Reviewed: https://review.openstack.org/392944 Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=55baf9254d78de2c6e409156e6649875cb7797e3 Submitter: Jenkins Branch: master
commit 55baf9254d78de2c6e409156e6649875cb7797e3 Author: Kam Nasim <kam.na...@windriver.com> Date: Wed Nov 2 19:34:40 2016 +0000 "Unable to retrieve Domain" incessant warning logs "openstack_dashboard.api.keystone: Unable to retrieve Domain: default" incessant warning logging when switching Projects while being on the Identity>Project panel. Retrieving domain information is a Keystone admin URL operation. As a pre-check, such operations would be Forbidden if the logon user does not have an 'admin' role on the current project. Since this is a common occurence, and can cause incessant warning logging in the horizon logs, we recognize this condition and return the user's domain information instead. Signed-off-by: Kam Nasim <kam.na...@windriver.com> Closes-Bug: #1638662 Change-Id: Iadd5184a16a73da1da5a7230c89e996248f1eba7 ** Changed in: horizon Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon). https://bugs.launchpad.net/bugs/1638662 Title: "openstack_dashboard.api.keystone: Unable to retrieve Domain: default" incessant warning logging when switching Projects while being on the Identity>Project panel Status in OpenStack Dashboard (Horizon): Fix Released Bug description: ==== REPRODUCTION ==== One scenario in horizon where we shall get the "Unable to retrieve Domain: default" incessant logging: 1. Login to horizon as admin 2. Select Identity - Projects panel and switch Projects Cancel 3. Remain on the Identity - Projects panel Result horizon log shows the following warnings, logged at a cadence of 6 seconds... 2016-08-17 20:23:06,128 [INFO] openstack_auth.views: Project switch successful for user "admin" "128.224.141.74". 2016-08-17 20:23:06,156 [INFO] openstack_auth.views: Deleted token db95cc356ca54ea5b3a7bd39a6ec6806 2016-08-17 20:23:06,416 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default 2016-08-17 20:23:11,917 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default 2016-08-17 20:23:17,153 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default 2016-08-17 20:23:22,430 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default 2016-08-17 20:23:27,670 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default 2016-08-17 20:23:32,993 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default 2016-08-17 20:23:38,248 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default ==== ANALYSIS ==== Further investigation reveals that the horizon error log (unable to retrieve domain) when switching Projects is because the admin user does NOT have an admin role on this new project (tenant1): {'username': u'admin', 'token': <openstack_auth.user.Token object at 0x7f9e86f0d0d0>, 'project_name': u'tenant1', 'user_id': u'c118176de885401c97314e0d6da8e786', 'roles': [u'_member_'], 'is_admin': False, 'project_id': u'fe71d23184764a25b10d367fd4ed18a1', 'domain_id': u'default'} In Identity V3, all Keystone operations can be done over the internalURL with the exception of domain specific operations, which still go over the adminURL. Therefore Horizon calls Keystone's RBAC policy to ensure that this logged in user has the "admin" role on this project, and if so then use the adminURL. This is not true and therefore we get that incessant log error. When I disable RBAC policy enforcement at Horizon, and Horizon makes the call out to Keystone server, for domain information, it does so using the internalURL which Keystone server rejects. Therefore the Horizon code that re-renders the Identity > Project panel needs to account for this scnenario, i.e. "if the Horizon session does NOT have a domain context, and if the logged in user does NOT have an admin role on the current project, then DO NOT attempt to get the domain from Keystone, but instead use the logged in user's domain and assume it to be the same as the project domain" A new debug log will be added to indicate this scenario: 2016-10-31 21:31:20,267 [DEBUG] openstack_dashboard.api.keystone: Cannot retrieve domain information for user (admin) that does not have an admin role on project (tenant2) To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1638662/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp