[openstack-dev] [horizon] [keystone] [federated auth] [ocata] federated users with "admin" role not authorized for nova, cinder, neutron admin panels

Evan Bollig PhD boll0107 at umn.edu
Wed Mar 8 23:07:56 UTC 2017


I am on Ocata with Shibboleth auth enabled. I noticed that Federated
users with the admin role no longer have authorization to use the
Admin panels in Horizon related to Nova, Cinder and Neutron. All
regular Identity and Project tabs function, and there are no problems
with authorization for local admin users.

-----
These Admin tabs work: Hypervisors, Host Aggregates, Flavors, Images,
Defaults, Metadata, System Information

These result in logout: Instances, Volumes, Networks, Routers, Floating IPs

This is not present: Overview
-----

The policies are vanilla from the CentOS/RDO openstack-dashboard RPMs:
openstack-dashboard-11.0.0-1.el7.noarch
python-django-horizon-11.0.0-1.el7.noarch
python2-keystonemiddleware-4.14.0-1.el7.noarch
python2-keystoneclient-3.10.0-1.el7.noarch
openstack-keystone-11.0.0-1.el7.noarch
python2-keystoneauth1-2.18.0-1.el7.noarch
python-keystone-11.0.0-1.el7.noarch

The errors I see in logs are similar to:

==> /var/log/horizon/horizon.log <==
2017-03-07 18:24:54,961 13745 ERROR horizon.exceptions Unauthorized:
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/floating_ips/views.py", line 53, in get_tenant_list
    tenants, has_more = api.keystone.tenant_list(request)
  File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 351, in tenant_list
    manager = VERSIONS.get_project_manager(request, admin=admin)
  File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 61, in get_project_manager
    manager = keystoneclient(*args, **kwargs).projects
  File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 170, in keystoneclient
    raise exceptions.NotAuthorized
NotAuthorized

Cheers,
-E
--
Evan F. Bollig, PhD
Scientific Computing Consultant, Application Developer | Scientific
Computing Solutions (SCS)
Minnesota Supercomputing Institute | msi.umn.edu
University of Minnesota | umn.edu
boll0107 at umn.edu | 612-624-1447 | Walter Lib Rm 556


