[openstack-dev] [magnum] issue with admin_osc.keystone().trustee_domain_id
Spyros Trigazis
strigazi at gmail.com
Fri Sep 22 11:58:48 UTC 2017
Hi Greg,
Can you revisit your policy configuration and try again?
See here:
http://git.openstack.org/cgit/openstack/magnum/plain/etc/magnum/policy.json?h=stable/newton
Cheers,
Spyros
On 22 September 2017 at 13:49, Waines, Greg <Greg.Waines at windriver.com> wrote:
> Just another note on this ...
>
>
>
> We have
>
> · setup a ‘magnum’ domain, and
>
> · setup a ‘trustee_domain_admin’ user within that domain, and
>
> · gave that user and domain the admin role, and ß actually not
> 100% sure about this
>
> · referenced these items in magnum.conf
>
> o i.e. trustee_domain_name, trustee_domain_admin_name,
> trustee_domain_admin_password
>
>
>
> ... but still seeing the trust_domain_id issue in the admin context (see
> email below).
>
>
>
> let me know if anyone has some ideas on issue or next steps to look at,
>
> Greg.
>
>
>
>
>
> From: Greg Waines <Greg.Waines at windriver.com>
> Reply-To: "openstack-dev at lists.openstack.org"
> <openstack-dev at lists.openstack.org>
> Date: Wednesday, September 20, 2017 at 12:20 PM
> To: "openstack-dev at lists.openstack.org" <openstack-dev at lists.openstack.org>
> Cc: "Sun, Yicheng (Jerry)" <Jerry.Sun at windriver.com>
> Subject: [openstack-dev] [magnum] issue with
> admin_osc.keystone().trustee_domain_id
>
>
>
> We are in the process of integrating MAGNUM into our OpenStack distribution.
>
> We are working with NEWTON version of MAGNUM.
>
> We have the MAGNUM processes up and running and configured.
>
>
>
> However we are seeing the following error (see stack trace below) on
> virtually all MAGNUM CLI calls.
>
>
>
> The code where the stack trace is triggered:
>
> def add_policy_attributes(target):
>
> """Adds extra information for policy enforcement to raw target object"""
>
> admin_context = context.make_admin_context()
>
> admin_osc = clients.OpenStackClients(admin_context)
>
> trustee_domain_id = admin_osc.keystone().trustee_domain_id
>
> target['trustee_domain_id'] = trustee_domain_id
>
> return target
>
>
>
> ( NOTE: that this code was introduced upstream as part of a fix for
> CVE-2016-7404:
>
> https://github.com/openstack/magnum/commit/2d4e617a529ea12ab5330f12631f44172a623a14
> )
>
>
>
> Stack Trace:
>
> File "/usr/lib/python2.7/site-packages/wsmeext/pecan.py", line 84, in
> callfunction
>
> result = f(self, *args, **kwargs)
>
>
>
> File "<string>", line 2, in get_all
>
>
>
> File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 130,
> in wrapper
>
> exc=exception.PolicyNotAuthorized, action=action)
>
>
>
> File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 97,
> in enforce
>
> # add_policy_attributes(target)
>
>
>
> File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 106,
> in add_policy_attributes
>
> trustee_domain_id = admin_osc.keystone().trustee_domain_id
>
>
>
> File "/usr/lib/python2.7/site-packages/magnum/common/keystone.py", line
> 237, in trustee_domain_id
>
> self.domain_admin_session
>
>
>
> File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py",
> line 136, in get_access
>
> self.auth_ref = self.get_auth_ref(session)
>
>
>
> File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py",
> line 167, in get_auth_ref
>
> authenticated=False, log=False, **rkwargs)
>
>
>
> File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line
> 681, in post
>
> return self.request(url, 'POST', **kwargs)
>
>
>
> File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101,
> in inner
>
> return wrapped(*args, **kwargs)
>
>
>
> File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line
> 570, in request
>
> raise exceptions.from_response(resp, method, url)
>
>
>
> NotFound: The resource could not be found. (HTTP 404)
>
>
>
>
>
> Any ideas on what our issue could be ?
>
> Or next steps to investigate ?
>
>
>
> thanks in advance,
>
> Greg.
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
More information about the OpenStack-dev
mailing list