[openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

Aimee Ukasick aimeeu.opensource at gmail.com
Thu Jul 28 20:53:28 UTC 2016


I've gotten a little farther, which leads me to my next question -
does the API support v3 token auth?
or am I making mistakes in my manual testing?

using the CLI on local devstack
1) did not modify openrc
2) source openrc
3) openstack token issue
4)  openstack congress datasource list --os-auth-type v3token
--os-token ad74073300e244768e08e0d4cd73fbbd --os-auth-url
http://192.168.56.101:5000/v3
--os-project-id da9a9ba573c34c18a037fd04812d81bc   --debug --verbose

When the python-congressclient calls the API, this is the response:
RESP BODY: Policy doesn't allow get_v1 to be performed.
Request returned failure status: 403

Log:  http://paste.openstack.org/show/543445/

So then I called the API directly:
curl -X POST -H "Content-Type: application/json" -H "Cache-Control: no-cache"
-d '{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "demo",
          "domain": { "id": "default" },
          "password": "secret"
        }
      }
    }
  }
}' "http://192.168.56.101:5000/v3/auth/tokens"

Response:
{
  "token": {
    "issued_at": "2016-07-28T20:43:44.258137Z",
    "audit_ids": [
      "N6tnfbI5QvyRT4xEB7pGCA"
    ],
    "methods": [
      "password"
    ],
    "expires_at": "2016-07-28T21:43:44.258112Z",
    "user": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "id": "f2bf5189bbd7466cbecc1b1315cff3b5",
      "name": "demo"
    }
  }
}

Then:
curl -X GET -H "X-Auth-Token: f2bf5189bbd7466cbecc1b1315cff3b5" -H
"Cache-Control: no-cache" "http://192.168.56.101:1789/v1/data-sources"

Response:
{
  "error": {
    "message": "The request you have made requires authentication.",
    "code": 401,
    "title": "Unauthorized"
  }
}

I'm feeling pretty stupid at the moment, like I've missed something obvious.
Any ideas?

Thanks!

aimee

On Fri, Jul 22, 2016 at 9:21 PM, Anusha Ramineni <anusha.iiitm at gmail.com> wrote:
> Hi Aimee,
>
> Thanks for the investigation.
>
> I remember testing congress client with V3 password based authentication ,
> which worked fine .. but never tested with token based .
>
> Please go ahead and fix it , if you think there is any issue .
>
>
> On 22-Jul-2016 9:38 PM, "Aimee Ukasick" <aimeeu.opensource at gmail.com> wrote:
>>
>> All - I made the change to the auth_url that  Anusha suggested.
>> Same problem as before " Cannot authorize API client"
>> 2016-07-22 14:13:50.835861 ***** calling policies_list =
>> client.list_policy()*****
>> 2016-07-22 14:13:50.836062 Unable to get policies list: Cannot
>> authorize API client.
>>
>> I used the token from the log output to query the Congress API with
>> the keystone v3 token - no issues.
>> curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H
>> "Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies"
>>
>> So I really think the problem is that the python-congressclient
>> doesn't support identity v3.
>> I thought it did, but then I came across this:
>> "support keystone v3 api and session based authentication "
>> https://bugs.launchpad.net/python-congressclient/+bug/1564361
>> This is currently assigned to Anusha.
>> I'd like to start work on it since I am becoming familiar with keystone
>> v3.
>>
>> Thoughts?
>>
>> aimee
>>
>>
>>
>>
>> On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick
>> <aimeeu.opensource at gmail.com> wrote:
>> > Thanks Anusha! I will retest this today. I guess I need to learn more
>> > about Horizon as well - thanks for pointing me in the right direction.
>> >
>> > aimee
>> >
>> >
>> >
>> > On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni
>> > <anusha.iiitm at gmail.com> wrote:
>> >> Hi Aimee,
>> >>
>> >> I think devstack by default configured horizon to use v3 .
>> >> For V2 authentication, from the logs , auth_url doesn't seem to be set
>> >> explicitly to v2 auth_url .
>> >>
>> >> I have always set explicit v2 auth which worked fine.
>> >> For eg:- auth_url = 'http://<host-ip>:5000/v2.0' , for V2
>> >> authentication
>> >>
>> >> I have raised a patch, to take the auth_url from horizon settings
>> >> instead of
>> >> from request.
>> >> https://review.openstack.org/#/c/345828/1
>> >>
>> >> Please set explict v2 auth_url as mentioned above in
>> >> OPENSTACK_KESYTONE_URL
>> >> in <horizon>/openstack_dashboard/local/local_settings.py and restart
>> >> apache2
>> >> server . Then v2 authentication should go through fine.
>> >>
>> >> For v3 , need to add relevant code for v3 authentication in
>> >> contrib/horizon
>> >> as presently it is hardcoded to use only v2. but yes, the code from
>> >> plugin
>> >> model patch is still a WIP , so doesn't work for v3 authentication I
>> >> guess
>> >> I'll have a look at it and let you know .
>> >>
>> >>
>> >> Best Regards,
>> >> Anusha
>> >>
>> >> On 21 July 2016 at 21:56, Tim Hinrichs <tim at styra.com> wrote:
>> >>>
>> >>> So clearly an authentication problem then.
>> >>>
>> >>> Anusha, do you have any ideas?  (Aimee, I think Anusha has worked with
>> >>> Keystone authentication most recently, so she's your best bet.)
>> >>>
>> >>> Tim
>> >>>
>> >>> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick
>> >>> <aimeeu.opensource at gmail.com> wrote:
>> >>>>
>> >>>> The  Policy/Data Sources web page throws the same errors. I am
>> >>>> planning to recheck direct API calls using v3 auth today or tomorrow.
>> >>>>
>> >>>> aimee
>> >>>>
>> >>>> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs <tim at styra.com> wrote:
>> >>>> > Hi Aimee,
>> >>>> >
>> >>>> > Do the other APIs work?  That is, is it a general problem
>> >>>> > authenticating, or
>> >>>> > is the problem limited to list_policies?
>> >>>> >
>> >>>> > Tim
>> >>>> >
>> >>>> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick
>> >>>> > <aimeeu.opensource at gmail.com>
>> >>>> > wrote:
>> >>>> >>
>> >>>> >> Hi all,
>> >>>> >>
>> >>>> >> I've been working on Policy UI (Horizon): Unable to get policies
>> >>>> >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
>> >>>> >> for the past 3 days. Anusha is correct - it's an authentication
>> >>>> >> problem, but I have not been able to fix it.
>> >>>> >>
>> >>>> >> I grabbed the relevant code in congress.py from Anusha's horizon
>> >>>> >> plugin model patchset (https://review.openstack.org/#/c/305063/3)
>> >>>> >> and
>> >>>> >> added try/catch blocks, logging statements (with error because I
>> >>>> >> haven't figured out how to set the horizon log level).
>> >>>> >>
>> >>>> >>
>> >>>> >> I am testing the code on devstack, which I cloned on 19 July 2016.
>> >>>> >>
>> >>>> >> With both v2 and v3 auth, congressclient.v1.client is created.
>> >>>> >> The failure happens trying to call
>> >>>> >> congressclient.v1.client.Client.list_policies().
>> >>>> >> When using v2 auth, the error message is "Unable to get policies
>> >>>> >> list:
>> >>>> >> The resource could not be found"
>> >>>> >> When using v3 auth, the error message is "Cannot authorize API
>> >>>> >> client"
>> >>>> >>
>> >>>> >> I am assuming that congressclient.v1.client.Client is
>> >>>> >>
>> >>>> >>
>> >>>> >>
>> >>>> >> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
>> >>>> >> and that client.list_policy() calls list_policy()in the
>> >>>> >> python-congressclient
>> >>>> >> which in turn calls the Congress API. Is this correct?
>> >>>> >>
>> >>>> >> Any ideas why with v3 auth, the python-congressclient cannot
>> >>>> >> authorize
>> >>>> >> the
>> >>>> >> call to the API?
>> >>>> >>
>> >>>> >> I looked at other horizon plugin models (ceilometer, neutron,
>> >>>> >> nova,
>> >>>> >> cerberus, cloudkitty, trove, designate, manila) to see how they
>> >>>> >> created
>> >>>> >> the client. While the code to create a client is not identical,
>> >>>> >> it is vastly different from the code to create a client
>> >>>> >> in contrib/horizon/congress.py.
>> >>>> >>
>> >>>> >> Thanks in advance for any pointers.
>> >>>> >>
>> >>>> >> aimee
>> >>>> >>
>> >>>> >> Aimee Ukasick (aimeeu)
>> >>>> >>
>> >>>> >> v2 log:
>> >>>> >> 2016-07-20 22:13:56.501455
>> >>>> >> 2016-07-20 22:14:30.238233 ***** view.get_data calling policies =
>> >>>> >> congress.policies_list(self.request) *****
>> >>>> >> 2016-07-20 22:14:30.238318 ***** self.request.path=
>> >>>> >> /dashboard/admin/policies/
>> >>>> >> 2016-07-20 22:14:30.238352 ***** congress.policies_list(request)
>> >>>> >> BEGIN*****
>> >>>> >> 2016-07-20 22:14:30.238376 ***** calling client =
>> >>>> >> congressclient(request)*****
>> >>>> >> 2016-07-20 22:14:30.238399 ***** congress.congressclient
>> >>>> >> BEGIN*****
>> >>>> >> 2016-07-20 22:14:30.238454 ***** auth_url=
>> >>>> >> http://192.168.56.103/identity
>> >>>> >> 2016-07-20 22:14:30.238479 ***** calling get_keystone_session
>> >>>> >> *****
>> >>>> >> 2016-07-20 22:14:30.238505 ***** congress.get_keystone_session
>> >>>> >> BEGIN
>> >>>> >> auth_url *****http://192.168.56.103/identity
>> >>>> >> 2016-07-20 22:14:30.238554 ***** path= /identity
>> >>>> >> 2016-07-20 22:14:30.238578 ***** using V2 plugin to
>> >>>> >> authenticate*****
>> >>>> >> 2016-07-20 22:14:30.238630 ***** v2 auth.get_auth_state=
>> >>>> >> 2016-07-20 22:14:30.238656 None
>> >>>> >> 2016-07-20 22:14:30.238677 ***** finished using V2 plugin to
>> >>>> >> authenticate*****
>> >>>> >> 2016-07-20 22:14:30.238698 ***** creating session with auth *****
>> >>>> >> 2016-07-20 22:14:30.244407 ***** congress.get_keystone_session
>> >>>> >> END*****
>> >>>> >> 2016-07-20 22:14:30.244462 ***** regtion_name= RegionOne
>> >>>> >> 2016-07-20 22:14:30.244491 ***** calling
>> >>>> >> congress_client.Client(**kwargs)
>> >>>> >> 2016-07-20 22:14:30.247830 ***** congress.congressclient END*****
>> >>>> >> 2016-07-20 22:14:30.247902 ***** calling policies_list =
>> >>>> >> client.list_policy()*****
>> >>>> >> 2016-07-20 22:14:30.248012 DEBUG:keystoneauth.identity.v2:Making
>> >>>> >> authentication request to http://192.168.56.103/identity/tokens
>> >>>> >> 2016-07-20 22:14:30.255023 DEBUG:keystoneauth.session:Request
>> >>>> >> returned
>> >>>> >> failure status: 404
>> >>>> >> 2016-07-20 22:14:30.257546 Unable to get policies list: The
>> >>>> >> resource
>> >>>> >> could not be found.
>> >>>> >>
>> >>>> >>
>> >>>> >> v3 log:
>> >>>> >> 2016-07-20 22:09:22.912969
>> >>>> >> 2016-07-20 22:09:31.907119 ***** view.get_data calling policies =
>> >>>> >> congress.policies_list(self.request) *****
>> >>>> >> 2016-07-20 22:09:31.907973 ***** self.request.path=
>> >>>> >> /dashboard/admin/policies/
>> >>>> >> 2016-07-20 22:09:31.908122 ***** congress.policies_list(request)
>> >>>> >> BEGIN*****
>> >>>> >> 2016-07-20 22:09:31.908250 ***** calling client =
>> >>>> >> congressclient(request)*****
>> >>>> >> 2016-07-20 22:09:31.908386 ***** congress.congressclient
>> >>>> >> BEGIN*****
>> >>>> >> 2016-07-20 22:09:31.909034 ***** auth_url=
>> >>>> >> http://192.168.56.103/identity
>> >>>> >> 2016-07-20 22:09:31.909217 ***** calling get_keystone_session
>> >>>> >> *****
>> >>>> >> 2016-07-20 22:09:31.909356 ***** congress.get_keystone_session
>> >>>> >> BEGIN
>> >>>> >> auth_url *****http://192.168.56.103/identity
>> >>>> >> 2016-07-20 22:09:31.909527 ***** path= /identity
>> >>>> >> 2016-07-20 22:09:31.909795 ***** using V3 plugin to
>> >>>> >> authenticate*****
>> >>>> >> 2016-07-20 22:09:31.910042 auth_url=http://192.168.56.103/identity
>> >>>> >> 2016-07-20 22:09:31.910175 token=d46339f2d0b5455db54909d6ed95a9cc
>> >>>> >> 2016-07-20 22:09:31.910301 project_name=alt_demo
>> >>>> >> 2016-07-20 22:09:31.910426 domain_name=Default
>> >>>> >> 2016-07-20 22:09:31.910676 project_domain_name=default
>> >>>> >> 2016-07-20 22:09:31.910866 ***** v3 auth.get_auth_state=
>> >>>> >> 2016-07-20 22:09:31.910992 None
>> >>>> >> 2016-07-20 22:09:31.914053 ***** finished using V3 plugin to
>> >>>> >> authenticate*****
>> >>>> >> 2016-07-20 22:09:31.914100 ***** creating session with auth *****
>> >>>> >> 2016-07-20 22:09:31.922260 ***** congress.get_keystone_session
>> >>>> >> END*****
>> >>>> >> 2016-07-20 22:09:31.922542 ***** regtion_name= RegionOne
>> >>>> >> 2016-07-20 22:09:31.922676 ***** calling
>> >>>> >> congress_client.Client(**kwargs)
>> >>>> >> 2016-07-20 22:09:31.922822 ***** congress.congressclient END*****
>> >>>> >> 2016-07-20 22:09:31.922949 ***** calling policies_list =
>> >>>> >> client.list_policy()*****
>> >>>> >> 2016-07-20 22:09:31.924732 Unable to get policies list: Cannot
>> >>>> >> authorize API client.
>> >>>> >>
>> >>>> >>
>> >>>> >>
>> >>>> >> __________________________________________________________________________
>> >>>> >> OpenStack Development Mailing List (not for usage questions)
>> >>>> >> Unsubscribe:
>> >>>> >> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> >>>> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >>>> >
>> >>>> >
>> >>>> >
>> >>>> >
>> >>>> > __________________________________________________________________________
>> >>>> > OpenStack Development Mailing List (not for usage questions)
>> >>>> > Unsubscribe:
>> >>>> > OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> >>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >>>> >
>> >>>>
>> >>>>
>> >>>>
>> >>>> __________________________________________________________________________
>> >>>> OpenStack Development Mailing List (not for usage questions)
>> >>>> Unsubscribe:
>> >>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >>>
>> >>>
>> >>>
>> >>> __________________________________________________________________________
>> >>> OpenStack Development Mailing List (not for usage questions)
>> >>> Unsubscribe:
>> >>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >>>
>> >>
>> >>
>> >>
>> >> __________________________________________________________________________
>> >> OpenStack Development Mailing List (not for usage questions)
>> >> Unsubscribe:
>> >> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



More information about the OpenStack-dev mailing list