Anusha and Aimee,

Circling back on this issue: it seems that you are seeing different things with regards to horizon authentication using keystone v2. I think we can make good progress if we can clarify where we stand.

Anusha said setting the auth_url explicitly to v2 works. Aimee said it didn't. So just to clarify:

1. Anusha, did you mean set this line
   https://github.com/openstack/congress/blob/master/congress_dashboard/api/congress.py#L75
   to: `auth_url = 'http://<host-ip>:5000/v2.0'`?
2. Aimee, is that what you tried?
3. Do you still get different results?

From Anusha's commit message in this patch (https://review.openstack.org/#/c/305063/), the current code should fail because `auth_url = getattr(settings, 'OPENSTACK_KEYSTONE_URL')`[L75] grabs the .../v3 URL (devstack default), yet `auth = keystoneclient.auth.identity.v2.Token(`[L77] expects a .../v2.0 URL. So could we have a workaround simply by doing something like `auth_url = auth_url.replace('v3', 'v2.0')`? (*)

Thanks again for all the investigative work!
Eric

(*) Another potential issue is ports: https://ask.openstack.org/en/question/67846/difference-between-keystone-port-5000-and-35357/

On 7/22/16, 9:06 AM, "Aimee Ukasick" <aimeeu.opensou...@gmail.com> wrote:

>All - I made the change to the auth_url that Anusha suggested.
>Same problem as before " Cannot authorize API client"
>2016-07-22 14:13:50.835861 ***** calling policies_list = client.list_policy()*****
>2016-07-22 14:13:50.836062 Unable to get policies list: Cannot authorize API client.
>
>I used the token from the log output to query the Congress API with
>the keystone v3 token - no issues.
>curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H "Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies"
>
>So I really think the problem is that the python-congressclient
>doesn't support identity v3.
>I thought it did, but then I came across this:
>"support keystone v3 api and session based authentication "
>https://bugs.launchpad.net/python-congressclient/+bug/1564361
>This is currently assigned to Anusha.
>I'd like to start work on it since I am becoming familiar with keystone
>v3.
>
>Thoughts?
>
>aimee
>
>
>On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick <aimeeu.opensou...@gmail.com> wrote:
>> Thanks Anusha! I will retest this today. I guess I need to learn more
>> about Horizon as well - thanks for pointing me in the right direction.
>>
>> aimee
>>
>>
>> On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni <anusha.ii...@gmail.com> wrote:
>>> Hi Aimee,
>>>
>>> I think devstack by default configured horizon to use v3.
>>> For V2 authentication, from the logs, auth_url doesn't seem to be set
>>> explicitly to v2 auth_url.
>>>
>>> I have always set explicit v2 auth which worked fine.
>>> For eg:- auth_url = 'http://<host-ip>:5000/v2.0', for V2 authentication
>>>
>>> I have raised a patch, to take the auth_url from horizon settings instead of
>>> from request.
>>> https://review.openstack.org/#/c/345828/1
>>>
>>> Please set explicit v2 auth_url as mentioned above in OPENSTACK_KEYSTONE_URL
>>> in <horizon>/openstack_dashboard/local/local_settings.py and restart apache2
>>> server. Then v2 authentication should go through fine.
>>>
>>> For v3, need to add relevant code for v3 authentication in contrib/horizon
>>> as presently it is hardcoded to use only v2. but yes, the code from plugin
>>> model patch is still a WIP, so doesn't work for v3 authentication I guess
>>> I'll have a look at it and let you know.
>>>
>>>
>>> Best Regards,
>>> Anusha
>>>
>>> On 21 July 2016 at 21:56, Tim Hinrichs <t...@styra.com> wrote:
>>>>
>>>> So clearly an authentication problem then.
>>>>
>>>> Anusha, do you have any ideas? (Aimee, I think Anusha has worked with
>>>> Keystone authentication most recently, so she's your best bet.)
>>>>
>>>> Tim
>>>>
>>>> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick
>>>> <aimeeu.opensou...@gmail.com> wrote:
>>>>>
>>>>> The Policy/Data Sources web page throws the same errors. I am
>>>>> planning to recheck direct API calls using v3 auth today or tomorrow.
>>>>>
>>>>> aimee
>>>>>
>>>>> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs <t...@styra.com> wrote:
>>>>> > Hi Aimee,
>>>>> >
>>>>> > Do the other APIs work? That is, is it a general problem authenticating, or
>>>>> > is the problem limited to list_policies?
>>>>> >
>>>>> > Tim
>>>>> >
>>>>> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick <aimeeu.opensou...@gmail.com>
>>>>> > wrote:
>>>>> >>
>>>>> >> Hi all,
>>>>> >>
>>>>> >> I've been working on Policy UI (Horizon): Unable to get policies
>>>>> >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
>>>>> >> for the past 3 days. Anusha is correct - it's an authentication
>>>>> >> problem, but I have not been able to fix it.
>>>>> >>
>>>>> >> I grabbed the relevant code in congress.py from Anusha's horizon
>>>>> >> plugin model patchset (https://review.openstack.org/#/c/305063/3) and
>>>>> >> added try/catch blocks, logging statements (with error because I
>>>>> >> haven't figured out how to set the horizon log level).
>>>>> >>
>>>>> >>
>>>>> >> I am testing the code on devstack, which I cloned on 19 July 2016.
>>>>> >>
>>>>> >> With both v2 and v3 auth, congressclient.v1.client is created.
>>>>> >> The failure happens trying to call
>>>>> >> congressclient.v1.client.Client.list_policies().
>>>>> >> When using v2 auth, the error message is "Unable to get policies list:
>>>>> >> The resource could not be found"
>>>>> >> When using v3 auth, the error message is "Cannot authorize API client"
>>>>> >>
>>>>> >> I am assuming that congressclient.v1.client.Client is
>>>>> >> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
>>>>> >> and that client.list_policy() calls list_policy() in the
>>>>> >> python-congressclient
>>>>> >> which in turn calls the Congress API. Is this correct?
>>>>> >>
>>>>> >> Any ideas why with v3 auth, the python-congressclient cannot authorize
>>>>> >> the call to the API?
>>>>> >>
>>>>> >> I looked at other horizon plugin models (ceilometer, neutron, nova,
>>>>> >> cerberus, cloudkitty, trove, designate, manila) to see how they
>>>>> >> created the client. While the code to create a client is not identical,
>>>>> >> it is vastly different from the code to create a client
>>>>> >> in contrib/horizon/congress.py.
>>>>> >>
>>>>> >> Thanks in advance for any pointers.
>>>>> >>
>>>>> >> aimee
>>>>> >>
>>>>> >> Aimee Ukasick (aimeeu)
>>>>> >>
>>>>> >> v2 log:
>>>>> >> 2016-07-20 22:13:56.501455
>>>>> >> 2016-07-20 22:14:30.238233 ***** view.get_data calling policies = congress.policies_list(self.request) *****
>>>>> >> 2016-07-20 22:14:30.238318 ***** self.request.path= /dashboard/admin/policies/
>>>>> >> 2016-07-20 22:14:30.238352 ***** congress.policies_list(request) BEGIN*****
>>>>> >> 2016-07-20 22:14:30.238376 ***** calling client = congressclient(request)*****
>>>>> >> 2016-07-20 22:14:30.238399 ***** congress.congressclient BEGIN*****
>>>>> >> 2016-07-20 22:14:30.238454 ***** auth_url= http://192.168.56.103/identity
>>>>> >> 2016-07-20 22:14:30.238479 ***** calling get_keystone_session *****
>>>>> >> 2016-07-20 22:14:30.238505 ***** congress.get_keystone_session BEGIN auth_url *****http://192.168.56.103/identity
>>>>> >> 2016-07-20 22:14:30.238554 ***** path= /identity
>>>>> >> 2016-07-20 22:14:30.238578 ***** using V2 plugin to authenticate*****
>>>>> >> 2016-07-20 22:14:30.238630 ***** v2 auth.get_auth_state=
>>>>> >> 2016-07-20 22:14:30.238656 None
>>>>> >> 2016-07-20 22:14:30.238677 ***** finished using V2 plugin to authenticate*****
>>>>> >> 2016-07-20 22:14:30.238698 ***** creating session with auth *****
>>>>> >> 2016-07-20 22:14:30.244407 ***** congress.get_keystone_session END*****
>>>>> >> 2016-07-20 22:14:30.244462 ***** regtion_name= RegionOne
>>>>> >> 2016-07-20 22:14:30.244491 ***** calling congress_client.Client(**kwargs)
>>>>> >> 2016-07-20 22:14:30.247830 ***** congress.congressclient END*****
>>>>> >> 2016-07-20 22:14:30.247902 ***** calling policies_list = client.list_policy()*****
>>>>> >> 2016-07-20 22:14:30.248012 DEBUG:keystoneauth.identity.v2:Making authentication request to http://192.168.56.103/identity/tokens
>>>>> >> 2016-07-20 22:14:30.255023 DEBUG:keystoneauth.session:Request returned failure status: 404
>>>>> >> 2016-07-20 22:14:30.257546 Unable to get policies list: The resource could not be found.
>>>>> >>
>>>>> >>
>>>>> >> v3 log:
>>>>> >> 2016-07-20 22:09:22.912969
>>>>> >> 2016-07-20 22:09:31.907119 ***** view.get_data calling policies = congress.policies_list(self.request) *****
>>>>> >> 2016-07-20 22:09:31.907973 ***** self.request.path= /dashboard/admin/policies/
>>>>> >> 2016-07-20 22:09:31.908122 ***** congress.policies_list(request) BEGIN*****
>>>>> >> 2016-07-20 22:09:31.908250 ***** calling client = congressclient(request)*****
>>>>> >> 2016-07-20 22:09:31.908386 ***** congress.congressclient BEGIN*****
>>>>> >> 2016-07-20 22:09:31.909034 ***** auth_url= http://192.168.56.103/identity
>>>>> >> 2016-07-20 22:09:31.909217 ***** calling get_keystone_session *****
>>>>> >> 2016-07-20 22:09:31.909356 ***** congress.get_keystone_session BEGIN auth_url *****http://192.168.56.103/identity
>>>>> >> 2016-07-20 22:09:31.909527 ***** path= /identity
>>>>> >> 2016-07-20 22:09:31.909795 ***** using V3 plugin to authenticate*****
>>>>> >> 2016-07-20 22:09:31.910042 auth_url=http://192.168.56.103/identity
>>>>> >> 2016-07-20 22:09:31.910175 token=d46339f2d0b5455db54909d6ed95a9cc
>>>>> >> 2016-07-20 22:09:31.910301 project_name=alt_demo
>>>>> >> 2016-07-20 22:09:31.910426 domain_name=Default
>>>>> >> 2016-07-20 22:09:31.910676 project_domain_name=default
>>>>> >> 2016-07-20 22:09:31.910866 ***** v3 auth.get_auth_state=
>>>>> >> 2016-07-20 22:09:31.910992 None
>>>>> >> 2016-07-20 22:09:31.914053 ***** finished using V3 plugin to authenticate*****
>>>>> >> 2016-07-20 22:09:31.914100 ***** creating session with auth *****
>>>>> >> 2016-07-20 22:09:31.922260 ***** congress.get_keystone_session END*****
>>>>> >> 2016-07-20 22:09:31.922542 ***** regtion_name= RegionOne
>>>>> >> 2016-07-20 22:09:31.922676 ***** calling congress_client.Client(**kwargs)
>>>>> >> 2016-07-20 22:09:31.922822 ***** congress.congressclient END*****
>>>>> >> 2016-07-20 22:09:31.922949 ***** calling policies_list = client.list_policy()*****
>>>>> >> 2016-07-20 22:09:31.924732 Unable to get policies list: Cannot authorize API client.
>>>>> >>
>>>>> >> __________________________________________________________________________
>>>>> >> OpenStack Development Mailing List (not for usage questions)
>>>>> >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>>>>> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
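
Added example, not part of the thread or of the Congress code: a path-aware alternative to the `auth_url.replace('v3', 'v2.0')` workaround proposed at the top of this message, which also covers the unversioned `http://192.168.56.103/identity` value seen in the v2 log. The names `to_v2_auth_url` and `naive_v2_auth_url` and the host `kv3.example.test` are hypothetical, and the code assumes Keystone serves v2.0 under the same path prefix as v3.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches a trailing Keystone API version segment such as "v3" or "v2.0".
_VERSION_SEGMENT = re.compile(r"^v\d+(\.\d+)?$")


def to_v2_auth_url(url):
    """Return `url` with its final path segment set to v2.0 (hypothetical helper).

    Only the path is edited, so a host name containing "v3" is left alone,
    and an unversioned URL such as .../identity gets /v2.0 appended.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("not an absolute http(s) URL: %r" % (url,))
    segments = [s for s in parts.path.split("/") if s]
    if segments and _VERSION_SEGMENT.match(segments[-1]):
        segments[-1] = "v2.0"        # .../v3 or .../v2.0 -> .../v2.0
    else:
        segments.append("v2.0")      # .../identity -> .../identity/v2.0
    path = "/" + "/".join(segments)
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def naive_v2_auth_url(url):
    """The whole-string replace proposed in the thread, for comparison."""
    return url.replace("v3", "v2.0")


if __name__ == "__main__":
    samples = [
        "http://192.168.56.103:5000/v3",       # devstack-style versioned URL
        "http://192.168.56.103/identity",      # auth_url value from the v2 log
        "http://kv3.example.test:5000/v3/",    # constructed host containing "v3"
    ]
    for url in samples:
        print("%-36s naive=%-38s path-aware=%s"
              % (url, naive_v2_auth_url(url), to_v2_auth_url(url)))
```

With the unversioned `/identity` value the whole-string replace changes nothing, which leaves the v2 plugin requesting `/identity/tokens` as in the 404 line of the v2 log.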