[horizon] Yoga: Syntax of new Parameter SYSTEM_SCOPE_SERVICES in local_settings.py

Crandale clemens.hardewig at crandale.de
Wed May 4 12:29:28 UTC 2022


Hi there,

We have started to analyze OpenStack Yoga a bit, and one of the major new features there is the activation of scope-based tokens for regular use in nova. After some long-lasting back and forth in configuring our role assignments and policies, we could make it work on one of our test environments (Ubuntu) via the OpenStack SDK; however, we are still struggling with some system-scoped API calls to nova from horizon.

We have an admin user for the domain 'Default' who has set the role 'admin' for 'system all':
+-------+---------------+-------+---------+--------+--------+-----------+
| Role  | User          | Group | Project | Domain | System | Inherited |
+-------+---------------+-------+---------+--------+--------+-----------+
| admin | admin@Default |       |         |        | all    | False     |
+-------+---------------+-------+---------+--------+--------+-----------+

We have configured in local_settings.py:

SYSTEM_SCOPE_SERVICES = ['compute', 'image', 'volume', 'network']

(Note: this config line has been reverse engineered from horizon source code as the syntax is nowhere possible to be found in the docs yet … - so: not sure if it is correct) 

Policy files are identical for horizon as for the services.

For the user admin, we then get an additional field in the domain/project top line menu adding a 'system scope' switch (this is how we understand it should look) and - when switching to system scope - also a system menu in the sidebar (also as expected).

If we then go to System->System Information to see the nova service list, we get an error 'Unable to get nova services list'; the given reason is an error: 'Policy doesn't allow os_compute_api:os-services:list to be performed (HTTP 403)'. Information for network and volume services is shown normally (here scoped tokens are not activated yet).

Further analysis indicated that horizon is still using a project-scoped token and not a system-scoped one for these requests although 'system scope' is active.

Putting the same request from the OpenStack SDK with the same user admin results in

$ openstack compute service list
/usr/lib/python3/dist-packages/secretstorage/dhcrypto.py:15: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
/usr/lib/python3/dist-packages/secretstorage/util.py:19: CryptographyDeprecationWarning: int_from_bytes is deprecated, use int.from_bytes instead
  from cryptography.utils import int_from_bytes
+----+------------------+-------------+----------+---------+-------+----------------------------+
| ID | Binary           | Host        | Zone     | Status  | State | Updated At                 |
+----+------------------+-------------+----------+---------+-------+----------------------------+
|  4 | nova-consoleauth | controller  | nova     | enabled | down  | 2019-10-31T14:59:33.000000 |
|  5 | nova-scheduler   | controller  | nova     | enabled | up    | 2022-05-04T08:52:48.000000 |
|  6 | nova-conductor   | controller  | nova     | enabled | up    | 2022-05-04T08:52:42.000000 |
| 12 | nova-compute     | compute3    | Crandale | enabled | up    | 2022-05-04T08:52:40.000000 |
| 13 | nova-conductor   | controller3 | nova     | enabled | down  | 2020-06-28T14:45:31.000000 |
| 14 | nova-scheduler   | controller3 | nova     | enabled | down  | 2020-06-28T14:45:24.000000 |
+----+------------------+-------------+----------+---------+-------+----------------------------+

Which indicates that role assignments to user admin are correct. The same command with --debug also proves that a system-scoped token is generated.

Before I consider opening a bug against Horizon: could someone indicate to me whether the syntax of the config needs some adaptations to make it work, or confirm that it is correct?

Is there any other aspect we overlooked?

I am looking forward to your reply

Best regards

Clemens
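
The mismatch described in the message above (a system-scoped token from the CLI, a project-scoped token from the dashboard), as an added example that is not part of the original message and is not Horizon, nova or oslo.policy code: it classifies the scope of a Keystone v3 token body and applies a scope-type check before a role check. The policy-to-scope mapping, the required role and the sample token bodies are assumptions constructed for illustration.

```python
# Added example: stdlib only; does not call Horizon, keystoneauth or oslo.policy.

# Assumption: scope types required by the policy named in the 403 above.
POLICY_SCOPE_TYPES = {"os_compute_api:os-services:list": {"system"}}


def token_scope(body):
    """Return (scope_type, target) for a Keystone v3 token response body."""
    token = body["token"]
    if token.get("system", {}).get("all"):
        return "system", "all"
    for kind in ("project", "domain"):
        if kind in token:
            return kind, token[kind].get("name") or token[kind].get("id")
    return "unscoped", None


def scope_check(body, rule, required_role="admin"):
    """Check the token's scope type first, then the role (assumed: admin)."""
    scope, target = token_scope(body)
    allowed = POLICY_SCOPE_TYPES[rule]
    if scope not in allowed:
        return False, f"{scope}-scoped token ({target}); {rule} needs {sorted(allowed)}"
    roles = {r["name"] for r in body["token"].get("roles", [])}
    if required_role not in roles:
        return False, f"role {required_role!r} missing from token"
    return True, f"{scope}-scoped token with role {required_role!r}"


# Constructed sample token bodies (trimmed; not captured from a real cloud).
SYSTEM_TOKEN = {"token": {"user": {"name": "admin"}, "system": {"all": True},
                          "roles": [{"name": "admin"}]}}
PROJECT_TOKEN = {"token": {"user": {"name": "admin"},
                           "project": {"id": "p-0001", "name": "admin"},
                           "roles": [{"name": "admin"}]}}

if __name__ == "__main__":
    for label, body in (("CLI", SYSTEM_TOKEN), ("dashboard", PROJECT_TOKEN)):
        ok, why = scope_check(body, "os_compute_api:os-services:list")
        print(f"{label:9s} {'ALLOW' if ok else 'DENY '}  {why}")
```

The same admin role yields opposite results depending only on which scope key the token carries, which is the first thing to compare between a dashboard request and a CLI request.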



