[Openstack] [Horizon][Keystone] Failed to set up keystone v3 api for horizon

Lei Zhang zhang.lei.fly at gmail.com
Thu Mar 12 14:17:27 UTC 2015


I created project for the user admin(6433222efd78459bb70ad9adbcfac418).

The token horizon is past is a project scope token. So it can not passed
the cloud_admin rule.
I changed the rule to the admin_id is a little trick, and it works.

On Thu, Mar 12, 2015 at 5:16 PM, Trelohan Christophe <
ctrelohan at voyages-sncf.com> wrote:

> Hello,
>
> Does user_id replaced in cloud_admin rule is id of cloud_admin user ?
> I don't think you can log in with cloud_admin user in horizon, it seems
> that without project created for an user, you can't log in
> in horizon.
>
> I'm also interested in this, I also followed the mentioned article, but
> when I try to login with "admin" user in "default" domain,
> I have the same error (not authorized to list_projects). Both with horizon
> and Rest API.
>
>
>
>
> De : Lei Zhang [mailto:zhang.lei.fly at gmail.com]
> Envoyé : jeudi 12 mars 2015 03:33
> À : openstack; OpenStack Development Mailing List
> Objet : [Openstack] [Horizon][Keystone] Failed to set up keystone v3 api
> for horizon
>
> is there anyone tryed this and successfully?
>
> On Mon, Mar 9, 2015 at 4:25 PM, Lei Zhang <zhang.lei.fly at gmail.com> wrote:
> Hi guys,
>
> I am setting up the keytone v3 api. Now I meet a issue about the
> `cloud_admin` policy.
>
> Base on the
> http://www.florentflament.com/blog/setting-keystone-v3-domains.html
> article, I modify the cloud_admin policy to
>
> ```
> "cloud_admin": "rule:admin_required and
> domain_id:ef0d30167f744401a0cbfcc938ea7d63",
> ```
>
> But the cloud_admin don't work as expected. I failed to open all the
> identity panel ( like http://<host>/horizon/identity/domains/)
> Horizon tell me" Error: Unable to retrieve project list."
> And keystone log warning:
>
> ```
> 2015-03-09 16:00:06.423 9415 DEBUG keystone.policy.backends.rules [-]
> enforce identity:list_user_projects: {'is_delegated_auth': False,
> 'access_token_id': None, 'user_id': u'6433222efd78459bb70ad9adbcfac418',
> 'roles': [u'_member_', u'admin'], 'trustee_id': None, 'trustor_id': None,
> 'consumer_id': None, 'token': <KeystoneToken
> (audit_id=DWsSa6yYSWi0ht9E7q4uhw, audit_chain_id=w_zLBBeFQ82KevtJrdKIJw) at
> 0x7f4503fab3c8>, 'project_id': u'4d170baaa89b4e46b239249eb5ec6b00',
> 'trust_id': None}, enforce
> /usr/lib/python2.7/dist-packages/keystone/policy/backends/rules.py:100
> 2015-03-09 16:00:06.061 9410 WARNING keystone.common.wsgi [-] You are not
> authorized to perform the requested action: identity:list_projects (Disable
> debug mode to suppress these details.)
> ```
>
> ​I make some debug and found that, the root cause is that the `context`
> variable in keystone has no `domain_id` field( like the above keystone
> log). So the `cloud_admin` rule failed.​ if i change the `cloud_admin` to
> following. It works as expected.
>
> ```
> "cloud_admin": "rule:admin_required and
> user_id:6433222efd78459bb70ad9adbcfac418",
> ```
>
> I found that in the keystone code[0], the domain_id only exist when it is
> a domain scope. But i believe that the horizon login token is a project
> one( I am not very sure this)
>
> ```
>     if token.project_scoped:
>         auth_context['project_id'] = token.project_id
>     elif token.domain_scoped:
>         auth_context['domain_id'] = token.domain_id
>     else:
>         LOG.debug('RBAC: Proceeding without project or domain scope')
>
> ```
>
> Is it a bug? or some wrong configuration?
>
>
> Following is my configuration.
>
>
> ```
> # /etc/keystone/keystone.conf
> [DEFAULT]
> debug=true
> verbose=true
> log_dir=/var/log/keystone
> [assignment]
> driver = keystone.assignment.backends.sql.Assignment
> [database]
> connection=mysql://xxxx:xxxx@controller/keystone
> [identity]
> driver=keystone.identity.backends.sql.Identity
> [memcache]
> servers=controller1:11211,controller2:11211,controller3:1121
> [token]
> provider=keystone.token.providers.uuid.Provider
> ```
>
> ```
> # /etc/openstack-dashboard/local_settings.py ( partly )
> POLICY_FILES_PATH = "/etc/openstack-dashboard/"
> POLICY_FILES = {
>     'identity': 'keystone_policy.json',
> }
> OPENSTACK_HOST = "127.0.0.1"
> OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
> OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
> OPENSTACK_API_VERSIONS = {
>      "data_processing": 1.1,
>      "identity": 3,
>      "volume": 2
> }
> OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
> OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'admin'
> ```
>
> ​[0]
> https://github.com/openstack/keystone/blob/master/keystone/common/authorization.py#L58
>>
> --
> Lei Zhang
> Blog: http://xcodest.me
> twitter/weibo: @jeffrey4l
>
>
>
>
> --
> Lei Zhang
> Blog: http://xcodest.me
> twitter/weibo: @jeffrey4l
>



-- 
Lei Zhang
Blog: http://xcodest.me
twitter/weibo: @jeffrey4l
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20150312/7c6bef49/attachment.html>


More information about the Openstack mailing list