Eric - I added some info to the bug report https://bugs.launchpad.net/congress/+bug/1602837
My version of DevStack uses keystone v2 for everything. However, I found this line in the Horizon log: "The Keystone URL (either in Horizon settings or in service catalog) points to a v2.0 Keystone endpoint, but v3 is specified as the API version to use by Horizon. Using v3 endpoint for authentication." So when I hard-coded the auth_url to be v2.0, the pages loaded data as expected. I used your "replace" and will upload a patch asap. Thanks! aimee On Thu, Sep 15, 2016 at 10:05 PM, Eric K <[email protected]> wrote: > Anusha and Aimee, > > Circling back on this issue: it seems that you are seeing different things > with regards to horizon authentication using keystone v2. I think we can > make good progress if we can clarify where we stand. > > Anusha said setting the auth_url explicitly to v2 works. Aimee said it > didn¹t. > > So just to clarify: > > 1. Anusha did you mean set this line > https://github.com/openstack/congress/blob/master/congress_dashboard/api/co > ngress.py#L75 > To: > `auth_url = 'http://<host-ip>:5000/v2.0¹` ? > > 2. Aimee, is that what you tried? > > 3. Do you still get different results? > > From Anusha¹s commit message in this patch > (https://review.openstack.org/#/c/305063/), the current code should fail > because `auth_url = getattr(settings, 'OPENSTACK_KEYSTONE_URL¹)`[L75] > grabs the .../v3 URL (devstack default), yet `auth = > keystoneclient.auth.identity.v2.Token(`[L77] expects a .../v2.0 URL. So > could we have a workaround simply by doing something like `auth_url = > auth_url.replace('v3', 'v2.0¹)`? (*) > > Thanks again for all the investigative work! > > Eric > > (*) Another potential issue is ports: > https://ask.openstack.org/en/question/67846/difference-between-keystone-por > t-5000-and-35357/ > > On 7/22/16, 9:06 AM, "Aimee Ukasick" <[email protected]> wrote: > >>All - I made the change to the auth_url that Anusha suggested. >>Same problem as before " Cannot authorize API client" >>2016-07-22 14:13:50.835861 ***** calling policies_list = >>client.list_policy()***** >>2016-07-22 14:13:50.836062 Unable to get policies list: Cannot >>authorize API client. >> >>I used the token from the log output to query the Congress API with >>the keystone v3 token - no issues. >>curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H >>"Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies" >> >>So I really think the problem is that the python-congressclient >>doesn't support identity v3. >>I thought it did, but then I came across this: >>"support keystone v3 api and session based authentication " >>https://bugs.launchpad.net/python-congressclient/+bug/1564361 >>This is currently assigned to Anusha. >>I'd like to start work on it since I am becoming familiar with keystone >>v3. >> >>Thoughts? >> >>aimee >> >> >> >> >>On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick >><[email protected]> wrote: >>> Thanks Anusha! I will retest this today. I guess I need to learn more >>> about Horizon as well - thanks for pointing me in the right direction. >>> >>> aimee >>> >>> >>> >>> On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni >>><[email protected]> wrote: >>>> Hi Aimee, >>>> >>>> I think devstack by default configured horizon to use v3 . >>>> For V2 authentication, from the logs , auth_url doesn't seem to be set >>>> explicitly to v2 auth_url . >>>> >>>> I have always set explicit v2 auth which worked fine. >>>> For eg:- auth_url = 'http://<host-ip>:5000/v2.0' , for V2 >>>>authentication >>>> >>>> I have raised a patch, to take the auth_url from horizon settings >>>>instead of >>>> from request. >>>> https://review.openstack.org/#/c/345828/1 >>>> >>>> Please set explict v2 auth_url as mentioned above in >>>>OPENSTACK_KESYTONE_URL >>>> in <horizon>/openstack_dashboard/local/local_settings.py and restart >>>>apache2 >>>> server . Then v2 authentication should go through fine. >>>> >>>> For v3 , need to add relevant code for v3 authentication in >>>>contrib/horizon >>>> as presently it is hardcoded to use only v2. but yes, the code from >>>>plugin >>>> model patch is still a WIP , so doesn't work for v3 authentication I >>>>guess >>>> I'll have a look at it and let you know . >>>> >>>> >>>> Best Regards, >>>> Anusha >>>> >>>> On 21 July 2016 at 21:56, Tim Hinrichs <[email protected]> wrote: >>>>> >>>>> So clearly an authentication problem then. >>>>> >>>>> Anusha, do you have any ideas? (Aimee, I think Anusha has worked with >>>>> Keystone authentication most recently, so she's your best bet.) >>>>> >>>>> Tim >>>>> >>>>> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick >>>>> <[email protected]> wrote: >>>>>> >>>>>> The Policy/Data Sources web page throws the same errors. I am >>>>>> planning to recheck direct API calls using v3 auth today or tomorrow. >>>>>> >>>>>> aimee >>>>>> >>>>>> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs <[email protected]> wrote: >>>>>> > Hi Aimee, >>>>>> > >>>>>> > Do the other APIs work? That is, is it a general problem >>>>>> > authenticating, or >>>>>> > is the problem limited to list_policies? >>>>>> > >>>>>> > Tim >>>>>> > >>>>>> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick >>>>>> > <[email protected]> >>>>>> > wrote: >>>>>> >> >>>>>> >> Hi all, >>>>>> >> >>>>>> >> I've been working on Policy UI (Horizon): Unable to get policies >>>>>> >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837) >>>>>> >> for the past 3 days. Anusha is correct - it's an authentication >>>>>> >> problem, but I have not been able to fix it. >>>>>> >> >>>>>> >> I grabbed the relevant code in congress.py from Anusha's horizon >>>>>> >> plugin model patchset (https://review.openstack.org/#/c/305063/3) >>>>>>and >>>>>> >> added try/catch blocks, logging statements (with error because I >>>>>> >> haven't figured out how to set the horizon log level). >>>>>> >> >>>>>> >> >>>>>> >> I am testing the code on devstack, which I cloned on 19 July 2016. >>>>>> >> >>>>>> >> With both v2 and v3 auth, congressclient.v1.client is created. >>>>>> >> The failure happens trying to call >>>>>> >> congressclient.v1.client.Client.list_policies(). >>>>>> >> When using v2 auth, the error message is "Unable to get policies >>>>>>list: >>>>>> >> The resource could not be found" >>>>>> >> When using v3 auth, the error message is "Cannot authorize API >>>>>>client" >>>>>> >> >>>>>> >> I am assuming that congressclient.v1.client.Client is >>>>>> >> >>>>>> >> >>>>>> >> >>>>>>https://github.com/openstack/python-congressclient/blob/master/congres >>>>>>sclient/v1/client.py >>>>>> >> and that client.list_policy() calls list_policy()in the >>>>>> >> python-congressclient >>>>>> >> which in turn calls the Congress API. Is this correct? >>>>>> >> >>>>>> >> Any ideas why with v3 auth, the python-congressclient cannot >>>>>>authorize >>>>>> >> the >>>>>> >> call to the API? >>>>>> >> >>>>>> >> I looked at other horizon plugin models (ceilometer, neutron, >>>>>>nova, >>>>>> >> cerberus, cloudkitty, trove, designate, manila) to see how they >>>>>> >> created >>>>>> >> the client. While the code to create a client is not identical, >>>>>> >> it is vastly different from the code to create a client >>>>>> >> in contrib/horizon/congress.py. >>>>>> >> >>>>>> >> Thanks in advance for any pointers. >>>>>> >> >>>>>> >> aimee >>>>>> >> >>>>>> >> Aimee Ukasick (aimeeu) >>>>>> >> >>>>>> >> v2 log: >>>>>> >> 2016-07-20 22:13:56.501455 >>>>>> >> 2016-07-20 22:14:30.238233 ***** view.get_data calling policies = >>>>>> >> congress.policies_list(self.request) ***** >>>>>> >> 2016-07-20 22:14:30.238318 ***** self.request.path= >>>>>> >> /dashboard/admin/policies/ >>>>>> >> 2016-07-20 22:14:30.238352 ***** congress.policies_list(request) >>>>>> >> BEGIN***** >>>>>> >> 2016-07-20 22:14:30.238376 ***** calling client = >>>>>> >> congressclient(request)***** >>>>>> >> 2016-07-20 22:14:30.238399 ***** congress.congressclient >>>>>>BEGIN***** >>>>>> >> 2016-07-20 22:14:30.238454 ***** auth_url= >>>>>> >> http://192.168.56.103/identity >>>>>> >> 2016-07-20 22:14:30.238479 ***** calling get_keystone_session >>>>>>***** >>>>>> >> 2016-07-20 22:14:30.238505 ***** congress.get_keystone_session >>>>>>BEGIN >>>>>> >> auth_url *****http://192.168.56.103/identity >>>>>> >> 2016-07-20 22:14:30.238554 ***** path= /identity >>>>>> >> 2016-07-20 22:14:30.238578 ***** using V2 plugin to >>>>>>authenticate***** >>>>>> >> 2016-07-20 22:14:30.238630 ***** v2 auth.get_auth_state= >>>>>> >> 2016-07-20 22:14:30.238656 None >>>>>> >> 2016-07-20 22:14:30.238677 ***** finished using V2 plugin to >>>>>> >> authenticate***** >>>>>> >> 2016-07-20 22:14:30.238698 ***** creating session with auth ***** >>>>>> >> 2016-07-20 22:14:30.244407 ***** congress.get_keystone_session >>>>>> >> END***** >>>>>> >> 2016-07-20 22:14:30.244462 ***** regtion_name= RegionOne >>>>>> >> 2016-07-20 22:14:30.244491 ***** calling >>>>>> >> congress_client.Client(**kwargs) >>>>>> >> 2016-07-20 22:14:30.247830 ***** congress.congressclient END***** >>>>>> >> 2016-07-20 22:14:30.247902 ***** calling policies_list = >>>>>> >> client.list_policy()***** >>>>>> >> 2016-07-20 22:14:30.248012 DEBUG:keystoneauth.identity.v2:Making >>>>>> >> authentication request to http://192.168.56.103/identity/tokens >>>>>> >> 2016-07-20 22:14:30.255023 DEBUG:keystoneauth.session:Request >>>>>>returned >>>>>> >> failure status: 404 >>>>>> >> 2016-07-20 22:14:30.257546 Unable to get policies list: The >>>>>>resource >>>>>> >> could not be found. >>>>>> >> >>>>>> >> >>>>>> >> v3 log: >>>>>> >> 2016-07-20 22:09:22.912969 >>>>>> >> 2016-07-20 22:09:31.907119 ***** view.get_data calling policies = >>>>>> >> congress.policies_list(self.request) ***** >>>>>> >> 2016-07-20 22:09:31.907973 ***** self.request.path= >>>>>> >> /dashboard/admin/policies/ >>>>>> >> 2016-07-20 22:09:31.908122 ***** congress.policies_list(request) >>>>>> >> BEGIN***** >>>>>> >> 2016-07-20 22:09:31.908250 ***** calling client = >>>>>> >> congressclient(request)***** >>>>>> >> 2016-07-20 22:09:31.908386 ***** congress.congressclient >>>>>>BEGIN***** >>>>>> >> 2016-07-20 22:09:31.909034 ***** auth_url= >>>>>> >> http://192.168.56.103/identity >>>>>> >> 2016-07-20 22:09:31.909217 ***** calling get_keystone_session >>>>>>***** >>>>>> >> 2016-07-20 22:09:31.909356 ***** congress.get_keystone_session >>>>>>BEGIN >>>>>> >> auth_url *****http://192.168.56.103/identity >>>>>> >> 2016-07-20 22:09:31.909527 ***** path= /identity >>>>>> >> 2016-07-20 22:09:31.909795 ***** using V3 plugin to >>>>>>authenticate***** >>>>>> >> 2016-07-20 22:09:31.910042 auth_url=http://192.168.56.103/identity >>>>>> >> 2016-07-20 22:09:31.910175 token=d46339f2d0b5455db54909d6ed95a9cc >>>>>> >> 2016-07-20 22:09:31.910301 project_name=alt_demo >>>>>> >> 2016-07-20 22:09:31.910426 domain_name=Default >>>>>> >> 2016-07-20 22:09:31.910676 project_domain_name=default >>>>>> >> 2016-07-20 22:09:31.910866 ***** v3 auth.get_auth_state= >>>>>> >> 2016-07-20 22:09:31.910992 None >>>>>> >> 2016-07-20 22:09:31.914053 ***** finished using V3 plugin to >>>>>> >> authenticate***** >>>>>> >> 2016-07-20 22:09:31.914100 ***** creating session with auth ***** >>>>>> >> 2016-07-20 22:09:31.922260 ***** congress.get_keystone_session >>>>>> >> END***** >>>>>> >> 2016-07-20 22:09:31.922542 ***** regtion_name= RegionOne >>>>>> >> 2016-07-20 22:09:31.922676 ***** calling >>>>>> >> congress_client.Client(**kwargs) >>>>>> >> 2016-07-20 22:09:31.922822 ***** congress.congressclient END***** >>>>>> >> 2016-07-20 22:09:31.922949 ***** calling policies_list = >>>>>> >> client.list_policy()***** >>>>>> >> 2016-07-20 22:09:31.924732 Unable to get policies list: Cannot >>>>>> >> authorize API client. >>>>>> >> >>>>>> >> >>>>>> >> >>>>>>______________________________________________________________________ >>>>>>____ >>>>>> >> OpenStack Development Mailing List (not for usage questions) >>>>>> >> Unsubscribe: >>>>>> >> [email protected]?subject:unsubscribe >>>>>> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>>______________________________________________________________________ >>>>>>____ >>>>>> > OpenStack Development Mailing List (not for usage questions) >>>>>> > Unsubscribe: >>>>>> > [email protected]?subject:unsubscribe >>>>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>>>> > >>>>>> >>>>>> >>>>>> >>>>>>______________________________________________________________________ >>>>>>____ >>>>>> OpenStack Development Mailing List (not for usage questions) >>>>>> Unsubscribe: >>>>>> [email protected]?subject:unsubscribe >>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>>> >>>>> >>>>> >>>>>_______________________________________________________________________ >>>>>___ >>>>> OpenStack Development Mailing List (not for usage questions) >>>>> Unsubscribe: >>>>>[email protected]?subject:unsubscribe >>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>>> >>>> >>>> >>>> >>>>________________________________________________________________________ >>>>__ >>>> OpenStack Development Mailing List (not for usage questions) >>>> Unsubscribe: >>>>[email protected]?subject:unsubscribe >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>> >> >>__________________________________________________________________________ >>OpenStack Development Mailing List (not for usage questions) >>Unsubscribe: [email protected]?subject:unsubscribe >>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: [email protected]?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
