[openstack-dev] [horizon] [keystone] [federated auth] [ocata] federated users with "admin" role not authorized for nova, cinder, neutron admin panels

Wed, 08 Mar 2017 15:11:24 -0800 

I am on Ocata with Shibboleth auth enabled. I noticed that Federated
users with the admin role no longer have authorization to use the
Admin** panels in Horizon related to Nova, Cinder and Neutron. All
regular Identity and Project tabs function, and there are no problems
with authorization for local admin users.

-----
These Admin tabs work: Hypervisors, Host Aggregates, Flavors, Images,
Defaults, Metadata, System Information

These result in logout: Instances, Volumes, Networks, Routers, Floating IPs

This is not present: Overview
-----

The policies are vanilla from the CentOS/RDO openstack-dashboard RPMs:
openstack-dashboard-11.0.0-1.el7.noarch
python-django-horizon-11.0.0-1.el7.noarch
python2-keystonemiddleware-4.14.0-1.el7.noarch
python2-keystoneclient-3.10.0-1.el7.noarch
openstack-keystone-11.0.0-1.el7.noarch
python2-keystoneauth1-2.18.0-1.el7.noarch
python-keystone-11.0.0-1.el7.noarch

The errors I see in logs are similar to:

==> /var/log/horizon/horizon.log <==
2017-03-07 18:24:54,961 13745 ERROR horizon.exceptions Unauthorized:
Traceback (most recent call last):
  File 
"/usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/floating_ips/views.py",
line 53, in get_tenant_list
    tenants, has_more = api.keystone.tenant_list(request)
  File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py",
line 351, in tenant_list
    manager = VERSIONS.get_project_manager(request, admin=admin)
  File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py",
line 61, in get_project_manager
    manager = keystoneclient(*args, **kwargs).projects
  File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py",
line 170, in keystoneclient
    raise exceptions.NotAuthorized
NotAuthorized

Cheers,
-E
--
Evan F. Bollig, PhD
Scientific Computing Consultant, Application Developer | Scientific
Computing Solutions (SCS)
Minnesota Supercomputing Institute | msi.umn.edu
University of Minnesota | umn.edu
boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to