[openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help
Tim Hinrichs
tim at styra.com
Fri Jul 29 02:05:39 UTC 2016
I've never worked on the authentication details, so this may be off track,
but that error message indicates the failure is happening inside Congress's
oslo_policy.
Error message shows up here as a Python exception class.
https://github.com/openstack/congress/blob/master/congress/exception.py#L135
That exception class is instantiated only here
https://github.com/openstack/congress/blob/master/congress/common/policy.py#L93
The code that uses the instantiated exception class (which actually does
the enforcement):
https://github.com/openstack/congress/blob/7c2f4132b9693e7969e704cb9914963274c2c4a1/congress/api/webservice.py#L373
I don't remember off the top of my head how the default policy.json gets
created, but I'm sure the admin credentials will work. You might want to
ensure you're logged in as the admin with...
$ source openrc admin admin
Tim
On Thu, Jul 28, 2016 at 1:56 PM Aimee Ukasick <aimeeu.opensource at gmail.com>
wrote:
> I've gotten a little farther, which leads me to my next question -
> does the API support v3 token auth?
> or am I making mistakes in my manual testing?
>
> using the CLI on local devstack
> 1) did not modify openrc
> 2) source openrc
> 3) openstack token issue
> 4) openstack congress datasource list --os-auth-type v3token
> --os-token ad74073300e244768e08e0d4cd73fbbd --os-auth-url
> http://192.168.56.101:5000/v3
> --os-project-id da9a9ba573c34c18a037fd04812d81bc --debug --verbose
>
> When the python-congressclient calls the API, this is the response:
> RESP BODY: Policy doesn't allow get_v1 to be performed.
> Request returned failure status: 403
>
> Log: http://paste.openstack.org/show/543445/
>
> So then I called the API directly:
> curl -X POST -H "Content-Type: application/json" -H "Cache-Control:
> no-cache"
> -d '{ "auth": {
> "identity": {
> "methods": ["password"],
> "password": {
> "user": {
> "name": "demo",
> "domain": { "id": "default" },
> "password": "secret"
> }
> }
> }
> }
> }' "http://192.168.56.101:5000/v3/auth/tokens"
>
> Response:
> {
> "token": {
> "issued_at": "2016-07-28T20:43:44.258137Z",
> "audit_ids": [
> "N6tnfbI5QvyRT4xEB7pGCA"
> ],
> "methods": [
> "password"
> ],
> "expires_at": "2016-07-28T21:43:44.258112Z",
> "user": {
> "domain": {
> "id": "default",
> "name": "Default"
> },
> "id": "f2bf5189bbd7466cbecc1b1315cff3b5",
> "name": "demo"
> }
> }
> }
>
> Then:
> curl -X GET -H "X-Auth-Token: f2bf5189bbd7466cbecc1b1315cff3b5" -H
> "Cache-Control: no-cache" "http://192.168.56.101:1789/v1/data-sources"
>
> Response:
> {
> "error": {
> "message": "The request you have made requires authentication.",
> "code": 401,
> "title": "Unauthorized"
> }
> }
>
> I'm feeling pretty stupid at the moment, like I've missed something
> obvious.
> Any ideas?
>
> Thanks!
>
> aimee
>
> On Fri, Jul 22, 2016 at 9:21 PM, Anusha Ramineni <anusha.iiitm at gmail.com>
> wrote:
> > Hi Aimee,
> >
> > Thanks for the investigation.
> >
> > I remember testing congress client with V3 password based authentication
> ,
> > which worked fine .. but never tested with token based .
> >
> > Please go ahead and fix it , if you think there is any issue .
> >
> >
> > On 22-Jul-2016 9:38 PM, "Aimee Ukasick" <aimeeu.opensource at gmail.com>
> wrote:
> >>
> >> All - I made the change to the auth_url that Anusha suggested.
> >> Same problem as before " Cannot authorize API client"
> >> 2016-07-22 14:13:50.835861 ***** calling policies_list =
> >> client.list_policy()*****
> >> 2016-07-22 14:13:50.836062 Unable to get policies list: Cannot
> >> authorize API client.
> >>
> >> I used the token from the log output to query the Congress API with
> >> the keystone v3 token - no issues.
> >> curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H
> >> "Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies"
> >>
> >> So I really think the problem is that the python-congressclient
> >> doesn't support identity v3.
> >> I thought it did, but then I came across this:
> >> "support keystone v3 api and session based authentication "
> >> https://bugs.launchpad.net/python-congressclient/+bug/1564361
> >> This is currently assigned to Anusha.
> >> I'd like to start work on it since I am becoming familiar with keystone
> >> v3.
> >>
> >> Thoughts?
> >>
> >> aimee
> >>
> >>
> >>
> >>
> >> On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick
> >> <aimeeu.opensource at gmail.com> wrote:
> >> > Thanks Anusha! I will retest this today. I guess I need to learn more
> >> > about Horizon as well - thanks for pointing me in the right direction.
> >> >
> >> > aimee
> >> >
> >> >
> >> >
> >> > On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni
> >> > <anusha.iiitm at gmail.com> wrote:
> >> >> Hi Aimee,
> >> >>
> >> >> I think devstack by default configured horizon to use v3 .
> >> >> For V2 authentication, from the logs , auth_url doesn't seem to be
> set
> >> >> explicitly to v2 auth_url .
> >> >>
> >> >> I have always set explicit v2 auth which worked fine.
> >> >> For eg:- auth_url = 'http://<host-ip>:5000/v2.0' , for V2
> >> >> authentication
> >> >>
> >> >> I have raised a patch, to take the auth_url from horizon settings
> >> >> instead of
> >> >> from request.
> >> >> https://review.openstack.org/#/c/345828/1
> >> >>
> >> >> Please set explict v2 auth_url as mentioned above in
> >> >> OPENSTACK_KESYTONE_URL
> >> >> in <horizon>/openstack_dashboard/local/local_settings.py and restart
> >> >> apache2
> >> >> server . Then v2 authentication should go through fine.
> >> >>
> >> >> For v3 , need to add relevant code for v3 authentication in
> >> >> contrib/horizon
> >> >> as presently it is hardcoded to use only v2. but yes, the code from
> >> >> plugin
> >> >> model patch is still a WIP , so doesn't work for v3 authentication I
> >> >> guess
> >> >> I'll have a look at it and let you know .
> >> >>
> >> >>
> >> >> Best Regards,
> >> >> Anusha
> >> >>
> >> >> On 21 July 2016 at 21:56, Tim Hinrichs <tim at styra.com> wrote:
> >> >>>
> >> >>> So clearly an authentication problem then.
> >> >>>
> >> >>> Anusha, do you have any ideas? (Aimee, I think Anusha has worked
> with
> >> >>> Keystone authentication most recently, so she's your best bet.)
> >> >>>
> >> >>> Tim
> >> >>>
> >> >>> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick
> >> >>> <aimeeu.opensource at gmail.com> wrote:
> >> >>>>
> >> >>>> The Policy/Data Sources web page throws the same errors. I am
> >> >>>> planning to recheck direct API calls using v3 auth today or
> tomorrow.
> >> >>>>
> >> >>>> aimee
> >> >>>>
> >> >>>> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs <tim at styra.com>
> wrote:
> >> >>>> > Hi Aimee,
> >> >>>> >
> >> >>>> > Do the other APIs work? That is, is it a general problem
> >> >>>> > authenticating, or
> >> >>>> > is the problem limited to list_policies?
> >> >>>> >
> >> >>>> > Tim
> >> >>>> >
> >> >>>> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick
> >> >>>> > <aimeeu.opensource at gmail.com>
> >> >>>> > wrote:
> >> >>>> >>
> >> >>>> >> Hi all,
> >> >>>> >>
> >> >>>> >> I've been working on Policy UI (Horizon): Unable to get policies
> >> >>>> >> list (devstack) (
> https://bugs.launchpad.net/congress/+bug/1602837)
> >> >>>> >> for the past 3 days. Anusha is correct - it's an authentication
> >> >>>> >> problem, but I have not been able to fix it.
> >> >>>> >>
> >> >>>> >> I grabbed the relevant code in congress.py from Anusha's horizon
> >> >>>> >> plugin model patchset (
> https://review.openstack.org/#/c/305063/3)
> >> >>>> >> and
> >> >>>> >> added try/catch blocks, logging statements (with error because I
> >> >>>> >> haven't figured out how to set the horizon log level).
> >> >>>> >>
> >> >>>> >>
> >> >>>> >> I am testing the code on devstack, which I cloned on 19 July
> 2016.
> >> >>>> >>
> >> >>>> >> With both v2 and v3 auth, congressclient.v1.client is created.
> >> >>>> >> The failure happens trying to call
> >> >>>> >> congressclient.v1.client.Client.list_policies().
> >> >>>> >> When using v2 auth, the error message is "Unable to get policies
> >> >>>> >> list:
> >> >>>> >> The resource could not be found"
> >> >>>> >> When using v3 auth, the error message is "Cannot authorize API
> >> >>>> >> client"
> >> >>>> >>
> >> >>>> >> I am assuming that congressclient.v1.client.Client is
> >> >>>> >>
> >> >>>> >>
> >> >>>> >>
> >> >>>> >>
> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
> >> >>>> >> and that client.list_policy() calls list_policy()in the
> >> >>>> >> python-congressclient
> >> >>>> >> which in turn calls the Congress API. Is this correct?
> >> >>>> >>
> >> >>>> >> Any ideas why with v3 auth, the python-congressclient cannot
> >> >>>> >> authorize
> >> >>>> >> the
> >> >>>> >> call to the API?
> >> >>>> >>
> >> >>>> >> I looked at other horizon plugin models (ceilometer, neutron,
> >> >>>> >> nova,
> >> >>>> >> cerberus, cloudkitty, trove, designate, manila) to see how they
> >> >>>> >> created
> >> >>>> >> the client. While the code to create a client is not identical,
> >> >>>> >> it is vastly different from the code to create a client
> >> >>>> >> in contrib/horizon/congress.py.
> >> >>>> >>
> >> >>>> >> Thanks in advance for any pointers.
> >> >>>> >>
> >> >>>> >> aimee
> >> >>>> >>
> >> >>>> >> Aimee Ukasick (aimeeu)
> >> >>>> >>
> >> >>>> >> v2 log:
> >> >>>> >> 2016-07-20 22:13:56.501455
> >> >>>> >> 2016-07-20 22:14:30.238233 ***** view.get_data calling policies
> =
> >> >>>> >> congress.policies_list(self.request) *****
> >> >>>> >> 2016-07-20 22:14:30.238318 ***** self.request.path=
> >> >>>> >> /dashboard/admin/policies/
> >> >>>> >> 2016-07-20 22:14:30.238352 ***** congress.policies_list(request)
> >> >>>> >> BEGIN*****
> >> >>>> >> 2016-07-20 22:14:30.238376 ***** calling client =
> >> >>>> >> congressclient(request)*****
> >> >>>> >> 2016-07-20 22:14:30.238399 ***** congress.congressclient
> >> >>>> >> BEGIN*****
> >> >>>> >> 2016-07-20 22:14:30.238454 ***** auth_url=
> >> >>>> >> http://192.168.56.103/identity
> >> >>>> >> 2016-07-20 22:14:30.238479 ***** calling get_keystone_session
> >> >>>> >> *****
> >> >>>> >> 2016-07-20 22:14:30.238505 ***** congress.get_keystone_session
> >> >>>> >> BEGIN
> >> >>>> >> auth_url *****http://192.168.56.103/identity
> >> >>>> >> 2016-07-20 22:14:30.238554 ***** path= /identity
> >> >>>> >> 2016-07-20 22:14:30.238578 ***** using V2 plugin to
> >> >>>> >> authenticate*****
> >> >>>> >> 2016-07-20 22:14:30.238630 ***** v2 auth.get_auth_state=
> >> >>>> >> 2016-07-20 22:14:30.238656 None
> >> >>>> >> 2016-07-20 22:14:30.238677 ***** finished using V2 plugin to
> >> >>>> >> authenticate*****
> >> >>>> >> 2016-07-20 22:14:30.238698 ***** creating session with auth
> *****
> >> >>>> >> 2016-07-20 22:14:30.244407 ***** congress.get_keystone_session
> >> >>>> >> END*****
> >> >>>> >> 2016-07-20 22:14:30.244462 ***** regtion_name= RegionOne
> >> >>>> >> 2016-07-20 22:14:30.244491 ***** calling
> >> >>>> >> congress_client.Client(**kwargs)
> >> >>>> >> 2016-07-20 22:14:30.247830 ***** congress.congressclient
> END*****
> >> >>>> >> 2016-07-20 22:14:30.247902 ***** calling policies_list =
> >> >>>> >> client.list_policy()*****
> >> >>>> >> 2016-07-20 22:14:30.248012 DEBUG:keystoneauth.identity.v2:Making
> >> >>>> >> authentication request to http://192.168.56.103/identity/tokens
> >> >>>> >> 2016-07-20 22:14:30.255023 DEBUG:keystoneauth.session:Request
> >> >>>> >> returned
> >> >>>> >> failure status: 404
> >> >>>> >> 2016-07-20 22:14:30.257546 Unable to get policies list: The
> >> >>>> >> resource
> >> >>>> >> could not be found.
> >> >>>> >>
> >> >>>> >>
> >> >>>> >> v3 log:
> >> >>>> >> 2016-07-20 22:09:22.912969
> >> >>>> >> 2016-07-20 22:09:31.907119 ***** view.get_data calling policies
> =
> >> >>>> >> congress.policies_list(self.request) *****
> >> >>>> >> 2016-07-20 22:09:31.907973 ***** self.request.path=
> >> >>>> >> /dashboard/admin/policies/
> >> >>>> >> 2016-07-20 22:09:31.908122 ***** congress.policies_list(request)
> >> >>>> >> BEGIN*****
> >> >>>> >> 2016-07-20 22:09:31.908250 ***** calling client =
> >> >>>> >> congressclient(request)*****
> >> >>>> >> 2016-07-20 22:09:31.908386 ***** congress.congressclient
> >> >>>> >> BEGIN*****
> >> >>>> >> 2016-07-20 22:09:31.909034 ***** auth_url=
> >> >>>> >> http://192.168.56.103/identity
> >> >>>> >> 2016-07-20 22:09:31.909217 ***** calling get_keystone_session
> >> >>>> >> *****
> >> >>>> >> 2016-07-20 22:09:31.909356 ***** congress.get_keystone_session
> >> >>>> >> BEGIN
> >> >>>> >> auth_url *****http://192.168.56.103/identity
> >> >>>> >> 2016-07-20 22:09:31.909527 ***** path= /identity
> >> >>>> >> 2016-07-20 22:09:31.909795 ***** using V3 plugin to
> >> >>>> >> authenticate*****
> >> >>>> >> 2016-07-20 22:09:31.910042 auth_url=
> http://192.168.56.103/identity
> >> >>>> >> 2016-07-20 22:09:31.910175
> token=d46339f2d0b5455db54909d6ed95a9cc
> >> >>>> >> 2016-07-20 22:09:31.910301 project_name=alt_demo
> >> >>>> >> 2016-07-20 22:09:31.910426 domain_name=Default
> >> >>>> >> 2016-07-20 22:09:31.910676 project_domain_name=default
> >> >>>> >> 2016-07-20 22:09:31.910866 ***** v3 auth.get_auth_state=
> >> >>>> >> 2016-07-20 22:09:31.910992 None
> >> >>>> >> 2016-07-20 22:09:31.914053 ***** finished using V3 plugin to
> >> >>>> >> authenticate*****
> >> >>>> >> 2016-07-20 22:09:31.914100 ***** creating session with auth
> *****
> >> >>>> >> 2016-07-20 22:09:31.922260 ***** congress.get_keystone_session
> >> >>>> >> END*****
> >> >>>> >> 2016-07-20 22:09:31.922542 ***** regtion_name= RegionOne
> >> >>>> >> 2016-07-20 22:09:31.922676 ***** calling
> >> >>>> >> congress_client.Client(**kwargs)
> >> >>>> >> 2016-07-20 22:09:31.922822 ***** congress.congressclient
> END*****
> >> >>>> >> 2016-07-20 22:09:31.922949 ***** calling policies_list =
> >> >>>> >> client.list_policy()*****
> >> >>>> >> 2016-07-20 22:09:31.924732 Unable to get policies list: Cannot
> >> >>>> >> authorize API client.
> >> >>>> >>
> >> >>>> >>
> >> >>>> >>
> >> >>>> >>
> __________________________________________________________________________
> >> >>>> >> OpenStack Development Mailing List (not for usage questions)
> >> >>>> >> Unsubscribe:
> >> >>>> >> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >> >>>> >>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >> >>>> >
> >> >>>> >
> >> >>>> >
> >> >>>> >
> >> >>>> >
> __________________________________________________________________________
> >> >>>> > OpenStack Development Mailing List (not for usage questions)
> >> >>>> > Unsubscribe:
> >> >>>> > OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >> >>>> >
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >> >>>> >
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>>
> __________________________________________________________________________
> >> >>>> OpenStack Development Mailing List (not for usage questions)
> >> >>>> Unsubscribe:
> >> >>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >> >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> __________________________________________________________________________
> >> >>> OpenStack Development Mailing List (not for usage questions)
> >> >>> Unsubscribe:
> >> >>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >> >>>
> >> >>
> >> >>
> >> >>
> >> >>
> __________________________________________________________________________
> >> >> OpenStack Development Mailing List (not for usage questions)
> >> >> Unsubscribe:
> >> >> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >> >>
> >>
> >>
> __________________________________________________________________________
> >> OpenStack Development Mailing List (not for usage questions)
> >> Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
> >
> >
> __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160729/8458a420/attachment.html>
More information about the OpenStack-dev
mailing list