[openstack-dev] [horizon] [keystone] [federated auth] [ocata] federated users with "admin" role not authorized for nova, cinder, neutron admin panels

Boris Bobrov breton at cynicmansion.ru
Tue Mar 21 12:44:29 UTC 2017


Hi,

Oh wow, for some reason my message was not sent to the list.

On 03/20/2017 09:03 PM, Evan Bollig PhD wrote:
> Hey Boris,
> 
> Any updates on this?
> 
> Cheers,
> -E
> --
> Evan F. Bollig, PhD
> Scientific Computing Consultant, Application Developer | Scientific
> Computing Solutions (SCS)
> Minnesota Supercomputing Institute | msi.umn.edu
> University of Minnesota | umn.edu
> boll0107 at umn.edu | 612-624-1447 | Walter Lib Rm 556
> 
> 
> On Thu, Mar 9, 2017 at 4:08 PM, Evan Bollig PhD <boll0107 at umn.edu> wrote:
>> Hey Boris,
>>
>> Which mapping? Hope you were looking for the shibboleth user
>> mapping. Also, hope this is the right way to share the paste (first
>> time using this):
>> http://paste.openstack.org/show/3snCb31GRZfAuQxdRouy/

This is probably part of bug
https://bugs.launchpad.net/keystone/+bug/1589993 . I am not 100% sure
though. Could you please file a new bug report?

For now, you could try auto-provisioning using the new capabilities
from Ocata:
https://docs.openstack.org/developer/keystone/federation/mapping_combinations.html#auto-provisioning

>> Cheers,
>> -E
>>
>>
>> On Thu, Mar 9, 2017 at 7:50 AM, Boris Bobrov <breton at cynicmansion.ru> wrote:
>>> Hi,
>>>
>>> Please paste your mapping to paste.openstack.org
>>>
>>> On 03/09/2017 02:07 AM, Evan Bollig PhD wrote:
>>>> I am on Ocata with Shibboleth auth enabled. I noticed that Federated
>>>> users with the admin role no longer have authorization to use the
>>>> Admin** panels in Horizon related to Nova, Cinder and Neutron. All
>>>> regular Identity and Project tabs function, and there are no problems
>>>> with authorization for local admin users.
>>>>
>>>> -----
>>>> These Admin tabs work: Hypervisors, Host Aggregates, Flavors, Images,
>>>> Defaults, Metadata, System Information
>>>>
>>>> These result in logout: Instances, Volumes, Networks, Routers, Floating IPs
>>>>
>>>> This is not present: Overview
>>>> -----
>>>>
>>>> The policies are vanilla from the CentOS/RDO openstack-dashboard RPMs:
>>>> openstack-dashboard-11.0.0-1.el7.noarch
>>>> python-django-horizon-11.0.0-1.el7.noarch
>>>> python2-keystonemiddleware-4.14.0-1.el7.noarch
>>>> python2-keystoneclient-3.10.0-1.el7.noarch
>>>> openstack-keystone-11.0.0-1.el7.noarch
>>>> python2-keystoneauth1-2.18.0-1.el7.noarch
>>>> python-keystone-11.0.0-1.el7.noarch
>>>>
>>>> The errors I see in logs are similar to:
>>>>
>>>> ==> /var/log/horizon/horizon.log <==
>>>> 2017-03-07 18:24:54,961 13745 ERROR horizon.exceptions Unauthorized:
>>>> Traceback (most recent call last):
>>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/floating_ips/views.py",
>>>> line 53, in get_tenant_list
>>>>     tenants, has_more = api.keystone.tenant_list(request)
>>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py",
>>>> line 351, in tenant_list
>>>>     manager = VERSIONS.get_project_manager(request, admin=admin)
>>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py",
>>>> line 61, in get_project_manager
>>>>     manager = keystoneclient(*args, **kwargs).projects
>>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py",
>>>> line 170, in keystoneclient
>>>>     raise exceptions.NotAuthorized
>>>> NotAuthorized
>>>>
>>>> Cheers,
>>>> -E
>>>>
>>>> __________________________________________________________________________
>>>> OpenStack Development Mailing List (not for usage questions)
>>>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>


