On 07/28/2016 10:05 PM, Tim Hinrichs wrote:

I've never worked on the authentication details, so this may be off track, but that error message indicates the failure is happening inside Congress's oslo_policy.

Error message shows up here as a Python exception class.
https://github.com/openstack/congress/blob/master/congress/exception.py#L135

That exception class is instantiated only here
https://github.com/openstack/congress/blob/master/congress/common/policy.py#L93

The code that uses the instantiated exception class (which actually does the enforcement):
https://github.com/openstack/congress/blob/7c2f4132b9693e7969e704cb9914963274c2c4a1/congress/api/webservice.py#L373

I don't remember off the top of my head how the default policy.json gets created, but I'm sure the admin credentials will work. You might want to ensure you're logged in as the admin with...

$ source openrc admin admin


In most projects, policy is enforced against an oslo-context object. That should abstract away the differences between V2 and V3 keystone token formats.

Make sure that the policy is not dying on something specific to one version or the other. Post the actual rule executed, please.



Tim

On Thu, Jul 28, 2016 at 1:56 PM Aimee Ukasick <[email protected]> wrote:

    I've gotten a little farther, which leads me to my next question -
    does the API support v3 token auth?
    or am I making mistakes in my manual testing?

    using the CLI on local devstack
    1) did not modify openrc
    2) source openrc
    3) openstack token issue
    4) openstack congress datasource list --os-auth-type v3token \
         --os-token ad74073300e244768e08e0d4cd73fbbd \
         --os-auth-url http://192.168.56.101:5000/v3 \
         --os-project-id da9a9ba573c34c18a037fd04812d81bc --debug --verbose

    When the python-congressclient calls the API, this is the response:
    RESP BODY: Policy doesn't allow get_v1 to be performed.
    Request returned failure status: 403

    Log: http://paste.openstack.org/show/543445/

    So then I called the API directly:
    curl -X POST -H "Content-Type: application/json" \
      -H "Cache-Control: no-cache" \
      -d '{ "auth": {
        "identity": {
          "methods": ["password"],
          "password": {
            "user": {
              "name": "demo",
              "domain": { "id": "default" },
              "password": "secret"
            }
          }
        }
      }
    }' "http://192.168.56.101:5000/v3/auth/tokens"

    Response:
    {
      "token": {
        "issued_at": "2016-07-28T20:43:44.258137Z",
        "audit_ids": [
          "N6tnfbI5QvyRT4xEB7pGCA"
        ],
        "methods": [
          "password"
        ],
        "expires_at": "2016-07-28T21:43:44.258112Z",
        "user": {
          "domain": {
            "id": "default",
            "name": "Default"
          },
          "id": "f2bf5189bbd7466cbecc1b1315cff3b5",
          "name": "demo"
        }
      }
    }

    Then:
    curl -X GET -H "X-Auth-Token: f2bf5189bbd7466cbecc1b1315cff3b5" \
      -H "Cache-Control: no-cache" "http://192.168.56.101:1789/v1/data-sources"

    Response:
    {
      "error": {
        "message": "The request you have made requires authentication.",
        "code": 401,
        "title": "Unauthorized"
      }
    }

    I'm feeling pretty stupid at the moment, like I've missed
    something obvious.
    Any ideas?

    Thanks!

    aimee

    On Fri, Jul 22, 2016 at 9:21 PM, Anusha Ramineni <[email protected]> wrote:
    > Hi Aimee,
    >
    > Thanks for the investigation.
    >
    > I remember testing congress client with V3 password based authentication,
    > which worked fine .. but never tested with token based.
    >
    > Please go ahead and fix it, if you think there is any issue.
    >
    >
    > On 22-Jul-2016 9:38 PM, "Aimee Ukasick" <[email protected]> wrote:
    >>
    >> All - I made the change to the auth_url that Anusha suggested.
    >> Same problem as before: "Cannot authorize API client"
    >> 2016-07-22 14:13:50.835861 ***** calling policies_list = client.list_policy()*****
    >> 2016-07-22 14:13:50.836062 Unable to get policies list: Cannot authorize API client.
    >>
    >> I used the token from the log output to query the Congress API with
    >> the keystone v3 token - no issues.
    >> curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" \
    >>   -H "Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies"
    >>
    >> So I really think the problem is that the python-congressclient
    >> doesn't support identity v3.
    >> I thought it did, but then I came across this:
    >> "support keystone v3 api and session based authentication "
    >> https://bugs.launchpad.net/python-congressclient/+bug/1564361
    >> This is currently assigned to Anusha.
    >> I'd like to start work on it since I am becoming familiar with
    >> keystone v3.
    >>
    >> Thoughts?
    >>
    >> aimee
    >>
    >>
    >>
    >>
    >> On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick <[email protected]> wrote:
    >> > Thanks Anusha! I will retest this today. I guess I need to learn more
    >> > about Horizon as well - thanks for pointing me in the right direction.
    >> >
    >> > aimee
    >> >
    >> >
    >> >
    >> > On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni <[email protected]> wrote:
    >> >> Hi Aimee,
    >> >>
    >> >> I think devstack by default configured horizon to use v3.
    >> >> For V2 authentication, from the logs, auth_url doesn't seem to be set
    >> >> explicitly to v2 auth_url.
    >> >>
    >> >> I have always set explicit v2 auth which worked fine.
    >> >> For eg:- auth_url = 'http://<host-ip>:5000/v2.0' , for V2
    >> >> authentication
    >> >>
    >> >> I have raised a patch, to take the auth_url from horizon settings
    >> >> instead of from request.
    >> >> https://review.openstack.org/#/c/345828/1
    >> >>
    >> >> Please set explicit v2 auth_url as mentioned above in
    >> >> OPENSTACK_KEYSTONE_URL in
    >> >> <horizon>/openstack_dashboard/local/local_settings.py and restart
    >> >> apache2 server. Then v2 authentication should go through fine.
    >> >>
    >> >> For v3, need to add relevant code for v3 authentication in
    >> >> contrib/horizon as presently it is hardcoded to use only v2. but yes,
    >> >> the code from plugin model patch is still a WIP, so doesn't work for
    >> >> v3 authentication I guess.
    >> >> I'll have a look at it and let you know.
    >> >>
    >> >>
    >> >> Best Regards,
    >> >> Anusha
    >> >>
    >> >> On 21 July 2016 at 21:56, Tim Hinrichs <[email protected]> wrote:
    >> >>>
    >> >>> So clearly an authentication problem then.
    >> >>>
    >> >>> Anusha, do you have any ideas? (Aimee, I think Anusha has worked with
    >> >>> Keystone authentication most recently, so she's your best bet.)
    >> >>>
    >> >>> Tim
    >> >>>
    >> >>> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick <[email protected]> wrote:
    >> >>>>
    >> >>>> The Policy/Data Sources web page throws the same errors. I am
    >> >>>> planning to recheck direct API calls using v3 auth today or tomorrow.
    >> >>>>
    >> >>>> aimee
    >> >>>>
    >> >>>> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs <[email protected]> wrote:
    >> >>>> > Hi Aimee,
    >> >>>> >
    >> >>>> > Do the other APIs work? That is, is it a general problem
    >> >>>> > authenticating, or
    >> >>>> > is the problem limited to list_policies?
    >> >>>> >
    >> >>>> > Tim
    >> >>>> >
    >> >>>> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick <[email protected]> wrote:
    >> >>>> >>
    >> >>>> >> Hi all,
    >> >>>> >>
    >> >>>> >> I've been working on Policy UI (Horizon): Unable to get policies
    >> >>>> >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
    >> >>>> >> for the past 3 days. Anusha is correct - it's an authentication
    >> >>>> >> problem, but I have not been able to fix it.
    >> >>>> >>
    >> >>>> >> I grabbed the relevant code in congress.py from Anusha's horizon
    >> >>>> >> plugin model patchset (https://review.openstack.org/#/c/305063/3)
    >> >>>> >> and added try/catch blocks, logging statements (with error because I
    >> >>>> >> haven't figured out how to set the horizon log level).
    >> >>>> >>
    >> >>>> >> I am testing the code on devstack, which I cloned on 19 July 2016.
    >> >>>> >>
    >> >>>> >> With both v2 and v3 auth, congressclient.v1.client is created.
    >> >>>> >> The failure happens trying to call
    >> >>>> >> congressclient.v1.client.Client.list_policies().
    >> >>>> >> When using v2 auth, the error message is "Unable to get policies
    >> >>>> >> list: The resource could not be found"
    >> >>>> >> When using v3 auth, the error message is "Cannot authorize API
    >> >>>> >> client"
    >> >>>> >>
    >> >>>> >> I am assuming that congressclient.v1.client.Client is
    >> >>>> >> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
    >> >>>> >> and that client.list_policy() calls list_policy() in the
    >> >>>> >> python-congressclient
    >> >>>> >> which in turn calls the Congress API. Is this correct?
    >> >>>> >>
    >> >>>> >> Any ideas why with v3 auth, the python-congressclient cannot
    >> >>>> >> authorize the call to the API?
    >> >>>> >>
    >> >>>> >> I looked at other horizon plugin models (ceilometer, neutron,
    >> >>>> >> nova, cerberus, cloudkitty, trove, designate, manila) to see how
    >> >>>> >> they created the client. While the code to create a client is not
    >> >>>> >> identical, it is vastly different from the code to create a client
    >> >>>> >> in contrib/horizon/congress.py.
    >> >>>> >>
    >> >>>> >> Thanks in advance for any pointers.
    >> >>>> >>
    >> >>>> >> aimee
    >> >>>> >>
    >> >>>> >> Aimee Ukasick (aimeeu)
    >> >>>> >>
    >> >>>> >> v2 log:
    >> >>>> >> 2016-07-20 22:13:56.501455
    >> >>>> >> 2016-07-20 22:14:30.238233 ***** view.get_data calling policies = congress.policies_list(self.request) *****
    >> >>>> >> 2016-07-20 22:14:30.238318 ***** self.request.path= /dashboard/admin/policies/
    >> >>>> >> 2016-07-20 22:14:30.238352 ***** congress.policies_list(request) BEGIN*****
    >> >>>> >> 2016-07-20 22:14:30.238376 ***** calling client = congressclient(request)*****
    >> >>>> >> 2016-07-20 22:14:30.238399 ***** congress.congressclient BEGIN*****
    >> >>>> >> 2016-07-20 22:14:30.238454 ***** auth_url= http://192.168.56.103/identity
    >> >>>> >> 2016-07-20 22:14:30.238479 ***** calling get_keystone_session *****
    >> >>>> >> 2016-07-20 22:14:30.238505 ***** congress.get_keystone_session BEGIN auth_url *****http://192.168.56.103/identity
    >> >>>> >> 2016-07-20 22:14:30.238554 ***** path= /identity
    >> >>>> >> 2016-07-20 22:14:30.238578 ***** using V2 plugin to authenticate*****
    >> >>>> >> 2016-07-20 22:14:30.238630 ***** v2 auth.get_auth_state=
    >> >>>> >> 2016-07-20 22:14:30.238656 None
    >> >>>> >> 2016-07-20 22:14:30.238677 ***** finished using V2 plugin to authenticate*****
    >> >>>> >> 2016-07-20 22:14:30.238698 ***** creating session with auth *****
    >> >>>> >> 2016-07-20 22:14:30.244407 ***** congress.get_keystone_session END*****
    >> >>>> >> 2016-07-20 22:14:30.244462 ***** regtion_name= RegionOne
    >> >>>> >> 2016-07-20 22:14:30.244491 ***** calling congress_client.Client(**kwargs)
    >> >>>> >> 2016-07-20 22:14:30.247830 ***** congress.congressclient END*****
    >> >>>> >> 2016-07-20 22:14:30.247902 ***** calling policies_list = client.list_policy()*****
    >> >>>> >> 2016-07-20 22:14:30.248012 DEBUG:keystoneauth.identity.v2:Making authentication request to http://192.168.56.103/identity/tokens
    >> >>>> >> 2016-07-20 22:14:30.255023 DEBUG:keystoneauth.session:Request returned failure status: 404
    >> >>>> >> 2016-07-20 22:14:30.257546 Unable to get policies list: The resource could not be found.
    >> >>>> >>
    >> >>>> >>
    >> >>>> >> v3 log:
    >> >>>> >> 2016-07-20 22:09:22.912969
    >> >>>> >> 2016-07-20 22:09:31.907119 ***** view.get_data calling policies = congress.policies_list(self.request) *****
    >> >>>> >> 2016-07-20 22:09:31.907973 ***** self.request.path= /dashboard/admin/policies/
    >> >>>> >> 2016-07-20 22:09:31.908122 ***** congress.policies_list(request) BEGIN*****
    >> >>>> >> 2016-07-20 22:09:31.908250 ***** calling client = congressclient(request)*****
    >> >>>> >> 2016-07-20 22:09:31.908386 ***** congress.congressclient BEGIN*****
    >> >>>> >> 2016-07-20 22:09:31.909034 ***** auth_url= http://192.168.56.103/identity
    >> >>>> >> 2016-07-20 22:09:31.909217 ***** calling get_keystone_session *****
    >> >>>> >> 2016-07-20 22:09:31.909356 ***** congress.get_keystone_session BEGIN auth_url *****http://192.168.56.103/identity
    >> >>>> >> 2016-07-20 22:09:31.909527 ***** path= /identity
    >> >>>> >> 2016-07-20 22:09:31.909795 ***** using V3 plugin to authenticate*****
    >> >>>> >> 2016-07-20 22:09:31.910042 auth_url=http://192.168.56.103/identity
    >> >>>> >> 2016-07-20 22:09:31.910175 token=d46339f2d0b5455db54909d6ed95a9cc
    >> >>>> >> 2016-07-20 22:09:31.910301 project_name=alt_demo
    >> >>>> >> 2016-07-20 22:09:31.910426 domain_name=Default
    >> >>>> >> 2016-07-20 22:09:31.910676 project_domain_name=default
    >> >>>> >> 2016-07-20 22:09:31.910866 ***** v3 auth.get_auth_state=
    >> >>>> >> 2016-07-20 22:09:31.910992 None
    >> >>>> >> 2016-07-20 22:09:31.914053 ***** finished using V3 plugin to authenticate*****
    >> >>>> >> 2016-07-20 22:09:31.914100 ***** creating session with auth *****
    >> >>>> >> 2016-07-20 22:09:31.922260 ***** congress.get_keystone_session END*****
    >> >>>> >> 2016-07-20 22:09:31.922542 ***** regtion_name= RegionOne
    >> >>>> >> 2016-07-20 22:09:31.922676 ***** calling congress_client.Client(**kwargs)
    >> >>>> >> 2016-07-20 22:09:31.922822 ***** congress.congressclient END*****
    >> >>>> >> 2016-07-20 22:09:31.922949 ***** calling policies_list = client.list_policy()*****
    >> >>>> >> 2016-07-20 22:09:31.924732 Unable to get policies list: Cannot authorize API client.
    >> >>>> >>
    >> >>>> >>
    >> >>>> >>
    >> >>>> >>
    __________________________________________________________________________
    >> >>>> >> OpenStack Development Mailing List (not for usage
    questions)
    >> >>>> >> Unsubscribe:
    >> >>>> >>
    [email protected]?subject:unsubscribe
    <http://[email protected]?subject:unsubscribe>
    >> >>>> >>
    http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
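In the direct API call quoted in this thread, the X-Auth-Token value is the same string the token response shows as user.id; Keystone v3 returns the token ID in the X-Subject-Token response header, not in the JSON body, and an auth request with no scope block yields an unscoped token that carries no roles. The following is an added example (not code from the thread or from Congress) that checks a captured response for both conditions; the header value is a constructed placeholder and the function names are hypothetical.

```python
import json

# Constructed capture: the body is the response quoted in the thread (trimmed);
# the header value is a placeholder, since the thread shows no response headers.
SAMPLE_HEADERS = {"X-Subject-Token": "PLACEHOLDER-TOKEN-ID"}
SAMPLE_BODY = json.dumps({
    "token": {
        "audit_ids": ["N6tnfbI5QvyRT4xEB7pGCA"],
        "methods": ["password"],
        "user": {
            "domain": {"id": "default", "name": "Default"},
            "id": "f2bf5189bbd7466cbecc1b1315cff3b5",
            "name": "demo",
        },
    }
})


def parse_auth_response(headers, body):
    """Summarise a Keystone v3 token response: token ID, scope and roles."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names ignore case
    token = json.loads(body)["token"]
    if "project" in token:
        scope = "project"
    elif "domain" in token:
        scope = "domain"
    else:
        scope = "unscoped"
    return {
        "token_id": lowered.get("x-subject-token"),  # never part of the JSON body
        "scope": scope,
        "roles": [r["name"] for r in token.get("roles", [])],
        "user_id": token["user"]["id"],
        "audit_ids": token.get("audit_ids", []),
    }


def check_x_auth_token(candidate, headers, body):
    """Return findings on why `candidate` may be refused as an X-Auth-Token."""
    info = parse_auth_response(headers, body)
    findings = []
    if candidate == info["user_id"]:
        findings.append("value is user.id from the body, not a token")
    elif candidate in info["audit_ids"]:
        findings.append("value is an audit id, not a token")
    elif candidate != info["token_id"]:
        findings.append("value does not match X-Subject-Token")
    if info["scope"] == "unscoped":
        findings.append("token is unscoped: no project or roles for policy rules")
    return findings


if __name__ == "__main__":
    # The value sent as X-Auth-Token in the quoted curl call.
    for finding in check_x_auth_token("f2bf5189bbd7466cbecc1b1315cff3b5",
                                      SAMPLE_HEADERS, SAMPLE_BODY):
        print("-", finding)
```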