Re: [openstack-dev] [ironic][bifrost] Unable to Enroll Inventory

[Aimee Ukasick]

Thanks Mark for pointing me in the right direction! It turned out to
be a permissions issue with the local Ansible installation.

I started over with a new user (stack, passwordless sudo) and decided
to use the bifrost's env-setup script, which I was not able to run
unless prefaced with sudo.


stack@ubuntu-jumphost:~/bifrost$ sudo bash ./scripts/env-setup.sh

stack@ubuntu-jumphost:~/bifrost$ source env-vars

stack@ubuntu-jumphost:~/bifrost$ echo $PATH
/home/stack/.local/bin:/home/stack/bin:/home/stack/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

stack@ubuntu-jumphost:~/bifrost/playbooks$ which ansible
/home/stack/.local/bin/ansible
stack@ubuntu-jumphost:~/bifrost/playbooks$ ansible-playbook - -i
inventory/target install.yaml -e staging_drivers_include=true
Traceback (most recent call last):
  File "/home/stack/.local/bin/ansible-playbook", line 44, in 
import ansible.constants as C
ImportError: No module named ansible.constants

stack@ubuntu-jumphost:~/bifrost/playbooks$ ansible --version
Traceback (most recent call last):
  File "/home/stack/.local/bin/ansible", line 44, in 
import ansible.constants as C
ImportError: No module named ansible.constants

The ~/.local/bin/ansible folder was owned by root:root as was
~/.ansible. Once I changed the ownership to stack:stack, ansible
worked as expected. I was able to run the ansible-playbook command
without prefacing it with sudo. So I had a successful installation. Do
you know why the bifrost env-setup.sh installed ansible with root
ownership in my ~/.local directory? Is that the default Ansible
behavior?  Is the expectation that I switch to root to install/run
bifrost?


I was able to enroll my servers without a hitch.

Friday I plan to deploy - hopefully I've identified and fixed all the
kinks on my system.


Thanks again for your help!

aimee
irc:aimeeu



On Thu, Aug 3, 2017 at 3:27 AM, Mark Goddard  wrote:
> Hi Aimee,
>
> My guess is that your error is due to your use of sudo when running
> ansible-playbook.

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [ironic][bifrost] Unable to Enroll Inventory

[Aimee Ukasick]

Hi Bifrost Gurus!  I'm following the Brifost docs and am stuck trying
to enroll inventory.
I have only a passing familiarity with ansible,ironic, and python,
which puts me firmly in the "complete ignoramous" category.

OS: Ubuntu 16.04.2 LTS desktop (fresh install)
Sudo User: bifrost
Ansibile: 2.3.1.0
Python: 2.7.12
pip 9.0.1
bifrost: cloned from master on 2 Aug 2017

1. modified the files in bifrost/playbooks/inventory/group_vars
--  network_interface, mysql_password, dnsmasq_router, and dnsmasq_dns_servers
2. install reqs:  sudo pip install -r requirements.txt
3. run installation playbook: sudo ansible-playbook -K - -i
inventory/target install.yaml
4. source env-vars
5. ironic node-list to check ironic installation
6. created baremetal.yml and baremetal.json based on the examples
7. export BIFROST_INVENTORY_SOURCE=/home/bifrost/osgit/baremetal.json
8. sudo ansible-playbook -K - -i inventory/bifrost_inventory.py
enroll-dynamic.yaml

#8 threw this error:
ERROR! Attempted to execute "inventory/bifrost_inventory.py" as
inventory script:
Inventory script (inventory/bifrost_inventory.py) had an execution error:

No error was printed out and I couldn't find any logs, so I hopped onto IRC.
TheJulia suggested passing the environment variable and directly
executing the script to troubleshoot.

So after looking at the code, I executed bifrost/inventory.py and
saved the output in baremetal2.json.
Then export BIFROST_INVENTORY_SOURCE=/home/bifrost/osgit/baremetal2.json
Then sudo ansible-playbook -K - -i inventory/bifrost_inventory.py
enroll-dynamic.yaml
Same error as above.

Then:
sudo ansible-playbook -K - -i /home/bifrost/osgit/baremetal2.json
enroll-dynamic.yaml
which threw:
ERROR! Attempted to read "/home/bifrost/osgit/baremetal2.json" as YAML:
list indices must be integers, not unicode
Attempted to read "/home/bifrost/osgit/baremetal2.json" as ini file:
 /home/bifrost/osgit/baremetal2.json:2: Expected key=value host
variable assignment, got: {

Then:
sudo ansible-playbook -K - -i /home/bifrost/osgit/baremetal.yml
enroll-dynamic.yaml
which provided this output:
 [WARNING]: provided hosts list is empty, only localhost is available
Loading callback plugin default of type stdout, v2.0 from
/usr/lib/python2.7/dist-packages/ansible/plugins/callback/__init__.pyc
PLAYBOOK: enroll-dynamic.yaml

1 plays in enroll-dynamic.yaml
PLAY [Enroll hardware from inventory into Ironic]

skipping: no hosts matched
PLAY RECAP 



The issues I'm having must be user error, so I'd appreciate extra sets
of eyes and suggestions.
YAML, JSON, and terminal output: http://paste.openstack.org/show/617344/

I'm prototyping  using a NUC and 2 Super Micro servers with the goal of using
bifrost and ansible to manage the server lab that somehow landed in my lap.

Thanks in advance for any help you can give me!

Aimee Ukasick
IRC: aimeeu

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [refstack] Getting on the Pike PTG Agenda?

[Aimee Ukasick]

Hi Refstack team - a team from OPNFV will be at the Pike PTG, and we
would like to meet with the RefStack team to discuss building a direct
link to RefStack and other upstream verification projects. We would like
to present the OPNFV Dovetail project and our goals for leveraging
upstream test frameworks, as well as supplementing them with
OPNFV-specific tests (some of which will work their way upstream over time).

I don't see a Pike PTG etherpad for RefStack on the PTG/Pike/Etherpads
page, so how do I book time on the RefStack agenda?

Thanks in advance!
-- 

Aimee Ukasick
AT Open Source

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Congress][olso][oslo.messaging] Dynamically Determine Rabbit Transport URL?

[Aimee Ukasick]

Thanks, Clint, for your quick response. Questions inline.
On 02/06/2017 01:32 PM, Clint Byrum wrote:
> Excerpts from Aimee Ukasick's message of 2017-02-06 12:57:28 -0600:
>> Hi everyone - from the Congress standalone installation guide
>> (http://docs.openstack.org/developer/congress/README.html#installing-congress):
>>
>> ---
>> To use RabbitMQ with Congress, set the transport_url in the “From
>> oslo.messaging” section according to your setup:
>> transport_url = rabbit://$RABBIT_USERID:$RABBIT_PASSWORD@$RABBIT_HOST:5672
>> ---
>>
>> Is there a CLI or API call to determine the Rabbit userID, password,
>> host, and port from a running OpenStack installation? My colleague and I
>> are working on standalone Congress installation scripts (bash), and we
>> are trying to figure how to dynamically determine the RABBIT_USERID,
>> RABBIT_PASSWORD, RABBIT_HOST, and port.  We really don't want to resort
>> to pulling the transport URL out of another service's conf file
>> (nova.conf, heat.conf, keystone.conf, etc).
>>
>> There is a rabbitmqctl
>> https://www.rabbitmq.com/man/rabbitmqctl.1.man.html  but that doesn't
>> have the commands for finding userID, password, host, and port.

> 
> Those conf files get it from the same place you should: Config
> management. You need to inject it into your bash however you inject
> details of the environment into anything else.
> 

I'm relatively new to OpenStack, so please pardon my ignorance. What do
you mean by config management? We don't have any details about how
OpenStack has been installed - it may have been installed by an OPNFV
Installer, an OpenStack installer, or some other way. We are looking for
an installer-agnostic means of determining: 1) where Rabbit is installed
and running as a service (rabbit_host); and 2) how to obtain the rabbit
UserID and password so we can configure the transport_url.

Also, my colleague and I can't assume that Congress or Tacker or another
OpenStack service is going to be installed on the Controller node. What
if we are installing the OpenStack service in a Docker container that's
not on the Controller? We aren't OpenStack experts, so any guidance is
greatly appreciated.

Thanks.




__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [Congress][olso][oslo.messaging] Dynamically Determine Rabbit Transport URL?

[Aimee Ukasick]

Hi everyone - from the Congress standalone installation guide
(http://docs.openstack.org/developer/congress/README.html#installing-congress):

---
To use RabbitMQ with Congress, set the transport_url in the “From
oslo.messaging” section according to your setup:
transport_url = rabbit://$RABBIT_USERID:$RABBIT_PASSWORD@$RABBIT_HOST:5672
---

Is there a CLI or API call to determine the Rabbit userID, password,
host, and port from a running OpenStack installation? My colleague and I
are working on standalone Congress installation scripts (bash), and we
are trying to figure how to dynamically determine the RABBIT_USERID,
RABBIT_PASSWORD, RABBIT_HOST, and port.  We really don't want to resort
to pulling the transport URL out of another service's conf file
(nova.conf, heat.conf, keystone.conf, etc).

There is a rabbitmqctl
https://www.rabbitmq.com/man/rabbitmqctl.1.man.html  but that doesn't
have the commands for finding userID, password, host, and port.

Any ideas or other places I should look/ask for help is greatly appreciated.

Thanks!


Aimee Ukasick
AT Open Source

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [Congress] Installation/Deployment Docs

[Aimee Ukasick]

Hi all. While looking at the installation docs in preparation for
scripting and testing Congress installation
(https://bugs.launchpad.net/congress/+bug/1651928), I noticed there are
installation instructions in two places:  1) For Users: Congress
Introduction and Installation; and 2) For Operators: Deployment. The
"For Users" section details Devstack as well as Standalone installation.

I would like to rearrange the content: 1) move README.rst/4.1
Devstack-install and 4.3 Debugging unit tests to to the For
Developers/Contributing section; 2) move README.rst/4.2 Standalone
install and 4.4 Upgrade to the For Operators/Deployment section. I think
this  would make it easier for end users to create an installation
script or validate an existing script.

Any objections or thoughts?

Thanks.

-- 

Aimee Ukasick, AT Open Source



__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Congress] Congress Dashboard and Containers

[Aimee Ukasick]

Thanks Anusha!

I agree that moving the congress_dashboard code to its own repo is a
good idea.

As a workaround, it was suggested to me that I could clone the congress
repo on the same server as horizon, copy the 3 files to the horizon
directory, and then delete the congress code that we don't need (ie,
everything but congress_dashboard). I don't really like that suggestion.
As many companies are moving towards containerized installations, I
think Anusha's suggestion is the best solution.

Please let me know how I can help.


Aimee Ukasick, AT


On 12/08/2016 10:41 PM, Anusha Ramineni wrote:
> Hi Tim, Aimee,
>
> Yes, ideally only congress_dashboard is required on the same server as
> horizon for horizon to discover the plugin, but right now
> congress_dashboard is also part of congress repo, so congress needs to
> be installed on the same server.
>
> I'm thinking for a while to move the repo to separate project, maybe
> its high time we move the congress_dashboard repo to separate project
> like other projects do? wdyt?
> http://docs.openstack.org/developer/horizon/plugin_registry.html
>
>
> Best Regards,
> Anusha
>
> On 9 December 2016 at 03:24, Tim Hinrichs <t...@styra.com
> <mailto:t...@styra.com>> wrote:
>
> I wouldn't expect Congress needs to be on the same server as
> Horizon.  Anusha, do you know for sure?
>
> Tim
>
>
> On Thu, Dec 8, 2016 at 1:20 PM Aimee Ukasick
> <aimeeu.opensou...@gmail.com <mailto:aimeeu.opensou...@gmail.com>>
> wrote:
>
> All - we are looking into deploying Congress in its own container,
> separate from the container that OpenStack is in. I know which
> Congress
> dashboard files need to be copied to Horizon, and from what I
> can tell,
> it looks like Congress and Horizon must be running on the same
>     server
> for the Congress dashboard to work. Is this assumption correct?
>
>
> Thanks!
>
>
> Aimee Ukasick, AT
>
>
>
>
>
> 
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe:
> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> <http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe:
> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> <http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> <http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev>
>
>
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [Congress] Congress Dashboard and Containers

[Aimee Ukasick]

All - we are looking into deploying Congress in its own container,
separate from the container that OpenStack is in. I know which Congress
dashboard files need to be copied to Horizon, and from what I can tell,
it looks like Congress and Horizon must be running on the same server
for the Congress dashboard to work. Is this assumption correct?


Thanks!


Aimee Ukasick, AT





__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

[Aimee Ukasick]

Eric - I added some info to the bug report
https://bugs.launchpad.net/congress/+bug/1602837

My version of DevStack uses keystone v2 for everything. However, I
found this line in the Horizon log:

"The Keystone URL (either in Horizon settings or in service catalog)
points to a v2.0 Keystone endpoint,
but v3 is specified as the API version to use by Horizon. Using v3
endpoint for authentication."


So when I hard-coded the auth_url to be v2.0, the pages loaded data as
expected.
I used your "replace" and will upload a patch asap.

Thanks!

aimee




On Thu, Sep 15, 2016 at 10:05 PM, Eric K <ekcs.openst...@gmail.com> wrote:
> Anusha and Aimee,
>
> Circling back on this issue: it seems that you are seeing different things
> with regards to horizon authentication using keystone v2. I think we can
> make good progress if we can clarify where we stand.
>
> Anusha said setting the auth_url explicitly to v2 works. Aimee said it
> didn¹t.
>
> So just to clarify:
>
> 1. Anusha did you mean set this line
> https://github.com/openstack/congress/blob/master/congress_dashboard/api/co
> ngress.py#L75
> To:
> `auth_url = 'http://:5000/v2.0¹` ?
>
> 2. Aimee, is that what you tried?
>
> 3. Do you still get different results?
>
> From Anusha¹s commit message in this patch
> (https://review.openstack.org/#/c/305063/), the current code should fail
> because `auth_url = getattr(settings, 'OPENSTACK_KEYSTONE_URL¹)`[L75]
> grabs the .../v3 URL (devstack default), yet `auth =
> keystoneclient.auth.identity.v2.Token(`[L77] expects a .../v2.0 URL. So
> could we have a workaround simply by doing something like `auth_url =
> auth_url.replace('v3', 'v2.0¹)`? (*)
>
> Thanks again for all the investigative work!
>
> Eric
>
> (*) Another potential issue is ports:
> https://ask.openstack.org/en/question/67846/difference-between-keystone-por
> t-5000-and-35357/
>
> On 7/22/16, 9:06 AM, "Aimee Ukasick" <aimeeu.opensou...@gmail.com> wrote:
>
>>All - I made the change to the auth_url that  Anusha suggested.
>>Same problem as before " Cannot authorize API client"
>>2016-07-22 14:13:50.835861 * calling policies_list =
>>client.list_policy()*
>>2016-07-22 14:13:50.836062 Unable to get policies list: Cannot
>>authorize API client.
>>
>>I used the token from the log output to query the Congress API with
>>the keystone v3 token - no issues.
>>curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H
>>"Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies;
>>
>>So I really think the problem is that the python-congressclient
>>doesn't support identity v3.
>>I thought it did, but then I came across this:
>>"support keystone v3 api and session based authentication "
>>https://bugs.launchpad.net/python-congressclient/+bug/1564361
>>This is currently assigned to Anusha.
>>I'd like to start work on it since I am becoming familiar with keystone
>>v3.
>>
>>Thoughts?
>>
>>aimee
>>
>>
>>
>>
>>On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick
>><aimeeu.opensou...@gmail.com> wrote:
>>> Thanks Anusha! I will retest this today. I guess I need to learn more
>>> about Horizon as well - thanks for pointing me in the right direction.
>>>
>>> aimee
>>>
>>>
>>>
>>> On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni
>>><anusha.ii...@gmail.com> wrote:
>>>> Hi Aimee,
>>>>
>>>> I think devstack by default configured horizon to use v3 .
>>>> For V2 authentication, from the logs , auth_url doesn't seem to be set
>>>> explicitly to v2 auth_url .
>>>>
>>>> I have always set explicit v2 auth which worked fine.
>>>> For eg:- auth_url = 'http://:5000/v2.0' , for V2
>>>>authentication
>>>>
>>>> I have raised a patch, to take the auth_url from horizon settings
>>>>instead of
>>>> from request.
>>>> https://review.openstack.org/#/c/345828/1
>>>>
>>>> Please set explict v2 auth_url as mentioned above in
>>>>OPENSTACK_KESYTONE_URL
>>>> in /openstack_dashboard/local/local_settings.py and restart
>>>>apache2
>>>> server . Then v2 authentication should go through fine.
>>>>
>>>> For v3 , need to add relevant code for v3 authentication in
>>>>contrib/horizon
>>>> as presently it is hardcoded to use only v2. but yes, the code from
>>>>plugin
>>>> model patch is still a WIP , so d

Re: [openstack-dev] [Congress] Stack trace returned to end user bug

[Aimee Ukasick]

Continuing my investigation:

1) I used an "older" installation of Congress on OpenStack.
The oslo.messaging version is 4.6.2.dev9, whereas the version on my
brand new DevStack installation is 5.10.0.
I ran the same CLI policy commands and no traceback was returned.

2) With a new devstack installation and the latest Congress code,
confirmed that API and CLI calls to datasource
and schema do not return traceback when invalid IDs are passed.
"datasource" appears to be the only one of the three displaying
user-friendly error information as expected.

3) The error/not found handling bug seems to be across all the Policy
CLI and API calls.

I put more info and examples into the Launchpad bug entry:
https://bugs.launchpad.net/congress/+bug/1620868

(This is a bug where I would really love to be able to remotely debug
using PyCharm instead
of the pdb command line debugger.)

I don't know oslo.messaging or the Congress code base well enough to
know exactly why the Policy error
response is different from datasource and schema. I will continue to
dig through the code and hopefully
find a solution.

aimee

On Sun, Sep 11, 2016 at 2:30 PM, Tim Hinrichs <t...@styra.com> wrote:
> The Api node on Oslo-messaging sends a request to the policy node asking for
> say policy alpha. The policy node raises an exception, which Oslo returns to
> the API node. I'd imagine there is some way to have the Ali node extract the
> original exception or tell Oslo to return the only the original exception.
>
> Tim
> On Thu, Sep 8, 2016 at 2:04 PM Aimee Ukasick <aimeeu.opensou...@gmail.com>
> wrote:
>>
>> All --
>>
>> https://bugs.launchpad.net/congress/+bug/1620868
>>
>> I stepped through the code with the pdb. I can't find anything wrong
>> in the CongressException
>> code.
>>
>> The traceback is being added by oslo_messaging/rpc/server.py  in
>> _process_incoming
>> This call that is throwing an exception: res =
>> self.dispatcher.dispatch(message) but I haven't
>> determined why.
>>
>> https://github.com/openstack/oslo.messaging/blob/master/oslo_messaging/rpc/server.py#L134
>>
>> https://github.com/openstack/oslo.messaging/blob/master/oslo_messaging/rpc/server.py#L142
>>
>> console output here:  http://paste.openstack.org/show/569334/
>>
>>
>> I can't figure out why oslo.messaging is throwing an exception, I
>> assume I should go into the API and CLI cod and prevent the traceback
>> from being displayed.
>>
>> Thoughts? Suggestions? Epiphanies?
>>
>> aimee
>>
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Congress] Default devstack deployment config

[Aimee Ukasick]

I completely agree with a single process deployment for DevStack. I
ran into issues last week with the multiple process configuration
while I trying to pinpoint an error.  I was using the pdb command line
debugger to step through Congress and Oslo Messaging, making a call
from the CLI. More than once the Congress API couldn't find the
Process Engine, which I'm sure was caused by uploading code and
stopping/starting services in the wrong order.  Deploying single
process Congress to DevStack would have saved me a lot of time.

aimee

On Tue, Sep 13, 2016 at 1:42 AM, Masahito MUROI
 wrote:
> Hi Congress folks,
>
> I'm in favor of single process for devstack default. It's easy to check
> logs and tests its feature.
>
> best regards,
> Masahito
>
> On 2016/09/13 11:00, Tim Hinrichs wrote:
>>
>> I'd agree with a single process version of Congress for devstack.  I'd
>> say we should even do that for Newton.
>>
>> Tim
>>
>> On Mon, Sep 12, 2016 at 6:34 PM Eric K > > wrote:
>>
>> Hi all,
>>
>> I want to get people’s thoughts regarding what we should set as
>> default devstack deployment config for Ocata.
>> At the moment, it is set to deploy three processes: API, policy, and
>> datasource-drivers.
>>
>> I see some potential arguments against that:
>>
>>  1. For most users installing via devstack, running Congress in
>> three processes bring little benefit, but rather a more complex
>> and less stable user experience. (Even if our code is perfect,
>> rabbitMQ will timeout every now and then)
>>  2. It’s not clear that we want to officially support separating the
>> API from the policy engine at this point. The supported
>> deployment options for HAHT do not need it.
>>
>> The main argument I see for deploying three processes by default is
>> that we may get more bug reports regarding the multi-process
>> deployment that way.
>>
>> Our main options for devstack default are:
>> 1. Single-process Congress (with in-mem transport).
>> 2. Two-process Congress API+Policy, datasource-drivers. (other
>> breakdowns between two processes are also possible)
>> 3. Three-process Congress.
>>
>> In the end, I think it’s a trade-off: potentially getting more bug
>> reports from users, at the expense of a more complex and less
>> polished user experience that could make a poor first impression.
>> What does everyone think?
>>
>> Personally, I slightly favor defaulting to single process Congress
>> because from a typical devstack user’s perspective, there is little
>> reason to run separate processes. In addition, because it is the
>> first time we’re releasing our complete architecture overhaul to the
>> wild, and it may be a good to default to the least complex
>> deployment for the first cycle of the new architecture.
>>
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> 
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>>
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
> --
> 室井 雅仁(Masahito MUROI)
> Software Innovation Center, NTT
> Tel: +81-422-59-4539
>
>
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [Congress] Stack trace returned to end user bug

[Aimee Ukasick]

All --

https://bugs.launchpad.net/congress/+bug/1620868

I stepped through the code with the pdb. I can't find anything wrong
in the CongressException
code.

The traceback is being added by oslo_messaging/rpc/server.py  in
_process_incoming
This call that is throwing an exception: res =
self.dispatcher.dispatch(message) but I haven't
determined why.
https://github.com/openstack/oslo.messaging/blob/master/oslo_messaging/rpc/server.py#L134
https://github.com/openstack/oslo.messaging/blob/master/oslo_messaging/rpc/server.py#L142

console output here:  http://paste.openstack.org/show/569334/


I can't figure out why oslo.messaging is throwing an exception, I
assume I should go into the API and CLI cod and prevent the traceback
from being displayed.

Thoughts? Suggestions? Epiphanies?

aimee

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Congress] Enabling Remote Debugging

[Aimee Ukasick]

Thanks all for your feedback.
I'll work on the changes Tues and push to Gerrit as a WIP.
Eric - thanks for pointing out eventlet.monkey_patch(thread=False). I
read about
that last week and will include pertinent info in the patch.

aimee

On Fri, Sep 2, 2016 at 1:34 PM, Tim Hinrichs <t...@styra.com> wrote:
> I'd be concerned about merging a change to eventlet this late in the cycle.
> Threading problems are notoriously difficult to find during testing.  I'd
> recommend pushing the patch to Gerrit, so that we can all try it out when
> debugging, and we check it in after the Newton release.
>
> Eric, +1 to your general advice.
>
> I wouldn't expect a blueprint or even a bug for a code-change that only
> impacts developers, unless you want to socialize the idea before writing the
> code or the code is substantial.  If writing the code is small and easy, and
> no one will have much to say before seeing that code, I'd just push a patch
> to gerrit and see what people think.
>
> Tim
>
>
> On Fri, Sep 2, 2016 at 2:31 AM Masahito MUROI <muroi.masah...@lab.ntt.co.jp>
> wrote:
>>
>> Hi Aimee,
>>
>> Thanks let us know.
>>
>> I don't think it has a big impact to the current architecture and
>> user/dev. So it seems to be good to report it as a bug and target the
>> fix to N-release.
>>
>> best regards,
>> Masahito
>>
>> On 2016/09/02 10:10, Eric K wrote:
>> > Hi Aimee,
>> >
>> > Thanks for digging into it!
>> >
>> > Here¹s my understanding of our conventions (and I¹m happy to hear from
>> > others).
>> >
>> > a. If you think it¹s just a straightforward change with zero to minimal
>> > impact on architecture, users, and devs, then it makes sense to file a
>> > bug
>> > or just submit a patch.
>> > b. If you think it warrants deeper discussion in terms of design,
>> > impact,
>> > etc., then the process is to create a spec and associated blueprint. See
>> > this wiki for more details:
>> > https://wiki.openstack.org/wiki/Blueprints#Spec_.2B_Blueprints_lifecycle
>> >
>> > In case (b), the change should target the O-cycle because we¹re past
>> > feature-freeze in N.
>> > In case (a), it may make sense to get it in during the N-cycle if it has
>> > minimal impact and will help us in the N-cycle QA process.
>> >
>> > My guess is we¹re in case (a) because we can make sure changes have no
>> > impact without a special flag. But I¹d also like to understand a little
>> > better the impact of eventlet.monkey_patch(thread=False) as done in the
>> > Keystone patch
>> > (https://review.openstack.org/#/c/18404/3/bin/keystone-all).
>> >
>> > Enjoy the time holidays!
>> >
>> > On 9/1/16, 11:45 AM, "Aimee Ukasick" <aimeeu.opensou...@gmail.com>
>> > wrote:
>> >
>> >> HI all - I've been trying to configure remote debugging with PyCharm
>> >> and DevStack. It looks like some tiny modifications need to be made to
>> >> the Congress code (3-4 files) to support remote debugging via pydevd.
>> >>
>> >> As far as I can tell, support has been added to Keystone, Glance,
>> >> Nova, and Manilla (and I'm sure others).
>> >>
>> >> Keystone patch: https://review.openstack.org/#/c/18404/3
>> >> Glance patch: https://review.openstack.org/#/c/18748/5
>> >>
>> >> I think it would be very beneficial to support remote debugging, and
>> >> I'm willing to implement the changes needed. Should I create a bug for
>> >> this or draft a blueprint?
>> >>
>> >> I'm out of office 2-5 Sept for the US Labor Day holiday, so I could
>> >> start on this on 6 Sept.
>> >>
>> >> As always, I appreciate all your comments.
>> >>
>> >> Thanks.
>> >>
>> >> aimee
>> >>
>> >> irc:aimeeu
>> >>
>> >>
>> >> __
>> >> OpenStack Development Mailing List (not for usage questions)
>> >> Unsubscribe:
>> >> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >
>> >
>> >
>> >
>> > __
>> > OpenStack Development Mail

[openstack-dev] [Congress] Enabling Remote Debugging

[Aimee Ukasick]

HI all - I've been trying to configure remote debugging with PyCharm
and DevStack. It looks like some tiny modifications need to be made to
the Congress code (3-4 files) to support remote debugging via pydevd.

As far as I can tell, support has been added to Keystone, Glance,
Nova, and Manilla (and I'm sure others).

Keystone patch: https://review.openstack.org/#/c/18404/3
Glance patch: https://review.openstack.org/#/c/18748/5

I think it would be very beneficial to support remote debugging, and
I'm willing to implement the changes needed. Should I create a bug for
this or draft a blueprint?

I'm out of office 2-5 Sept for the US Labor Day holiday, so I could
start on this on 6 Sept.

As always, I appreciate all your comments.

Thanks.

aimee

irc:aimeeu

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

[Aimee Ukasick]

I've gotten a little farther, which leads me to my next question -
does the API support v3 token auth?
or am I making mistakes in my manual testing?

using the CLI on local devstack
1) did not modify openrc
2) source openrc
3) openstack token issue
4)  openstack congress datasource list --os-auth-type v3token
--os-token ad74073300e244768e08e0d4cd73fbbd --os-auth-url
http://192.168.56.101:5000/v3
--os-project-id da9a9ba573c34c18a037fd04812d81bc   --debug --verbose

When the python-congressclient calls the API, this is the response:
RESP BODY: Policy doesn't allow get_v1 to be performed.
Request returned failure status: 403

Log:  http://paste.openstack.org/show/543445/

So then I called the API directly:
curl -X POST -H "Content-Type: application/json" -H "Cache-Control: no-cache"
-d '{ "auth": {
"identity": {
  "methods": ["password"],
  "password": {
"user": {
  "name": "demo",
  "domain": { "id": "default" },
  "password": "secret"
}
  }
}
  }
}' "http://192.168.56.101:5000/v3/auth/tokens;

Response:
{
  "token": {
"issued_at": "2016-07-28T20:43:44.258137Z",
"audit_ids": [
  "N6tnfbI5QvyRT4xEB7pGCA"
],
"methods": [
  "password"
],
"expires_at": "2016-07-28T21:43:44.258112Z",
"user": {
  "domain": {
"id": "default",
"name": "Default"
  },
  "id": "f2bf5189bbd7466cbecc1b1315cff3b5",
  "name": "demo"
}
  }
}

Then:
curl -X GET -H "X-Auth-Token: f2bf5189bbd7466cbecc1b1315cff3b5" -H
"Cache-Control: no-cache" "http://192.168.56.101:1789/v1/data-sources;

Response:
{
  "error": {
"message": "The request you have made requires authentication.",
"code": 401,
"title": "Unauthorized"
  }
}

I'm feeling pretty stupid at the moment, like I've missed something obvious.
Any ideas?

Thanks!

aimee

On Fri, Jul 22, 2016 at 9:21 PM, Anusha Ramineni <anusha.ii...@gmail.com> wrote:
> Hi Aimee,
>
> Thanks for the investigation.
>
> I remember testing congress client with V3 password based authentication ,
> which worked fine .. but never tested with token based .
>
> Please go ahead and fix it , if you think there is any issue .
>
>
> On 22-Jul-2016 9:38 PM, "Aimee Ukasick" <aimeeu.opensou...@gmail.com> wrote:
>>
>> All - I made the change to the auth_url that  Anusha suggested.
>> Same problem as before " Cannot authorize API client"
>> 2016-07-22 14:13:50.835861 * calling policies_list =
>> client.list_policy()*
>> 2016-07-22 14:13:50.836062 Unable to get policies list: Cannot
>> authorize API client.
>>
>> I used the token from the log output to query the Congress API with
>> the keystone v3 token - no issues.
>> curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H
>> "Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies;
>>
>> So I really think the problem is that the python-congressclient
>> doesn't support identity v3.
>> I thought it did, but then I came across this:
>> "support keystone v3 api and session based authentication "
>> https://bugs.launchpad.net/python-congressclient/+bug/1564361
>> This is currently assigned to Anusha.
>> I'd like to start work on it since I am becoming familiar with keystone
>> v3.
>>
>> Thoughts?
>>
>> aimee
>>
>>
>>
>>
>> On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick
>> <aimeeu.opensou...@gmail.com> wrote:
>> > Thanks Anusha! I will retest this today. I guess I need to learn more
>> > about Horizon as well - thanks for pointing me in the right direction.
>> >
>> > aimee
>> >
>> >
>> >
>> > On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni
>> > <anusha.ii...@gmail.com> wrote:
>> >> Hi Aimee,
>> >>
>> >> I think devstack by default configured horizon to use v3 .
>> >> For V2 authentication, from the logs , auth_url doesn't seem to be set
>> >> explicitly to v2 auth_url .
>> >>
>> >> I have always set explicit v2 auth which worked fine.
>> >> For eg:- auth_url = 'http://:5000/v2.0' , for V2
>> >> authentication
>> >>
>> >> I have raised a patch, to take the auth_url from horizon se

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

[Aimee Ukasick]

All - I made the change to the auth_url that  Anusha suggested.
Same problem as before " Cannot authorize API client"
2016-07-22 14:13:50.835861 * calling policies_list =
client.list_policy()*
2016-07-22 14:13:50.836062 Unable to get policies list: Cannot
authorize API client.

I used the token from the log output to query the Congress API with
the keystone v3 token - no issues.
curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H
"Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies;

So I really think the problem is that the python-congressclient
doesn't support identity v3.
I thought it did, but then I came across this:
"support keystone v3 api and session based authentication "
https://bugs.launchpad.net/python-congressclient/+bug/1564361
This is currently assigned to Anusha.
I'd like to start work on it since I am becoming familiar with keystone v3.

Thoughts?

aimee




On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick
<aimeeu.opensou...@gmail.com> wrote:
> Thanks Anusha! I will retest this today. I guess I need to learn more
> about Horizon as well - thanks for pointing me in the right direction.
>
> aimee
>
>
>
> On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni <anusha.ii...@gmail.com> 
> wrote:
>> Hi Aimee,
>>
>> I think devstack by default configured horizon to use v3 .
>> For V2 authentication, from the logs , auth_url doesn't seem to be set
>> explicitly to v2 auth_url .
>>
>> I have always set explicit v2 auth which worked fine.
>> For eg:- auth_url = 'http://:5000/v2.0' , for V2 authentication
>>
>> I have raised a patch, to take the auth_url from horizon settings instead of
>> from request.
>> https://review.openstack.org/#/c/345828/1
>>
>> Please set explict v2 auth_url as mentioned above in OPENSTACK_KESYTONE_URL
>> in /openstack_dashboard/local/local_settings.py and restart apache2
>> server . Then v2 authentication should go through fine.
>>
>> For v3 , need to add relevant code for v3 authentication in contrib/horizon
>> as presently it is hardcoded to use only v2. but yes, the code from plugin
>> model patch is still a WIP , so doesn't work for v3 authentication I guess
>> I'll have a look at it and let you know .
>>
>>
>> Best Regards,
>> Anusha
>>
>> On 21 July 2016 at 21:56, Tim Hinrichs <t...@styra.com> wrote:
>>>
>>> So clearly an authentication problem then.
>>>
>>> Anusha, do you have any ideas?  (Aimee, I think Anusha has worked with
>>> Keystone authentication most recently, so she's your best bet.)
>>>
>>> Tim
>>>
>>> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick
>>> <aimeeu.opensou...@gmail.com> wrote:
>>>>
>>>> The  Policy/Data Sources web page throws the same errors. I am
>>>> planning to recheck direct API calls using v3 auth today or tomorrow.
>>>>
>>>> aimee
>>>>
>>>> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs <t...@styra.com> wrote:
>>>> > Hi Aimee,
>>>> >
>>>> > Do the other APIs work?  That is, is it a general problem
>>>> > authenticating, or
>>>> > is the problem limited to list_policies?
>>>> >
>>>> > Tim
>>>> >
>>>> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick
>>>> > <aimeeu.opensou...@gmail.com>
>>>> > wrote:
>>>> >>
>>>> >> Hi all,
>>>> >>
>>>> >> I've been working on Policy UI (Horizon): Unable to get policies
>>>> >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
>>>> >> for the past 3 days. Anusha is correct - it's an authentication
>>>> >> problem, but I have not been able to fix it.
>>>> >>
>>>> >> I grabbed the relevant code in congress.py from Anusha's horizon
>>>> >> plugin model patchset (https://review.openstack.org/#/c/305063/3) and
>>>> >> added try/catch blocks, logging statements (with error because I
>>>> >> haven't figured out how to set the horizon log level).
>>>> >>
>>>> >>
>>>> >> I am testing the code on devstack, which I cloned on 19 July 2016.
>>>> >>
>>>> >> With both v2 and v3 auth, congressclient.v1.client is created.
>>>> >> The failure happens trying to call
>>>> >> congressclient.v1.client.Client.list_policies().
>>>> >

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

[Aimee Ukasick]

Thanks Anusha! I will retest this today. I guess I need to learn more
about Horizon as well - thanks for pointing me in the right direction.

aimee



On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni <anusha.ii...@gmail.com> wrote:
> Hi Aimee,
>
> I think devstack by default configured horizon to use v3 .
> For V2 authentication, from the logs , auth_url doesn't seem to be set
> explicitly to v2 auth_url .
>
> I have always set explicit v2 auth which worked fine.
> For eg:- auth_url = 'http://:5000/v2.0' , for V2 authentication
>
> I have raised a patch, to take the auth_url from horizon settings instead of
> from request.
> https://review.openstack.org/#/c/345828/1
>
> Please set explict v2 auth_url as mentioned above in OPENSTACK_KESYTONE_URL
> in /openstack_dashboard/local/local_settings.py and restart apache2
> server . Then v2 authentication should go through fine.
>
> For v3 , need to add relevant code for v3 authentication in contrib/horizon
> as presently it is hardcoded to use only v2. but yes, the code from plugin
> model patch is still a WIP , so doesn't work for v3 authentication I guess
> I'll have a look at it and let you know .
>
>
> Best Regards,
> Anusha
>
> On 21 July 2016 at 21:56, Tim Hinrichs <t...@styra.com> wrote:
>>
>> So clearly an authentication problem then.
>>
>> Anusha, do you have any ideas?  (Aimee, I think Anusha has worked with
>> Keystone authentication most recently, so she's your best bet.)
>>
>> Tim
>>
>> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick
>> <aimeeu.opensou...@gmail.com> wrote:
>>>
>>> The  Policy/Data Sources web page throws the same errors. I am
>>> planning to recheck direct API calls using v3 auth today or tomorrow.
>>>
>>> aimee
>>>
>>> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs <t...@styra.com> wrote:
>>> > Hi Aimee,
>>> >
>>> > Do the other APIs work?  That is, is it a general problem
>>> > authenticating, or
>>> > is the problem limited to list_policies?
>>> >
>>> > Tim
>>> >
>>> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick
>>> > <aimeeu.opensou...@gmail.com>
>>> > wrote:
>>> >>
>>> >> Hi all,
>>> >>
>>> >> I've been working on Policy UI (Horizon): Unable to get policies
>>> >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
>>> >> for the past 3 days. Anusha is correct - it's an authentication
>>> >> problem, but I have not been able to fix it.
>>> >>
>>> >> I grabbed the relevant code in congress.py from Anusha's horizon
>>> >> plugin model patchset (https://review.openstack.org/#/c/305063/3) and
>>> >> added try/catch blocks, logging statements (with error because I
>>> >> haven't figured out how to set the horizon log level).
>>> >>
>>> >>
>>> >> I am testing the code on devstack, which I cloned on 19 July 2016.
>>> >>
>>> >> With both v2 and v3 auth, congressclient.v1.client is created.
>>> >> The failure happens trying to call
>>> >> congressclient.v1.client.Client.list_policies().
>>> >> When using v2 auth, the error message is "Unable to get policies list:
>>> >> The resource could not be found"
>>> >> When using v3 auth, the error message is "Cannot authorize API client"
>>> >>
>>> >> I am assuming that congressclient.v1.client.Client is
>>> >>
>>> >>
>>> >> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
>>> >> and that client.list_policy() calls list_policy()in the
>>> >> python-congressclient
>>> >> which in turn calls the Congress API. Is this correct?
>>> >>
>>> >> Any ideas why with v3 auth, the python-congressclient cannot authorize
>>> >> the
>>> >> call to the API?
>>> >>
>>> >> I looked at other horizon plugin models (ceilometer, neutron, nova,
>>> >> cerberus, cloudkitty, trove, designate, manila) to see how they
>>> >> created
>>> >> the client. While the code to create a client is not identical,
>>> >> it is vastly different from the code to create a client
>>> >> in contrib/horizon/congress.py.
>>> >>
>>> >> Thanks in advance for any pointers.
>

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

[Aimee Ukasick]

The  Policy/Data Sources web page throws the same errors. I am
planning to recheck direct API calls using v3 auth today or tomorrow.

aimee

On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs <t...@styra.com> wrote:
> Hi Aimee,
>
> Do the other APIs work?  That is, is it a general problem authenticating, or
> is the problem limited to list_policies?
>
> Tim
>
> On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick <aimeeu.opensou...@gmail.com>
> wrote:
>>
>> Hi all,
>>
>> I've been working on Policy UI (Horizon): Unable to get policies
>> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
>> for the past 3 days. Anusha is correct - it's an authentication
>> problem, but I have not been able to fix it.
>>
>> I grabbed the relevant code in congress.py from Anusha's horizon
>> plugin model patchset (https://review.openstack.org/#/c/305063/3) and
>> added try/catch blocks, logging statements (with error because I
>> haven't figured out how to set the horizon log level).
>>
>>
>> I am testing the code on devstack, which I cloned on 19 July 2016.
>>
>> With both v2 and v3 auth, congressclient.v1.client is created.
>> The failure happens trying to call
>> congressclient.v1.client.Client.list_policies().
>> When using v2 auth, the error message is "Unable to get policies list:
>> The resource could not be found"
>> When using v3 auth, the error message is "Cannot authorize API client"
>>
>> I am assuming that congressclient.v1.client.Client is
>>
>> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
>> and that client.list_policy() calls list_policy()in the
>> python-congressclient
>> which in turn calls the Congress API. Is this correct?
>>
>> Any ideas why with v3 auth, the python-congressclient cannot authorize the
>> call to the API?
>>
>> I looked at other horizon plugin models (ceilometer, neutron, nova,
>> cerberus, cloudkitty, trove, designate, manila) to see how they created
>> the client. While the code to create a client is not identical,
>> it is vastly different from the code to create a client
>> in contrib/horizon/congress.py.
>>
>> Thanks in advance for any pointers.
>>
>> aimee
>>
>> Aimee Ukasick (aimeeu)
>>
>> v2 log:
>> 2016-07-20 22:13:56.501455
>> 2016-07-20 22:14:30.238233 * view.get_data calling policies =
>> congress.policies_list(self.request) *
>> 2016-07-20 22:14:30.238318 * self.request.path=
>> /dashboard/admin/policies/
>> 2016-07-20 22:14:30.238352 * congress.policies_list(request)
>> BEGIN*
>> 2016-07-20 22:14:30.238376 * calling client =
>> congressclient(request)*
>> 2016-07-20 22:14:30.238399 * congress.congressclient BEGIN*
>> 2016-07-20 22:14:30.238454 * auth_url= http://192.168.56.103/identity
>> 2016-07-20 22:14:30.238479 * calling get_keystone_session *
>> 2016-07-20 22:14:30.238505 * congress.get_keystone_session BEGIN
>> auth_url *http://192.168.56.103/identity
>> 2016-07-20 22:14:30.238554 * path= /identity
>> 2016-07-20 22:14:30.238578 * using V2 plugin to authenticate*
>> 2016-07-20 22:14:30.238630 * v2 auth.get_auth_state=
>> 2016-07-20 22:14:30.238656 None
>> 2016-07-20 22:14:30.238677 * finished using V2 plugin to
>> authenticate*
>> 2016-07-20 22:14:30.238698 * creating session with auth *
>> 2016-07-20 22:14:30.244407 * congress.get_keystone_session END*
>> 2016-07-20 22:14:30.244462 * regtion_name= RegionOne
>> 2016-07-20 22:14:30.244491 * calling congress_client.Client(**kwargs)
>> 2016-07-20 22:14:30.247830 * congress.congressclient END*
>> 2016-07-20 22:14:30.247902 * calling policies_list =
>> client.list_policy()*
>> 2016-07-20 22:14:30.248012 DEBUG:keystoneauth.identity.v2:Making
>> authentication request to http://192.168.56.103/identity/tokens
>> 2016-07-20 22:14:30.255023 DEBUG:keystoneauth.session:Request returned
>> failure status: 404
>> 2016-07-20 22:14:30.257546 Unable to get policies list: The resource
>> could not be found.
>>
>>
>> v3 log:
>> 2016-07-20 22:09:22.912969
>> 2016-07-20 22:09:31.907119 * view.get_data calling policies =
>> congress.policies_list(self.request) *
>> 2016-07-20 22:09:31.907973 * self.request.path=
>> /dashboard/admin/policies/
>> 2016-07-20 22:09:31.908122 * congress.policies_list(request)
>> BEGIN*
>> 2016-07-20 22:09:31.908250 * calling clien

[openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

[Aimee Ukasick]

Hi all,

I've been working on Policy UI (Horizon): Unable to get policies
list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
for the past 3 days. Anusha is correct - it's an authentication
problem, but I have not been able to fix it.

I grabbed the relevant code in congress.py from Anusha's horizon
plugin model patchset (https://review.openstack.org/#/c/305063/3) and
added try/catch blocks, logging statements (with error because I
haven't figured out how to set the horizon log level).


I am testing the code on devstack, which I cloned on 19 July 2016.

With both v2 and v3 auth, congressclient.v1.client is created.
The failure happens trying to call
congressclient.v1.client.Client.list_policies().
When using v2 auth, the error message is "Unable to get policies list:
The resource could not be found"
When using v3 auth, the error message is "Cannot authorize API client"

I am assuming that congressclient.v1.client.Client is
https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
and that client.list_policy() calls list_policy()in the python-congressclient
which in turn calls the Congress API. Is this correct?

Any ideas why with v3 auth, the python-congressclient cannot authorize the
call to the API?

I looked at other horizon plugin models (ceilometer, neutron, nova,
cerberus, cloudkitty, trove, designate, manila) to see how they created
the client. While the code to create a client is not identical,
it is vastly different from the code to create a client
in contrib/horizon/congress.py.

Thanks in advance for any pointers.

aimee

Aimee Ukasick (aimeeu)

v2 log:
2016-07-20 22:13:56.501455
2016-07-20 22:14:30.238233 * view.get_data calling policies =
congress.policies_list(self.request) *
2016-07-20 22:14:30.238318 * self.request.path= /dashboard/admin/policies/
2016-07-20 22:14:30.238352 * congress.policies_list(request) BEGIN*
2016-07-20 22:14:30.238376 * calling client = congressclient(request)*
2016-07-20 22:14:30.238399 * congress.congressclient BEGIN*
2016-07-20 22:14:30.238454 * auth_url= http://192.168.56.103/identity
2016-07-20 22:14:30.238479 * calling get_keystone_session *
2016-07-20 22:14:30.238505 * congress.get_keystone_session BEGIN
auth_url *http://192.168.56.103/identity
2016-07-20 22:14:30.238554 * path= /identity
2016-07-20 22:14:30.238578 * using V2 plugin to authenticate*
2016-07-20 22:14:30.238630 * v2 auth.get_auth_state=
2016-07-20 22:14:30.238656 None
2016-07-20 22:14:30.238677 * finished using V2 plugin to authenticate*
2016-07-20 22:14:30.238698 * creating session with auth *
2016-07-20 22:14:30.244407 * congress.get_keystone_session END*
2016-07-20 22:14:30.244462 * regtion_name= RegionOne
2016-07-20 22:14:30.244491 * calling congress_client.Client(**kwargs)
2016-07-20 22:14:30.247830 * congress.congressclient END*
2016-07-20 22:14:30.247902 * calling policies_list =
client.list_policy()*
2016-07-20 22:14:30.248012 DEBUG:keystoneauth.identity.v2:Making
authentication request to http://192.168.56.103/identity/tokens
2016-07-20 22:14:30.255023 DEBUG:keystoneauth.session:Request returned
failure status: 404
2016-07-20 22:14:30.257546 Unable to get policies list: The resource
could not be found.


v3 log:
2016-07-20 22:09:22.912969
2016-07-20 22:09:31.907119 * view.get_data calling policies =
congress.policies_list(self.request) *
2016-07-20 22:09:31.907973 * self.request.path= /dashboard/admin/policies/
2016-07-20 22:09:31.908122 * congress.policies_list(request) BEGIN*
2016-07-20 22:09:31.908250 * calling client = congressclient(request)*
2016-07-20 22:09:31.908386 * congress.congressclient BEGIN*
2016-07-20 22:09:31.909034 * auth_url= http://192.168.56.103/identity
2016-07-20 22:09:31.909217 * calling get_keystone_session *
2016-07-20 22:09:31.909356 * congress.get_keystone_session BEGIN
auth_url *http://192.168.56.103/identity
2016-07-20 22:09:31.909527 * path= /identity
2016-07-20 22:09:31.909795 * using V3 plugin to authenticate*
2016-07-20 22:09:31.910042 auth_url=http://192.168.56.103/identity
2016-07-20 22:09:31.910175 token=d46339f2d0b5455db54909d6ed95a9cc
2016-07-20 22:09:31.910301 project_name=alt_demo
2016-07-20 22:09:31.910426 domain_name=Default
2016-07-20 22:09:31.910676 project_domain_name=default
2016-07-20 22:09:31.910866 * v3 auth.get_auth_state=
2016-07-20 22:09:31.910992 None
2016-07-20 22:09:31.914053 * finished using V3 plugin to authenticate*
2016-07-20 22:09:31.914100 * creating session with auth *
2016-07-20 22:09:31.922260 * congress.get_keystone_session END*
2016-07-20 22:09:31.922542 * regtion_name= RegionOne
2016-07-20 22:09:31.922676 * calling congress_client.Client(**kwargs)
2016-07-20 22:09:31.922822 * congress.congressclient END*
2016-07-20 22:09:31.