[openstack-dev] [horizon] [keystone] [federated auth] [ocata] federated users with "admin" role not authorized for nova, cinder, neutron admin panels

Evan Bollig PhD boll0107 at umn.edu
Wed Mar 8 23:07:56 UTC 2017

I am on Ocata with Shibboleth auth enabled. I noticed that Federated
users with the admin role no longer have authorization to use the
Admin** panels in Horizon related to Nova, Cinder and Neutron. All
regular Identity and Project tabs function, and there are no problems
with authorization for local admin users.

These Admin tabs work: Hypervisors, Host Aggregates, Flavors, Images,
Defaults, Metadata, System Information

These result in logout: Instances, Volumes, Networks, Routers, Floating IPs

This is not present: Overview

The policies are vanilla from the CentOS/RDO openstack-dashboard RPMs:

The errors I see in logs are similar to:

==> /var/log/horizon/horizon.log <==
2017-03-07 18:24:54,961 13745 ERROR horizon.exceptions Unauthorized:
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/floating_ips/views.py", line 53, in get_tenant_list
    tenants, has_more = api.keystone.tenant_list(request)
  File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 351, in tenant_list
    manager = VERSIONS.get_project_manager(request, admin=admin)
  File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 61, in get_project_manager
    manager = keystoneclient(*args, **kwargs).projects
  File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 170, in keystoneclient
    raise exceptions.NotAuthorized

Evan F. Bollig, PhD
Scientific Computing Consultant, Application Developer | Scientific
Computing Solutions (SCS)
Minnesota Supercomputing Institute | msi.umn.edu
University of Minnesota | umn.edu
boll0107 at umn.edu | 612-624-1447 | Walter Lib Rm 556
