
>>>> >> 2016-07-20 22:14:30.238578 ***** using V2 plugin to authenticate*****
>>>> >> 2016-07-20 22:14:30.238630 ***** v2 auth.get_auth_state=
>>>> >> 2016-07-20 22:14:30.238656 None
>>>> >> 2016-07-20 22:14:30.238677 ***** finished using V2 plugin to
>>>> >> authenticate*****
>>>> >> 2016-07-20 22:14:30.238698 ***** creating session with auth *****
>>>> >> 2016-07-20 22:14:30.244407 ***** congress.get_keystone_session
>>>> >> END*****
>>>> >> 2016-07-20 22:14:30.244462 ***** regtion_name= RegionOne
>>>> >> 2016-07-20 22:14:30.244491 ***** calling
>>>> >> congress_client.Client(**kwargs)
>>>> >> 2016-07-20 22:14:30.247830 ***** congress.congressclient END*****
>>>> >> 2016-07-20 22:14:30.247902 ***** calling policies_list =
>>>> >> client.list_policy()*****
>>>> >> 2016-07-20 22:14:30.248012 DEBUG:keystoneauth.identity.v2:Making
>>>> >> authentication request to http://192.168.56.103/identity/tokens
>>>> >> 2016-07-20 22:14:30.255023 DEBUG:keystoneauth.session:Request returned
>>>> >> failure status: 404
>>>> >> 2016-07-20 22:14:30.257546 Unable to get policies list: The resource
>>>> >> could not be found.
>>>> >>
>>>> >>
>>>> >> v3 log:
>>>> >> 2016-07-20 22:09:22.912969
>>>> >> 2016-07-20 22:09:31.907119 ***** view.get_data calling policies =
>>>> >> congress.policies_list(self.request) *****
>>>> >> 2016-07-20 22:09:31.907973 ***** self.request.path=
>>>> >> /dashboard/admin/policies/
>>>> >> 2016-07-20 22:09:31.908122 ***** congress.policies_list(request)
>>>> >> BEGIN*****
>>>> >> 2016-07-20 22:09:31.908250 ***** calling client =
>>>> >> congressclient(request)*****
>>>> >> 2016-07-20 22:09:31.908386 ***** congress.congressclient BEGIN*****
>>>> >> 2016-07-20 22:09:31.909034 ***** auth_url=
>>>> >> http://192.168.56.103/identity
>>>> >> 2016-07-20 22:09:31.909217 ***** calling get_keystone_session *****
>>>> >> 2016-07-20 22:09:31.909356 ***** congress.get_keystone_session BEGIN
>>>> >> auth_url *****http://192.168.56.103/identity
>>>> >> 2016-07-20 22:09:31.909527 ***** path= /identity
>>>> >> 2016-07-20 22:09:31.909795 ***** using V3 plugin to authenticate*****
>>>> >> 2016-07-20 22:09:31.910042 auth_url=http://192.168.56.103/identity
>>>> >> 2016-07-20 22:09:31.910175 token=d46339f2d0b5455db54909d6ed95a9cc
>>>> >> 2016-07-20 22:09:31.910301 project_name=alt_demo
>>>> >> 2016-07-20 22:09:31.910426 domain_name=Default
>>>> >> 2016-07-20 22:09:31.910676 project_domain_name=default
>>>> >> 2016-07-20 22:09:31.910866 ***** v3 auth.get_auth_state=
>>>> >> 2016-07-20 22:09:31.910992 None
>>>> >> 2016-07-20 22:09:31.914053 ***** finished using V3 plugin to
>>>> >> authenticate*****
>>>> >> 2016-07-20 22:09:31.914100 ***** creating session with auth *****
>>>> >> 2016-07-20 22:09:31.922260 ***** congress.get_keystone_session
>>>> >> END*****
>>>> >> 2016-07-20 22:09:31.922542 ***** regtion_name= RegionOne
>>>> >> 2016-07-20 22:09:31.922676 ***** calling
>>>> >> congress_client.Client(**kwargs)
>>>> >> 2016-07-20 22:09:31.922822 ***** congress.congressclient END*****
>>>> >> 2016-07-20 22:09:31.922949 ***** calling policies_list =
>>>> >> client.list_policy()*****
>>>> >> 2016-07-20 22:09:31.924732 Unable to get policies list: Cannot
>>>> >> authorize API client.
>>>> >>
>>>> >>
>>>> >> __________________________________________________________________________
>>>> >> OpenStack Development Mailing List (not for usage questions)
>>>> >> Unsubscribe:
>>>> >> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>> >
>>>> >
>>>> >
>>>> > __________________________________________________________________________
>>>> > OpenStack Development Mailing List (not for usage questions)
>>>> > Unsubscribe:
>>>> > OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>> >
>>>>
>>>>
>>>> __________________________________________________________________________
>>>> OpenStack Development Mailing List (not for usage questions)
>>>> Unsubscribe:
>>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
More information about the OpenStack-dev
mailing list