Re: [openstack-dev] [horizon] [keystone] [federated auth] [ocata] federated users with "admin" role not authorized for nova, cinder, neutron admin panels
Hi,

Oh wow, for some reason my message was not sent to the list.

On 03/20/2017 09:03 PM, Evan Bollig PhD wrote:
> Hey Boris,
>
> Any updates on this?
>
> Cheers,
> -E
> --
> Evan F. Bollig, PhD
> Scientific Computing Consultant, Application Developer | Scientific
> Computing Solutions (SCS)
> Minnesota Supercomputing Institute | msi.umn.edu
> University of Minnesota | umn.edu
> boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556
>
> On Thu, Mar 9, 2017 at 4:08 PM, Evan Bollig PhD wrote:
>> Hey Boris,
>>
>> Which mapping? Hope you were looking for the shibboleth user
>> mapping. Also, hope this is the right way to share the paste (first
>> time using this):
>> http://paste.openstack.org/show/3snCb31GRZfAuQxdRouy/

This is probably part of bug
https://bugs.launchpad.net/keystone/+bug/1589993 . I am not 100% sure
though. Could you please file a new bug report?

As for now, you could try doing auto-provisioning using new capabilities
from Ocata:
https://docs.openstack.org/developer/keystone/federation/mapping_combinations.html#auto-provisioning

>> Cheers,
>> -E
>>
>> On Thu, Mar 9, 2017 at 7:50 AM, Boris Bobrov wrote:
>>> Hi,
>>>
>>> Please paste your mapping to paste.openstack.org
>>>
>>> On 03/09/2017 02:07 AM, Evan Bollig PhD wrote:
>>>> I am on Ocata with Shibboleth auth enabled. I noticed that Federated
>>>> users with the admin role no longer have authorization to use the
>>>> Admin** panels in Horizon related to Nova, Cinder and Neutron. All
>>>> regular Identity and Project tabs function, and there are no problems
>>>> with authorization for local admin users.
>>>>
>>>> -
>>>> These Admin tabs work: Hypervisors, Host Aggregates, Flavors, Images,
>>>> Defaults, Metadata, System Information
>>>>
>>>> These result in logout: Instances, Volumes, Networks, Routers, Floating IPs
>>>>
>>>> This is not present: Overview
>>>> -
>>>>
>>>> The policies are vanilla from the CentOS/RDO openstack-dashboard RPMs:
>>>> openstack-dashboard-11.0.0-1.el7.noarch
>>>> python-django-horizon-11.0.0-1.el7.noarch
>>>> python2-keystonemiddleware-4.14.0-1.el7.noarch
>>>> python2-keystoneclient-3.10.0-1.el7.noarch
>>>> openstack-keystone-11.0.0-1.el7.noarch
>>>> python2-keystoneauth1-2.18.0-1.el7.noarch
>>>> python-keystone-11.0.0-1.el7.noarch
>>>>
>>>> The errors I see in logs are similar to:
>>>>
>>>> ==> /var/log/horizon/horizon.log <==
>>>> 2017-03-07 18:24:54,961 13745 ERROR horizon.exceptions Unauthorized:
>>>> Traceback (most recent call last):
>>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/floating_ips/views.py", line 53, in get_tenant_list
>>>>     tenants, has_more = api.keystone.tenant_list(request)
>>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 351, in tenant_list
>>>>     manager = VERSIONS.get_project_manager(request, admin=admin)
>>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 61, in get_project_manager
>>>>     manager = keystoneclient(*args, **kwargs).projects
>>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 170, in keystoneclient
>>>>     raise exceptions.NotAuthorized
>>>> NotAuthorized
>>>>
>>>> Cheers,
>>>> -E

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
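A check an operator might run before loading an auto-provisioning mapping of the kind suggested in the message above (an added example, not code from the thread or from keystone): it lists every role a rule grants through `projects` and flags rules that grant `admin` with no `any_one_of`/`not_any_of` condition on an IdP attribute. The mapping itself, the attribute name `unscoped-affiliation`, and the project and role names are constructed for illustration.

```python
import json

# Constructed sample mapping in the keystone federation mapping format.
# Attribute, project and role names are assumptions, not taken from the thread.
MAPPING = json.loads("""
{
  "rules": [
    {
      "local": [
        {"user": {"name": "{0}"}},
        {"projects": [
          {"name": "ops", "roles": [{"name": "admin"}]}
        ]}
      ],
      "remote": [
        {"type": "REMOTE_USER"},
        {"type": "unscoped-affiliation", "any_one_of": ["staff"]}
      ]
    },
    {
      "local": [
        {"user": {"name": "{0}"}},
        {"projects": [
          {"name": "sandbox",
           "roles": [{"name": "admin"}, {"name": "_member_"}]}
        ]}
      ],
      "remote": [{"type": "REMOTE_USER"}]
    }
  ]
}
""")

# Remote-side keys that restrict which assertions a rule matches.
CONDITIONS = ("any_one_of", "not_any_of")


def role_grants(mapping):
    """Yield (rule_index, project, role, conditioned) per auto-provisioned role."""
    for idx, rule in enumerate(mapping["rules"]):
        conditioned = any(
            key in remote for remote in rule.get("remote", []) for key in CONDITIONS
        )
        for local in rule.get("local", []):
            for project in local.get("projects", []):
                for role in project.get("roles", []):
                    yield idx, project["name"], role["name"], conditioned


def unconditioned_admin(mapping, role="admin"):
    """Return (rule_index, project) pairs that grant `role` with no remote condition,
    i.e. to every user whose assertion carries the rule's remote attributes."""
    return [(i, p) for i, p, r, c in role_grants(mapping) if r == role and not c]


if __name__ == "__main__":
    for idx, project in unconditioned_admin(MAPPING):
        print(f"rule {idx}: admin on project {project!r} has no remote condition")
```
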
Re: [openstack-dev] [horizon] [keystone] [federated auth] [ocata] federated users with "admin" role not authorized for nova, cinder, neutron admin panels
Hey Boris,

Any updates on this?

Cheers,
-E
--
Evan F. Bollig, PhD
Scientific Computing Consultant, Application Developer | Scientific
Computing Solutions (SCS)
Minnesota Supercomputing Institute | msi.umn.edu
University of Minnesota | umn.edu
boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556

On Thu, Mar 9, 2017 at 4:08 PM, Evan Bollig PhD wrote:
> Hey Boris,
>
> Which mapping? Hope you were looking for the shibboleth user
> mapping. Also, hope this is the right way to share the paste (first
> time using this):
> http://paste.openstack.org/show/3snCb31GRZfAuQxdRouy/
>
> Cheers,
> -E
>
> On Thu, Mar 9, 2017 at 7:50 AM, Boris Bobrov wrote:
>> Hi,
>>
>> Please paste your mapping to paste.openstack.org
>>
>> On 03/09/2017 02:07 AM, Evan Bollig PhD wrote:
>>> I am on Ocata with Shibboleth auth enabled. I noticed that Federated
>>> users with the admin role no longer have authorization to use the
>>> Admin** panels in Horizon related to Nova, Cinder and Neutron. All
>>> regular Identity and Project tabs function, and there are no problems
>>> with authorization for local admin users.
>>>
>>> -
>>> These Admin tabs work: Hypervisors, Host Aggregates, Flavors, Images,
>>> Defaults, Metadata, System Information
>>>
>>> These result in logout: Instances, Volumes, Networks, Routers, Floating IPs
>>>
>>> This is not present: Overview
>>> -
>>>
>>> The policies are vanilla from the CentOS/RDO openstack-dashboard RPMs:
>>> openstack-dashboard-11.0.0-1.el7.noarch
>>> python-django-horizon-11.0.0-1.el7.noarch
>>> python2-keystonemiddleware-4.14.0-1.el7.noarch
>>> python2-keystoneclient-3.10.0-1.el7.noarch
>>> openstack-keystone-11.0.0-1.el7.noarch
>>> python2-keystoneauth1-2.18.0-1.el7.noarch
>>> python-keystone-11.0.0-1.el7.noarch
>>>
>>> The errors I see in logs are similar to:
>>>
>>> ==> /var/log/horizon/horizon.log <==
>>> 2017-03-07 18:24:54,961 13745 ERROR horizon.exceptions Unauthorized:
>>> Traceback (most recent call last):
>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/floating_ips/views.py", line 53, in get_tenant_list
>>>     tenants, has_more = api.keystone.tenant_list(request)
>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 351, in tenant_list
>>>     manager = VERSIONS.get_project_manager(request, admin=admin)
>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 61, in get_project_manager
>>>     manager = keystoneclient(*args, **kwargs).projects
>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 170, in keystoneclient
>>>     raise exceptions.NotAuthorized
>>> NotAuthorized
>>>
>>> Cheers,
>>> -E
Re: [openstack-dev] [horizon] [keystone] [federated auth] [ocata] federated users with "admin" role not authorized for nova, cinder, neutron admin panels
Hey Boris,

Which mapping? Hope you were looking for the shibboleth user
mapping. Also, hope this is the right way to share the paste (first
time using this):
http://paste.openstack.org/show/3snCb31GRZfAuQxdRouy/

Cheers,
-E
--
Evan F. Bollig, PhD
Scientific Computing Consultant, Application Developer | Scientific
Computing Solutions (SCS)
Minnesota Supercomputing Institute | msi.umn.edu
University of Minnesota | umn.edu
boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556

On Thu, Mar 9, 2017 at 7:50 AM, Boris Bobrov wrote:
> Hi,
>
> Please paste your mapping to paste.openstack.org
>
> On 03/09/2017 02:07 AM, Evan Bollig PhD wrote:
>> I am on Ocata with Shibboleth auth enabled. I noticed that Federated
>> users with the admin role no longer have authorization to use the
>> Admin** panels in Horizon related to Nova, Cinder and Neutron. All
>> regular Identity and Project tabs function, and there are no problems
>> with authorization for local admin users.
>>
>> -
>> These Admin tabs work: Hypervisors, Host Aggregates, Flavors, Images,
>> Defaults, Metadata, System Information
>>
>> These result in logout: Instances, Volumes, Networks, Routers, Floating IPs
>>
>> This is not present: Overview
>> -
>>
>> The policies are vanilla from the CentOS/RDO openstack-dashboard RPMs:
>> openstack-dashboard-11.0.0-1.el7.noarch
>> python-django-horizon-11.0.0-1.el7.noarch
>> python2-keystonemiddleware-4.14.0-1.el7.noarch
>> python2-keystoneclient-3.10.0-1.el7.noarch
>> openstack-keystone-11.0.0-1.el7.noarch
>> python2-keystoneauth1-2.18.0-1.el7.noarch
>> python-keystone-11.0.0-1.el7.noarch
>>
>> The errors I see in logs are similar to:
>>
>> ==> /var/log/horizon/horizon.log <==
>> 2017-03-07 18:24:54,961 13745 ERROR horizon.exceptions Unauthorized:
>> Traceback (most recent call last):
>>   File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/floating_ips/views.py", line 53, in get_tenant_list
>>     tenants, has_more = api.keystone.tenant_list(request)
>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 351, in tenant_list
>>     manager = VERSIONS.get_project_manager(request, admin=admin)
>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 61, in get_project_manager
>>     manager = keystoneclient(*args, **kwargs).projects
>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 170, in keystoneclient
>>     raise exceptions.NotAuthorized
>> NotAuthorized
>>
>> Cheers,
>> -E
Re: [openstack-dev] [horizon] [keystone] [federated auth] [ocata] federated users with "admin" role not authorized for nova, cinder, neutron admin panels
Hi,

Please paste your mapping to paste.openstack.org

On 03/09/2017 02:07 AM, Evan Bollig PhD wrote:
> I am on Ocata with Shibboleth auth enabled. I noticed that Federated
> users with the admin role no longer have authorization to use the
> Admin** panels in Horizon related to Nova, Cinder and Neutron. All
> regular Identity and Project tabs function, and there are no problems
> with authorization for local admin users.
>
> -
> These Admin tabs work: Hypervisors, Host Aggregates, Flavors, Images,
> Defaults, Metadata, System Information
>
> These result in logout: Instances, Volumes, Networks, Routers, Floating IPs
>
> This is not present: Overview
> -
>
> The policies are vanilla from the CentOS/RDO openstack-dashboard RPMs:
> openstack-dashboard-11.0.0-1.el7.noarch
> python-django-horizon-11.0.0-1.el7.noarch
> python2-keystonemiddleware-4.14.0-1.el7.noarch
> python2-keystoneclient-3.10.0-1.el7.noarch
> openstack-keystone-11.0.0-1.el7.noarch
> python2-keystoneauth1-2.18.0-1.el7.noarch
> python-keystone-11.0.0-1.el7.noarch
>
> The errors I see in logs are similar to:
>
> ==> /var/log/horizon/horizon.log <==
> 2017-03-07 18:24:54,961 13745 ERROR horizon.exceptions Unauthorized:
> Traceback (most recent call last):
>   File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/floating_ips/views.py", line 53, in get_tenant_list
>     tenants, has_more = api.keystone.tenant_list(request)
>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 351, in tenant_list
>     manager = VERSIONS.get_project_manager(request, admin=admin)
>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 61, in get_project_manager
>     manager = keystoneclient(*args, **kwargs).projects
>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 170, in keystoneclient
>     raise exceptions.NotAuthorized
> NotAuthorized
>
> Cheers,
> -E