[openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

Adam Young ayoung at redhat.com
Fri Jul 29 16:46:29 UTC 2016


On 07/28/2016 10:05 PM, Tim Hinrichs wrote:
>
> I've never worked on the authentication details, so this may be off 
> track, but that error message indicates the failure is happening 
> inside Congress's oslo_policy.
>
> Error message shows up here as a Python exception class.
> https://github.com/openstack/congress/blob/master/congress/exception.py#L135
>
> That exception class is instantiated only here
> https://github.com/openstack/congress/blob/master/congress/common/policy.py#L93 
>
>
> The code that uses the instantiated exception class (which actually 
> does the enforcement):
> https://github.com/openstack/congress/blob/7c2f4132b9693e7969e704cb9914963274c2c4a1/congress/api/webservice.py#L373
>
> I don't remember off the top of my head how the default policy.json 
> gets created, but I'm sure the admin credentials will work.  You might 
> want to ensure you're logged in as the admin with...
>
> $ source openrc admin admin


In most projects, policy is enforced against an oslo-context object.  
That should abstract away the differences between V2 and V3 keystone 
token formats.

Make sure that the policy is not dying on something specific to one 
version or the other.  Post the actual rule executed, please.


>
> Tim
>
> On Thu, Jul 28, 2016 at 1:56 PM Aimee Ukasick 
> <aimeeu.opensource at gmail.com> wrote:
>
>     I've gotten a little farther, which leads me to my next question -
>     does the API support v3 token auth?
>     or am I making mistakes in my manual testing?
>
>     using the CLI on local devstack
>     1) did not modify openrc
>     2) source openrc
>     3) openstack token issue
>     4) openstack congress datasource list --os-auth-type v3token \
>          --os-token ad74073300e244768e08e0d4cd73fbbd \
>          --os-auth-url http://192.168.56.101:5000/v3 \
>          --os-project-id da9a9ba573c34c18a037fd04812d81bc --debug --verbose
>
>     When the python-congressclient calls the API, this is the response:
>     RESP BODY: Policy doesn't allow get_v1 to be performed.
>     Request returned failure status: 403
>
>     Log: http://paste.openstack.org/show/543445/
>
>     So then I called the API directly:
>     curl -X POST -H "Content-Type: application/json" \
>       -H "Cache-Control: no-cache" \
>     -d '{ "auth": {
>         "identity": {
>           "methods": ["password"],
>           "password": {
>             "user": {
>               "name": "demo",
>               "domain": { "id": "default" },
>               "password": "secret"
>             }
>           }
>         }
>       }
>     }' "http://192.168.56.101:5000/v3/auth/tokens"
>
>     Response:
>     {
>       "token": {
>         "issued_at": "2016-07-28T20:43:44.258137Z",
>         "audit_ids": [
>           "N6tnfbI5QvyRT4xEB7pGCA"
>         ],
>         "methods": [
>           "password"
>         ],
>         "expires_at": "2016-07-28T21:43:44.258112Z",
>         "user": {
>           "domain": {
>             "id": "default",
>             "name": "Default"
>           },
>           "id": "f2bf5189bbd7466cbecc1b1315cff3b5",
>           "name": "demo"
>         }
>       }
>     }
>
>     Then:
>     curl -X GET -H "X-Auth-Token: f2bf5189bbd7466cbecc1b1315cff3b5" \
>       -H "Cache-Control: no-cache" "http://192.168.56.101:1789/v1/data-sources"
>
>     Response:
>     {
>       "error": {
>         "message": "The request you have made requires authentication.",
>         "code": 401,
>         "title": "Unauthorized"
>       }
>     }
>
>     I'm feeling pretty stupid at the moment, like I've missed
>     something obvious.
>     Any ideas?
>
>     Thanks!
>
>     aimee
>
>     On Fri, Jul 22, 2016 at 9:21 PM, Anusha Ramineni
>     <anusha.iiitm at gmail.com> wrote:
>     > Hi Aimee,
>     >
>     > Thanks for the investigation.
>     >
>     > I remember testing congress client with V3 password based authentication,
>     > which worked fine .. but never tested with token based.
>     >
>     > Please go ahead and fix it, if you think there is any issue.
>     >
>     >
>     > On 22-Jul-2016 9:38 PM, "Aimee Ukasick" <aimeeu.opensource at gmail.com> wrote:
>     >>
>     >> All - I made the change to the auth_url that Anusha suggested.
>     >> Same problem as before " Cannot authorize API client"
>     >> 2016-07-22 14:13:50.835861 ***** calling policies_list = client.list_policy()*****
>     >> 2016-07-22 14:13:50.836062 Unable to get policies list: Cannot authorize API client.
>     >>
>     >> I used the token from the log output to query the Congress API with
>     >> the keystone v3 token - no issues.
>     >> curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" \
>     >>   -H "Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies"
>     >>
>     >> So I really think the problem is that the python-congressclient
>     >> doesn't support identity v3.
>     >> I thought it did, but then I came across this:
>     >> "support keystone v3 api and session based authentication "
>     >> https://bugs.launchpad.net/python-congressclient/+bug/1564361
>     >> This is currently assigned to Anusha.
>     >> I'd like to start work on it since I am becoming familiar with keystone
>     >> v3.
>     >>
>     >> Thoughts?
>     >>
>     >> aimee
>     >>
>     >>
>     >>
>     >>
>     >> On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick
>     >> <aimeeu.opensource at gmail.com> wrote:
>     >> > Thanks Anusha! I will retest this today. I guess I need to learn more
>     >> > about Horizon as well - thanks for pointing me in the right direction.
>     >> >
>     >> > aimee
>     >> >
>     >> >
>     >> >
>     >> > On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni
>     >> > <anusha.iiitm at gmail.com> wrote:
>     >> >> Hi Aimee,
>     >> >>
>     >> >> I think devstack by default configured horizon to use v3.
>     >> >> For V2 authentication, from the logs, auth_url doesn't seem to be set
>     >> >> explicitly to v2 auth_url.
>     >> >>
>     >> >> I have always set explicit v2 auth which worked fine.
>     >> >> For eg:- auth_url = 'http://<host-ip>:5000/v2.0' , for V2
>     >> >> authentication
>     >> >>
>     >> >> I have raised a patch, to take the auth_url from horizon settings
>     >> >> instead of from request.
>     >> >> https://review.openstack.org/#/c/345828/1
>     >> >>
>     >> >> Please set explicit v2 auth_url as mentioned above in
>     >> >> OPENSTACK_KEYSTONE_URL
>     >> >> in <horizon>/openstack_dashboard/local/local_settings.py and restart
>     >> >> apache2 server. Then v2 authentication should go through fine.
>     >> >>
>     >> >> For v3, need to add relevant code for v3 authentication in
>     >> >> contrib/horizon as presently it is hardcoded to use only v2. But yes, the
>     >> >> code from plugin model patch is still a WIP, so doesn't work for v3
>     >> >> authentication I guess.
>     >> >> I'll have a look at it and let you know.
>     >> >>
>     >> >>
>     >> >> Best Regards,
>     >> >> Anusha
>     >> >>
>     >> >> On 21 July 2016 at 21:56, Tim Hinrichs <tim at styra.com> wrote:
>     >> >>>
>     >> >>> So clearly an authentication problem then.
>     >> >>>
>     >> >>> Anusha, do you have any ideas? (Aimee, I think Anusha has worked with
>     >> >>> Keystone authentication most recently, so she's your best bet.)
>     >> >>>
>     >> >>> Tim
>     >> >>>
>     >> >>> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick
>     >> >>> <aimeeu.opensource at gmail.com> wrote:
>     >> >>>>
>     >> >>>> The Policy/Data Sources web page throws the same errors. I am
>     >> >>>> planning to recheck direct API calls using v3 auth today or tomorrow.
>     >> >>>>
>     >> >>>> aimee
>     >> >>>>
>     >> >>>> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs <tim at styra.com> wrote:
>     >> >>>> > Hi Aimee,
>     >> >>>> >
>     >> >>>> > Do the other APIs work? That is, is it a general problem
>     >> >>>> > authenticating, or
>     >> >>>> > is the problem limited to list_policies?
>     >> >>>> >
>     >> >>>> > Tim
>     >> >>>> >
>     >> >>>> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick
>     >> >>>> > <aimeeu.opensource at gmail.com> wrote:
>     >> >>>> >>
>     >> >>>> >> Hi all,
>     >> >>>> >>
>     >> >>>> >> I've been working on Policy UI (Horizon): Unable to get policies
>     >> >>>> >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
>     >> >>>> >> for the past 3 days. Anusha is correct - it's an authentication
>     >> >>>> >> problem, but I have not been able to fix it.
>     >> >>>> >>
>     >> >>>> >> I grabbed the relevant code in congress.py from Anusha's horizon
>     >> >>>> >> plugin model patchset (https://review.openstack.org/#/c/305063/3)
>     >> >>>> >> and added try/catch blocks, logging statements (with error because I
>     >> >>>> >> haven't figured out how to set the horizon log level).
>     >> >>>> >>
>     >> >>>> >> I am testing the code on devstack, which I cloned on 19 July 2016.
>     >> >>>> >>
>     >> >>>> >> With both v2 and v3 auth, congressclient.v1.client is created.
>     >> >>>> >> The failure happens trying to call
>     >> >>>> >> congressclient.v1.client.Client.list_policies().
>     >> >>>> >> When using v2 auth, the error message is "Unable to get policies
>     >> >>>> >> list: The resource could not be found"
>     >> >>>> >> When using v3 auth, the error message is "Cannot authorize API
>     >> >>>> >> client"
>     >> >>>> >>
>     >> >>>> >> I am assuming that congressclient.v1.client.Client is
>     >> >>>> >> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
>     >> >>>> >> and that client.list_policy() calls list_policy() in the
>     >> >>>> >> python-congressclient
>     >> >>>> >> which in turn calls the Congress API. Is this correct?
>     >> >>>> >>
>     >> >>>> >> Any ideas why with v3 auth, the python-congressclient cannot
>     >> >>>> >> authorize the call to the API?
>     >> >>>> >>
>     >> >>>> >> I looked at other horizon plugin models (ceilometer, neutron,
>     >> >>>> >> nova, cerberus, cloudkitty, trove, designate, manila) to see how they
>     >> >>>> >> created the client. While the code to create a client is not identical,
>     >> >>>> >> it is vastly different from the code to create a client
>     >> >>>> >> in contrib/horizon/congress.py.
>     >> >>>> >>
>     >> >>>> >> Thanks in advance for any pointers.
>     >> >>>> >>
>     >> >>>> >> aimee
>     >> >>>> >>
>     >> >>>> >> Aimee Ukasick (aimeeu)
>     >> >>>> >>
>     >> >>>> >> v2 log:
>     >> >>>> >> 2016-07-20 22:13:56.501455
>     >> >>>> >> 2016-07-20 22:14:30.238233 ***** view.get_data calling policies = congress.policies_list(self.request) *****
>     >> >>>> >> 2016-07-20 22:14:30.238318 ***** self.request.path= /dashboard/admin/policies/
>     >> >>>> >> 2016-07-20 22:14:30.238352 ***** congress.policies_list(request) BEGIN*****
>     >> >>>> >> 2016-07-20 22:14:30.238376 ***** calling client = congressclient(request)*****
>     >> >>>> >> 2016-07-20 22:14:30.238399 ***** congress.congressclient BEGIN*****
>     >> >>>> >> 2016-07-20 22:14:30.238454 ***** auth_url= http://192.168.56.103/identity
>     >> >>>> >> 2016-07-20 22:14:30.238479 ***** calling get_keystone_session *****
>     >> >>>> >> 2016-07-20 22:14:30.238505 ***** congress.get_keystone_session BEGIN auth_url *****http://192.168.56.103/identity
>     >> >>>> >> 2016-07-20 22:14:30.238554 ***** path= /identity
>     >> >>>> >> 2016-07-20 22:14:30.238578 ***** using V2 plugin to authenticate*****
>     >> >>>> >> 2016-07-20 22:14:30.238630 ***** v2 auth.get_auth_state=
>     >> >>>> >> 2016-07-20 22:14:30.238656 None
>     >> >>>> >> 2016-07-20 22:14:30.238677 ***** finished using V2 plugin to authenticate*****
>     >> >>>> >> 2016-07-20 22:14:30.238698 ***** creating session with auth *****
>     >> >>>> >> 2016-07-20 22:14:30.244407 ***** congress.get_keystone_session END*****
>     >> >>>> >> 2016-07-20 22:14:30.244462 ***** regtion_name= RegionOne
>     >> >>>> >> 2016-07-20 22:14:30.244491 ***** calling congress_client.Client(**kwargs)
>     >> >>>> >> 2016-07-20 22:14:30.247830 ***** congress.congressclient END*****
>     >> >>>> >> 2016-07-20 22:14:30.247902 ***** calling policies_list = client.list_policy()*****
>     >> >>>> >> 2016-07-20 22:14:30.248012 DEBUG:keystoneauth.identity.v2:Making authentication request to http://192.168.56.103/identity/tokens
>     >> >>>> >> 2016-07-20 22:14:30.255023 DEBUG:keystoneauth.session:Request returned failure status: 404
>     >> >>>> >> 2016-07-20 22:14:30.257546 Unable to get policies list: The resource could not be found.
>     >> >>>> >>
>     >> >>>> >>
>     >> >>>> >> v3 log:
>     >> >>>> >> 2016-07-20 22:09:22.912969
>     >> >>>> >> 2016-07-20 22:09:31.907119 ***** view.get_data calling policies = congress.policies_list(self.request) *****
>     >> >>>> >> 2016-07-20 22:09:31.907973 ***** self.request.path= /dashboard/admin/policies/
>     >> >>>> >> 2016-07-20 22:09:31.908122 ***** congress.policies_list(request) BEGIN*****
>     >> >>>> >> 2016-07-20 22:09:31.908250 ***** calling client = congressclient(request)*****
>     >> >>>> >> 2016-07-20 22:09:31.908386 ***** congress.congressclient BEGIN*****
>     >> >>>> >> 2016-07-20 22:09:31.909034 ***** auth_url= http://192.168.56.103/identity
>     >> >>>> >> 2016-07-20 22:09:31.909217 ***** calling get_keystone_session *****
>     >> >>>> >> 2016-07-20 22:09:31.909356 ***** congress.get_keystone_session BEGIN auth_url *****http://192.168.56.103/identity
>     >> >>>> >> 2016-07-20 22:09:31.909527 ***** path= /identity
>     >> >>>> >> 2016-07-20 22:09:31.909795 ***** using V3 plugin to authenticate*****
>     >> >>>> >> 2016-07-20 22:09:31.910042 auth_url=http://192.168.56.103/identity
>     >> >>>> >> 2016-07-20 22:09:31.910175 token=d46339f2d0b5455db54909d6ed95a9cc
>     >> >>>> >> 2016-07-20 22:09:31.910301 project_name=alt_demo
>     >> >>>> >> 2016-07-20 22:09:31.910426 domain_name=Default
>     >> >>>> >> 2016-07-20 22:09:31.910676 project_domain_name=default
>     >> >>>> >> 2016-07-20 22:09:31.910866 ***** v3 auth.get_auth_state=
>     >> >>>> >> 2016-07-20 22:09:31.910992 None
>     >> >>>> >> 2016-07-20 22:09:31.914053 ***** finished using V3 plugin to authenticate*****
>     >> >>>> >> 2016-07-20 22:09:31.914100 ***** creating session with auth *****
>     >> >>>> >> 2016-07-20 22:09:31.922260 ***** congress.get_keystone_session END*****
>     >> >>>> >> 2016-07-20 22:09:31.922542 ***** regtion_name= RegionOne
>     >> >>>> >> 2016-07-20 22:09:31.922676 ***** calling congress_client.Client(**kwargs)
>     >> >>>> >> 2016-07-20 22:09:31.922822 ***** congress.congressclient END*****
>     >> >>>> >> 2016-07-20 22:09:31.922949 ***** calling policies_list = client.list_policy()*****
>     >> >>>> >> 2016-07-20 22:09:31.924732 Unable to get policies list: Cannot authorize API client.
>     >> >>>> >>
>     >> >>>> >>
>     >> >>>> >>
>     >> >>>> >>
>     __________________________________________________________________________
>     >> >>>> >> OpenStack Development Mailing List (not for usage
>     questions)
>     >> >>>> >> Unsubscribe:
>     >> >>>> >>
>     OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>     <http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
>     >> >>>> >>
>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

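Added example, not part of the original thread and not Congress, oslo or keystone code: a minimal Python sketch of the idea in Adam Young's reply, that policy is checked against version-neutral credentials rather than a raw v2 or v3 token. The helper names, the rule `role:admin` and the sample bodies are assumptions constructed for illustration.

```python
# Added illustration; helper names, the rule and all sample data are constructed.

def token_id(headers, body):
    """Keystone v2.0 puts the token ID in the body (access.token.id);
    v3 returns it only in the X-Subject-Token response header."""
    if "access" in body:
        return body["access"]["token"]["id"]
    for name, value in headers.items():
        if name.lower() == "x-subject-token":
            return value
    return None


def credentials_from_token(body):
    """Map a v2 ('access') or v3 ('token') body to version-neutral fields."""
    if "access" in body:  # Keystone v2.0 layout
        access = body["access"]
        tenant = access["token"].get("tenant") or {}
        roles = access["user"].get("roles", [])
        return {"user_id": access["user"]["id"],
                "project_id": tenant.get("id"),
                "roles": [r["name"] for r in roles]}
    token = body["token"]  # Keystone v3 layout
    return {"user_id": token["user"]["id"],
            "project_id": token.get("project", {}).get("id"),
            "roles": [r["name"] for r in token.get("roles", [])]}


def enforce(rule, creds):
    """Evaluate a minimal 'role:<name>' rule; an empty rule allows everyone."""
    if not rule:
        return True
    kind, _, value = rule.partition(":")
    if kind != "role":
        raise ValueError("this sketch only handles role:<name> rules")
    return value.lower() in (r.lower() for r in creds["roles"])


def diagnose(headers, body, rule="role:admin"):
    """Summarise what a policy check would see for this token response."""
    creds = credentials_from_token(body)
    return {"token_id": token_id(headers, body),
            "scoped": creds["project_id"] is not None,
            "allowed": enforce(rule, creds)}


# Constructed responses (placeholder IDs, not values from the thread).
V3_HEADERS = {"X-Subject-Token": "TOKEN-ID-PLACEHOLDER"}
V3_UNSCOPED = {"token": {"methods": ["password"],
                         "user": {"id": "USER-ID", "name": "demo"}}}
V3_SCOPED = {"token": {"methods": ["password"],
                       "user": {"id": "USER-ID", "name": "admin"},
                       "project": {"id": "PROJECT-ID", "name": "admin"},
                       "roles": [{"id": "ROLE-ID", "name": "admin"}]}}
V2_SCOPED = {"access": {"token": {"id": "TOKEN-ID-PLACEHOLDER",
                                  "tenant": {"id": "PROJECT-ID"}},
                        "user": {"id": "USER-ID",
                                 "roles": [{"name": "admin"}]}}}

if __name__ == "__main__":
    for label, hdrs, body in (("v3 unscoped", V3_HEADERS, V3_UNSCOPED),
                              ("v3 scoped", V3_HEADERS, V3_SCOPED),
                              ("v2 scoped", {}, V2_SCOPED)):
        print(label, diagnose(hdrs, body))
```

A token response with no project scope yields an empty role list, so a role-based rule denies it whichever Keystone version issued it.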
