[Openstack] [Horizon][Keystone] Migration to keystone v3
Davide Panarese
dpanarese at enter.eu
Sat Sep 29 14:43:44 UTC 2018
I found the source of the issue.
Into keystone configuration I set allow_rescope_scoped_token to false. Setting true this value horizon compute tab works.
But now the question is:
Why horizon try to rescope authentication token only for compute information?
Thanks
Davide Panarese
Cloud & Solution Architect
Enter | The open network and cloud provider
Via privata Stefanardo da Vimercate, 28
20128 Milano
enter.eu
Mobile: +39 3386369591
Phone: +39 02 25514 837
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
> On 28 Sep 2018, at 20:28, Erik McCormick <emccormick at cirrusseven.com> wrote:
>
> Add yourself as an admin of the domain. I think it uses a domain scored token for that tab. In V2 you would have only been admin of a project.
>
> -Erik
>
> On Fri, Sep 28, 2018, 11:47 AM Davide Panarese <dpanarese at enter.eu <mailto:dpanarese at enter.eu>> wrote:
> It’s not nova-compute that report the issue but keystone authentication on computing tab.
> As I said before, openstack cli working properly with all services, nova included.
>
>
>
> Davide Panarese
> Cloud & Solution Architect
>
> Enter | The open network and cloud provider
>
> Via privata Stefanardo da Vimercate, 28
> 20128 Milano
> enter.eu <http://enter.eu/>
>
> Mobile: +39 3386369591
> Phone: +39 02 25514 837
>
> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
>
>> On 28 Sep 2018, at 14:52, Eugen Block <eblock at nde.ag <mailto:eblock at nde.ag>> wrote:
>>
>> Since nova-compute reports that failure, what is your auth_url in /etc/nova/nova.conf in the [placement] section?
>>
>>
>>
>> Zitat von Davide Panarese <dpanarese at enter.eu <mailto:dpanarese at enter.eu>>:
>>
>>> @Paul
>>> Yes keystone:5000 is my endpoint.
>>>
>>> @Eugen
>>> OPENSTACK_KEYSTONE_URL = "http://%s/v3 <http://%s/v3> <http://%s/v3 <http://%s/v3>>" % OPENSTACK_HOST
>>>
>>> Still not working.
>>>
>>>
>>> Davide Panarese
>>>
>>>
>>>> On 28 Sep 2018, at 13:50, Eugen Block <eblock at nde.ag <mailto:eblock at nde.ag>> wrote:
>>>>
>>>> Hi,
>>>>
>>>> what is your current horizon configuration?
>>>>
>>>> control:~ # grep KEYSTONE_URL /srv/www/openstack-dashboard/openstack_dashboard/local/local_settings.py
>>>> OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3 <http://%s:5000/v3>" % OPENSTACK_HOST
>>>>
>>>> Maybe this still configured to v2?
>>>>
>>>> Regards,
>>>> Eugen
>>>>
>>>>
>>>> Zitat von Davide Panarese <dpanarese at enter.eu <mailto:dpanarese at enter.eu>>:
>>>>
>>>>> Goodmorning every one,
>>>>> i'm finally approaching migration to keystone v3 but i want to maintain keystone v2 compatibility for all users that have custom scripts for authentication to our openstack.
>>>>> Migration seems to be pretty simple, change endpoint direct into database changing MailScanner ha rilevato un possibile tentativo di frode proveniente da "keystone:5000" http://keystone:5000/v2.0 <http://keystone:5000/v2.0> to http://keystone:5000 <http://keystone:5000/> <http://keystone:5000/ <http://keystone:5000/>>; Openstack client have the capability to add /v2.0 or /v3 at the end of url retrieved from catalog.
>>>>> But i'm stuck with horizon dashboard, login works but compute information are not available and error log show:
>>>>> “ Forbidden: You are not authorized to perform the requested action: rescope a scoped token. (HTTP 403)"
>>>>> All other tabs works properly.
>>>>> I think that is a keystone issue but i don't understand why with openstack client works perfectly and with horizon not.
>>>>> Anyone can explain what i missed in migration?
>>>>>
>>>>> Thanks a lot,
>>>>> Davide Panarese
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>>>> Post to : openstack at lists.openstack.org <mailto:openstack at lists.openstack.org>
>>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>>>>
>>>> --
>>>> Questo messaggio e' stato analizzato con Libra ESVA ed e' risultato non infetto.
>>>> Seguire il link qui sotto per segnalarlo come spam:http://mx01.enter.it/cgi-bin/learn-msg.cgi?id=D389145856.A899A <http://mx01.enter.it/cgi-bin/learn-msg.cgi?id=D389145856.A899A>
>>>>
>>>>
>>
>>
>>
>>
>> --
>> Questo messaggio e' stato analizzato con Libra ESVA ed e' risultato non infetto.
>> Seguire il link qui sotto per segnalarlo come spam:http://mx01.enter.it/cgi-bin/learn-msg.cgi?id=9946B46CDF.A2B74 <http://mx01.enter.it/cgi-bin/learn-msg.cgi?id=9946B46CDF.A2B74>
>>
>>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
> Post to : openstack at lists.openstack.org <mailto:openstack at lists.openstack.org>
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack>
>
> --
> Questo messaggio e' stato analizzato con Libra ESVA ed e' risultato non infetto.
> Clicca qui per segnalarlo come spam. <http://mx01.enter.it/cgi-bin/learn-msg.cgi?id=953D5406E1.AD5CD>
> Clicca qui per metterlo in blacklist <http://mx01.enter.it/cgi-bin/learn-msg.cgi?blacklist=1&id=953D5406E1.AD5CD> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20180929/8f63e836/attachment.html>
More information about the Openstack
mailing list