[openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help
Anusha Ramineni
anusha.iiitm at gmail.com
Sat Jul 23 02:21:54 UTC 2016
Hi Aimee,
Thanks for the investigation.
I remember testing congress client with V3 password based authentication ,
which worked fine .. but never tested with token based .
Please go ahead and fix it , if you think there is any issue .
On 22-Jul-2016 9:38 PM, "Aimee Ukasick" <aimeeu.opensource at gmail.com> wrote:
> All - I made the change to the auth_url that Anusha suggested.
> Same problem as before " Cannot authorize API client"
> 2016-07-22 14:13:50.835861 ***** calling policies_list =
> client.list_policy()*****
> 2016-07-22 14:13:50.836062 Unable to get policies list: Cannot
> authorize API client.
>
> I used the token from the log output to query the Congress API with
> the keystone v3 token - no issues.
> curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H
> "Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies"
>
> So I really think the problem is that the python-congressclient
> doesn't support identity v3.
> I thought it did, but then I came across this:
> "support keystone v3 api and session based authentication "
> https://bugs.launchpad.net/python-congressclient/+bug/1564361
> This is currently assigned to Anusha.
> I'd like to start work on it since I am becoming familiar with keystone v3.
>
> Thoughts?
>
> aimee
>
>
>
>
> On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick
> <aimeeu.opensource at gmail.com> wrote:
> > Thanks Anusha! I will retest this today. I guess I need to learn more
> > about Horizon as well - thanks for pointing me in the right direction.
> >
> > aimee
> >
> >
> >
> > On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni <anusha.iiitm at gmail.com>
> wrote:
> >> Hi Aimee,
> >>
> >> I think devstack by default configured horizon to use v3 .
> >> For V2 authentication, from the logs , auth_url doesn't seem to be set
> >> explicitly to v2 auth_url .
> >>
> >> I have always set explicit v2 auth which worked fine.
> >> For eg:- auth_url = 'http://<host-ip>:5000/v2.0' , for V2
> authentication
> >>
> >> I have raised a patch, to take the auth_url from horizon settings
> instead of
> >> from request.
> >> https://review.openstack.org/#/c/345828/1
> >>
> >> Please set explict v2 auth_url as mentioned above in
> OPENSTACK_KESYTONE_URL
> >> in <horizon>/openstack_dashboard/local/local_settings.py and restart
> apache2
> >> server . Then v2 authentication should go through fine.
> >>
> >> For v3 , need to add relevant code for v3 authentication in
> contrib/horizon
> >> as presently it is hardcoded to use only v2. but yes, the code from
> plugin
> >> model patch is still a WIP , so doesn't work for v3 authentication I
> guess
> >> I'll have a look at it and let you know .
> >>
> >>
> >> Best Regards,
> >> Anusha
> >>
> >> On 21 July 2016 at 21:56, Tim Hinrichs <tim at styra.com> wrote:
> >>>
> >>> So clearly an authentication problem then.
> >>>
> >>> Anusha, do you have any ideas? (Aimee, I think Anusha has worked with
> >>> Keystone authentication most recently, so she's your best bet.)
> >>>
> >>> Tim
> >>>
> >>> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick
> >>> <aimeeu.opensource at gmail.com> wrote:
> >>>>
> >>>> The Policy/Data Sources web page throws the same errors. I am
> >>>> planning to recheck direct API calls using v3 auth today or tomorrow.
> >>>>
> >>>> aimee
> >>>>
> >>>> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs <tim at styra.com> wrote:
> >>>> > Hi Aimee,
> >>>> >
> >>>> > Do the other APIs work? That is, is it a general problem
> >>>> > authenticating, or
> >>>> > is the problem limited to list_policies?
> >>>> >
> >>>> > Tim
> >>>> >
> >>>> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick
> >>>> > <aimeeu.opensource at gmail.com>
> >>>> > wrote:
> >>>> >>
> >>>> >> Hi all,
> >>>> >>
> >>>> >> I've been working on Policy UI (Horizon): Unable to get policies
> >>>> >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
> >>>> >> for the past 3 days. Anusha is correct - it's an authentication
> >>>> >> problem, but I have not been able to fix it.
> >>>> >>
> >>>> >> I grabbed the relevant code in congress.py from Anusha's horizon
> >>>> >> plugin model patchset (https://review.openstack.org/#/c/305063/3)
> and
> >>>> >> added try/catch blocks, logging statements (with error because I
> >>>> >> haven't figured out how to set the horizon log level).
> >>>> >>
> >>>> >>
> >>>> >> I am testing the code on devstack, which I cloned on 19 July 2016.
> >>>> >>
> >>>> >> With both v2 and v3 auth, congressclient.v1.client is created.
> >>>> >> The failure happens trying to call
> >>>> >> congressclient.v1.client.Client.list_policies().
> >>>> >> When using v2 auth, the error message is "Unable to get policies
> list:
> >>>> >> The resource could not be found"
> >>>> >> When using v3 auth, the error message is "Cannot authorize API
> client"
> >>>> >>
> >>>> >> I am assuming that congressclient.v1.client.Client is
> >>>> >>
> >>>> >>
> >>>> >>
> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
> >>>> >> and that client.list_policy() calls list_policy()in the
> >>>> >> python-congressclient
> >>>> >> which in turn calls the Congress API. Is this correct?
> >>>> >>
> >>>> >> Any ideas why with v3 auth, the python-congressclient cannot
> authorize
> >>>> >> the
> >>>> >> call to the API?
> >>>> >>
> >>>> >> I looked at other horizon plugin models (ceilometer, neutron, nova,
> >>>> >> cerberus, cloudkitty, trove, designate, manila) to see how they
> >>>> >> created
> >>>> >> the client. While the code to create a client is not identical,
> >>>> >> it is vastly different from the code to create a client
> >>>> >> in contrib/horizon/congress.py.
> >>>> >>
> >>>> >> Thanks in advance for any pointers.
> >>>> >>
> >>>> >> aimee
> >>>> >>
> >>>> >> Aimee Ukasick (aimeeu)
> >>>> >>
> >>>> >> v2 log:
> >>>> >> 2016-07-20 22:13:56.501455
> >>>> >> 2016-07-20 22:14:30.238233 ***** view.get_data calling policies =
> >>>> >> congress.policies_list(self.request) *****
> >>>> >> 2016-07-20 22:14:30.238318 ***** self.request.path=
> >>>> >> /dashboard/admin/policies/
> >>>> >> 2016-07-20 22:14:30.238352 ***** congress.policies_list(request)
> >>>> >> BEGIN*****
> >>>> >> 2016-07-20 22:14:30.238376 ***** calling client =
> >>>> >> congressclient(request)*****
> >>>> >> 2016-07-20 22:14:30.238399 ***** congress.congressclient BEGIN*****
> >>>> >> 2016-07-20 22:14:30.238454 ***** auth_url=
> >>>> >> http://192.168.56.103/identity
> >>>> >> 2016-07-20 22:14:30.238479 ***** calling get_keystone_session *****
> >>>> >> 2016-07-20 22:14:30.238505 ***** congress.get_keystone_session
> BEGIN
> >>>> >> auth_url *****http://192.168.56.103/identity
> >>>> >> 2016-07-20 22:14:30.238554 ***** path= /identity
> >>>> >> 2016-07-20 22:14:30.238578 ***** using V2 plugin to
> authenticate*****
> >>>> >> 2016-07-20 22:14:30.238630 ***** v2 auth.get_auth_state=
> >>>> >> 2016-07-20 22:14:30.238656 None
> >>>> >> 2016-07-20 22:14:30.238677 ***** finished using V2 plugin to
> >>>> >> authenticate*****
> >>>> >> 2016-07-20 22:14:30.238698 ***** creating session with auth *****
> >>>> >> 2016-07-20 22:14:30.244407 ***** congress.get_keystone_session
> >>>> >> END*****
> >>>> >> 2016-07-20 22:14:30.244462 ***** regtion_name= RegionOne
> >>>> >> 2016-07-20 22:14:30.244491 ***** calling
> >>>> >> congress_client.Client(**kwargs)
> >>>> >> 2016-07-20 22:14:30.247830 ***** congress.congressclient END*****
> >>>> >> 2016-07-20 22:14:30.247902 ***** calling policies_list =
> >>>> >> client.list_policy()*****
> >>>> >> 2016-07-20 22:14:30.248012 DEBUG:keystoneauth.identity.v2:Making
> >>>> >> authentication request to http://192.168.56.103/identity/tokens
> >>>> >> 2016-07-20 22:14:30.255023 DEBUG:keystoneauth.session:Request
> returned
> >>>> >> failure status: 404
> >>>> >> 2016-07-20 22:14:30.257546 Unable to get policies list: The
> resource
> >>>> >> could not be found.
> >>>> >>
> >>>> >>
> >>>> >> v3 log:
> >>>> >> 2016-07-20 22:09:22.912969
> >>>> >> 2016-07-20 22:09:31.907119 ***** view.get_data calling policies =
> >>>> >> congress.policies_list(self.request) *****
> >>>> >> 2016-07-20 22:09:31.907973 ***** self.request.path=
> >>>> >> /dashboard/admin/policies/
> >>>> >> 2016-07-20 22:09:31.908122 ***** congress.policies_list(request)
> >>>> >> BEGIN*****
> >>>> >> 2016-07-20 22:09:31.908250 ***** calling client =
> >>>> >> congressclient(request)*****
> >>>> >> 2016-07-20 22:09:31.908386 ***** congress.congressclient BEGIN*****
> >>>> >> 2016-07-20 22:09:31.909034 ***** auth_url=
> >>>> >> http://192.168.56.103/identity
> >>>> >> 2016-07-20 22:09:31.909217 ***** calling get_keystone_session *****
> >>>> >> 2016-07-20 22:09:31.909356 ***** congress.get_keystone_session
> BEGIN
> >>>> >> auth_url *****http://192.168.56.103/identity
> >>>> >> 2016-07-20 22:09:31.909527 ***** path= /identity
> >>>> >> 2016-07-20 22:09:31.909795 ***** using V3 plugin to
> authenticate*****
> >>>> >> 2016-07-20 22:09:31.910042 auth_url=http://192.168.56.103/identity
> >>>> >> 2016-07-20 22:09:31.910175 token=d46339f2d0b5455db54909d6ed95a9cc
> >>>> >> 2016-07-20 22:09:31.910301 project_name=alt_demo
> >>>> >> 2016-07-20 22:09:31.910426 domain_name=Default
> >>>> >> 2016-07-20 22:09:31.910676 project_domain_name=default
> >>>> >> 2016-07-20 22:09:31.910866 ***** v3 auth.get_auth_state=
> >>>> >> 2016-07-20 22:09:31.910992 None
> >>>> >> 2016-07-20 22:09:31.914053 ***** finished using V3 plugin to
> >>>> >> authenticate*****
> >>>> >> 2016-07-20 22:09:31.914100 ***** creating session with auth *****
> >>>> >> 2016-07-20 22:09:31.922260 ***** congress.get_keystone_session
> >>>> >> END*****
> >>>> >> 2016-07-20 22:09:31.922542 ***** regtion_name= RegionOne
> >>>> >> 2016-07-20 22:09:31.922676 ***** calling
> >>>> >> congress_client.Client(**kwargs)
> >>>> >> 2016-07-20 22:09:31.922822 ***** congress.congressclient END*****
> >>>> >> 2016-07-20 22:09:31.922949 ***** calling policies_list =
> >>>> >> client.list_policy()*****
> >>>> >> 2016-07-20 22:09:31.924732 Unable to get policies list: Cannot
> >>>> >> authorize API client.
> >>>> >>
> >>>> >>
> >>>> >>
> __________________________________________________________________________
> >>>> >> OpenStack Development Mailing List (not for usage questions)
> >>>> >> Unsubscribe:
> >>>> >> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >>>> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>>> >
> >>>> >
> >>>> >
> >>>> >
> __________________________________________________________________________
> >>>> > OpenStack Development Mailing List (not for usage questions)
> >>>> > Unsubscribe:
> >>>> > OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>>> >
> >>>>
> >>>>
> >>>>
> __________________________________________________________________________
> >>>> OpenStack Development Mailing List (not for usage questions)
> >>>> Unsubscribe:
> >>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>>
> >>>
> >>>
> __________________________________________________________________________
> >>> OpenStack Development Mailing List (not for usage questions)
> >>> Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>>
> >>
> >>
> >>
> __________________________________________________________________________
> >> OpenStack Development Mailing List (not for usage questions)
> >> Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160723/808ed70f/attachment.html>
More information about the OpenStack-dev
mailing list