Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

2016-09-16 Thread Aimee Ukasick 
Eric - I added some info to the bug report
https://bugs.launchpad.net/congress/+bug/1602837

My version of DevStack uses keystone v2 for everything. However, I
found this line in the Horizon log:

"The Keystone URL (either in Horizon settings or in service catalog)
points to a v2.0 Keystone endpoint,
but v3 is specified as the API version to use by Horizon. Using v3
endpoint for authentication."


So when I hard-coded the auth_url to be v2.0, the pages loaded data as
expected.
I used your "replace" and will upload a patch asap.

Thanks!

aimee




On Thu, Sep 15, 2016 at 10:05 PM, Eric K  wrote:
> Anusha and Aimee,
>
> Circling back on this issue: it seems that you are seeing different things
> with regards to horizon authentication using keystone v2. I think we can
> make good progress if we can clarify where we stand.
>
> Anusha said setting the auth_url explicitly to v2 works. Aimee said it
> didn¹t.
>
> So just to clarify:
>
> 1. Anusha did you mean set this line
> https://github.com/openstack/congress/blob/master/congress_dashboard/api/co
> ngress.py#L75
> To:
> `auth_url = 'http://:5000/v2.0¹` ?
>
> 2. Aimee, is that what you tried?
>
> 3. Do you still get different results?
>
> From Anusha¹s commit message in this patch
> (https://review.openstack.org/#/c/305063/), the current code should fail
> because `auth_url = getattr(settings, 'OPENSTACK_KEYSTONE_URL¹)`[L75]
> grabs the .../v3 URL (devstack default), yet `auth =
> keystoneclient.auth.identity.v2.Token(`[L77] expects a .../v2.0 URL. So
> could we have a workaround simply by doing something like `auth_url =
> auth_url.replace('v3', 'v2.0¹)`? (*)
>
> Thanks again for all the investigative work!
>
> Eric
>
> (*) Another potential issue is ports:
> https://ask.openstack.org/en/question/67846/difference-between-keystone-por
> t-5000-and-35357/
>
> On 7/22/16, 9:06 AM, "Aimee Ukasick"  wrote:
>
>>All - I made the change to the auth_url that  Anusha suggested.
>>Same problem as before " Cannot authorize API client"
>>2016-07-22 14:13:50.835861 * calling policies_list =
>>client.list_policy()*
>>2016-07-22 14:13:50.836062 Unable to get policies list: Cannot
>>authorize API client.
>>
>>I used the token from the log output to query the Congress API with
>>the keystone v3 token - no issues.
>>curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H
>>"Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies;
>>
>>So I really think the problem is that the python-congressclient
>>doesn't support identity v3.
>>I thought it did, but then I came across this:
>>"support keystone v3 api and session based authentication "
>>https://bugs.launchpad.net/python-congressclient/+bug/1564361
>>This is currently assigned to Anusha.
>>I'd like to start work on it since I am becoming familiar with keystone
>>v3.
>>
>>Thoughts?
>>
>>aimee
>>
>>
>>
>>
>>On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick
>> wrote:
>>> Thanks Anusha! I will retest this today. I guess I need to learn more
>>> about Horizon as well - thanks for pointing me in the right direction.
>>>
>>> aimee
>>>
>>>
>>>
>>> On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni
>>> wrote:
 Hi Aimee,

 I think devstack by default configured horizon to use v3 .
 For V2 authentication, from the logs , auth_url doesn't seem to be set
 explicitly to v2 auth_url .

 I have always set explicit v2 auth which worked fine.
 For eg:- auth_url = 'http://:5000/v2.0' , for V2
authentication

 I have raised a patch, to take the auth_url from horizon settings
instead of
 from request.
 https://review.openstack.org/#/c/345828/1

 Please set explict v2 auth_url as mentioned above in
OPENSTACK_KESYTONE_URL
 in /openstack_dashboard/local/local_settings.py and restart
apache2
 server . Then v2 authentication should go through fine.

 For v3 , need to add relevant code for v3 authentication in
contrib/horizon
 as presently it is hardcoded to use only v2. but yes, the code from
plugin
 model patch is still a WIP , so doesn't work for v3 authentication I
guess
 I'll have a look at it and let you know .


 Best Regards,
 Anusha

 On 21 July 2016 at 21:56, Tim Hinrichs  wrote:
>
> So clearly an authentication problem then.
>
> Anusha, do you have any ideas?  (Aimee, I think Anusha has worked with
> Keystone authentication most recently, so she's your best bet.)
>
> Tim
>
> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick
>  wrote:
>>
>> The  Policy/Data Sources web page throws the same errors. I am
>> planning to recheck direct API calls using v3 auth today or tomorrow.
>>
>> aimee
>>
>> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs  wrote:
>> >

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

2016-09-15 Thread Eric K 
Anusha and Aimee,

Circling back on this issue: it seems that you are seeing different things
with regards to horizon authentication using keystone v2. I think we can
make good progress if we can clarify where we stand.

Anusha said setting the auth_url explicitly to v2 works. Aimee said it
didn¹t.

So just to clarify:

1. Anusha did you mean set this line
https://github.com/openstack/congress/blob/master/congress_dashboard/api/co
ngress.py#L75
To:
`auth_url = 'http://:5000/v2.0¹` ?

2. Aimee, is that what you tried?

3. Do you still get different results?

>From Anusha¹s commit message in this patch
(https://review.openstack.org/#/c/305063/), the current code should fail
because `auth_url = getattr(settings, 'OPENSTACK_KEYSTONE_URL¹)`[L75]
grabs the .../v3 URL (devstack default), yet `auth =
keystoneclient.auth.identity.v2.Token(`[L77] expects a .../v2.0 URL. So
could we have a workaround simply by doing something like `auth_url =
auth_url.replace('v3', 'v2.0¹)`? (*)

Thanks again for all the investigative work!

Eric

(*) Another potential issue is ports:
https://ask.openstack.org/en/question/67846/difference-between-keystone-por
t-5000-and-35357/

On 7/22/16, 9:06 AM, "Aimee Ukasick"  wrote:

>All - I made the change to the auth_url that  Anusha suggested.
>Same problem as before " Cannot authorize API client"
>2016-07-22 14:13:50.835861 * calling policies_list =
>client.list_policy()*
>2016-07-22 14:13:50.836062 Unable to get policies list: Cannot
>authorize API client.
>
>I used the token from the log output to query the Congress API with
>the keystone v3 token - no issues.
>curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H
>"Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies;
>
>So I really think the problem is that the python-congressclient
>doesn't support identity v3.
>I thought it did, but then I came across this:
>"support keystone v3 api and session based authentication "
>https://bugs.launchpad.net/python-congressclient/+bug/1564361
>This is currently assigned to Anusha.
>I'd like to start work on it since I am becoming familiar with keystone
>v3.
>
>Thoughts?
>
>aimee
>
>
>
>
>On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick
> wrote:
>> Thanks Anusha! I will retest this today. I guess I need to learn more
>> about Horizon as well - thanks for pointing me in the right direction.
>>
>> aimee
>>
>>
>>
>> On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni
>> wrote:
>>> Hi Aimee,
>>>
>>> I think devstack by default configured horizon to use v3 .
>>> For V2 authentication, from the logs , auth_url doesn't seem to be set
>>> explicitly to v2 auth_url .
>>>
>>> I have always set explicit v2 auth which worked fine.
>>> For eg:- auth_url = 'http://:5000/v2.0' , for V2
>>>authentication
>>>
>>> I have raised a patch, to take the auth_url from horizon settings
>>>instead of
>>> from request.
>>> https://review.openstack.org/#/c/345828/1
>>>
>>> Please set explict v2 auth_url as mentioned above in
>>>OPENSTACK_KESYTONE_URL
>>> in /openstack_dashboard/local/local_settings.py and restart
>>>apache2
>>> server . Then v2 authentication should go through fine.
>>>
>>> For v3 , need to add relevant code for v3 authentication in
>>>contrib/horizon
>>> as presently it is hardcoded to use only v2. but yes, the code from
>>>plugin
>>> model patch is still a WIP , so doesn't work for v3 authentication I
>>>guess
>>> I'll have a look at it and let you know .
>>>
>>>
>>> Best Regards,
>>> Anusha
>>>
>>> On 21 July 2016 at 21:56, Tim Hinrichs  wrote:

 So clearly an authentication problem then.

 Anusha, do you have any ideas?  (Aimee, I think Anusha has worked with
 Keystone authentication most recently, so she's your best bet.)

 Tim

 On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick
  wrote:
>
> The  Policy/Data Sources web page throws the same errors. I am
> planning to recheck direct API calls using v3 auth today or tomorrow.
>
> aimee
>
> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs  wrote:
> > Hi Aimee,
> >
> > Do the other APIs work?  That is, is it a general problem
> > authenticating, or
> > is the problem limited to list_policies?
> >
> > Tim
> >
> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick
> > 
> > wrote:
> >>
> >> Hi all,
> >>
> >> I've been working on Policy UI (Horizon): Unable to get policies
> >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
> >> for the past 3 days. Anusha is correct - it's an authentication
> >> problem, but I have not been able to fix it.
> >>
> >> I grabbed the relevant code in congress.py from Anusha's horizon
> >> plugin model patchset (https://review.openstack.org/#/c/305063/3)
>and
> >>

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

2016-07-29 Thread Adam Young 

On 07/28/2016 10:05 PM, Tim Hinrichs wrote:


I've never worked on the authentication details, so this may be off 
track, but that error message indicates the failure is happening 
inside Congress's oslo_policy.


Error message shows up here as a Python exception class.
https://github.com/openstack/congress/blob/master/congress/exception.py#L135

That exception class is instantiated only here
https://github.com/openstack/congress/blob/master/congress/common/policy.py#L93 



The code that uses the instantiated exception class (which actually 
does the enforcement):

https://github.com/openstack/congress/blob/7c2f4132b9693e7969e704cb9914963274c2c4a1/congress/api/webservice.py#L373

I don't remember off the top of my head how the default policy.json 
gets created, but I'm sure the admin credentials will work.  You might 
want to ensure you're logged in as the admin with...


$ source openrc admin admin



IN most projects, policy is enforced against an oslo-context object.  
That shouild abstract away the differences between V2 and V3 keystone 
token formats.


Make sure that the policy is not dying on something specific to one 
version or the other.  Post the actual rule executed, please.





Tim

On Thu, Jul 28, 2016 at 1:56 PM Aimee Ukasick 
> wrote:


I've gotten a little farther, which leads me to my next question -
does the API support v3 token auth?
or am I making mistakes in my manual testing?

using the CLI on local devstack
1) did not modify openrc
2) source openrc
3) openstack token issue
4)  openstack congress datasource list --os-auth-type v3token
--os-token ad74073300e244768e08e0d4cd73fbbd --os-auth-url
http://192.168.56.101:5000/v3
--os-project-id da9a9ba573c34c18a037fd04812d81bc   --debug --verbose

When the python-congressclient calls the API, this is the response:
RESP BODY: Policy doesn't allow get_v1 to be performed.
Request returned failure status: 403

Log: http://paste.openstack.org/show/543445/

So then I called the API directly:
curl -X POST -H "Content-Type: application/json" -H
"Cache-Control: no-cache"
-d '{ "auth": {
"identity": {
  "methods": ["password"],
  "password": {
"user": {
  "name": "demo",
  "domain": { "id": "default" },
  "password": "secret"
}
  }
}
  }
}' "http://192.168.56.101:5000/v3/auth/tokens;

Response:
{
  "token": {
"issued_at": "2016-07-28T20:43:44.258137Z",
"audit_ids": [
  "N6tnfbI5QvyRT4xEB7pGCA"
],
"methods": [
  "password"
],
"expires_at": "2016-07-28T21:43:44.258112Z",
"user": {
  "domain": {
"id": "default",
"name": "Default"
  },
  "id": "f2bf5189bbd7466cbecc1b1315cff3b5",
  "name": "demo"
}
  }
}

Then:
curl -X GET -H "X-Auth-Token: f2bf5189bbd7466cbecc1b1315cff3b5" -H
"Cache-Control: no-cache" "http://192.168.56.101:1789/v1/data-sources;

Response:
{
  "error": {
"message": "The request you have made requires authentication.",
"code": 401,
"title": "Unauthorized"
  }
}

I'm feeling pretty stupid at the moment, like I've missed
something obvious.
Any ideas?

Thanks!

aimee

On Fri, Jul 22, 2016 at 9:21 PM, Anusha Ramineni
> wrote:
> Hi Aimee,
>
> Thanks for the investigation.
>
> I remember testing congress client with V3 password based
authentication ,
> which worked fine .. but never tested with token based .
>
> Please go ahead and fix it , if you think there is any issue .
>
>
> On 22-Jul-2016 9:38 PM, "Aimee Ukasick"
>
wrote:
>>
>> All - I made the change to the auth_url that Anusha suggested.
>> Same problem as before " Cannot authorize API client"
>> 2016-07-22 14:13:50.835861 * calling policies_list =
>> client.list_policy()*
>> 2016-07-22 14:13:50.836062 Unable to get policies list: Cannot
>> authorize API client.
>>
>> I used the token from the log output to query the Congress API with
>> the keystone v3 token - no issues.
>> curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H
>> "Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies;
>>
>> So I really think the problem is that the python-congressclient
>> doesn't support identity v3.
>> I thought it did, but then I came across this:
>> "support keystone v3 api and session based authentication "
>> https://bugs.launchpad.net/python-congressclient/+bug/1564361
>> This is currently assigned to Anusha.
>> I'd like to start

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

2016-07-28 Thread Tim Hinrichs 
I've never worked on the authentication details, so this may be off track,
but that error message indicates the failure is happening inside Congress's
oslo_policy.

Error message shows up here as a Python exception class.
https://github.com/openstack/congress/blob/master/congress/exception.py#L135

That exception class is instantiated only here
https://github.com/openstack/congress/blob/master/congress/common/policy.py#L93

The code that uses the instantiated exception class (which actually does
the enforcement):
https://github.com/openstack/congress/blob/7c2f4132b9693e7969e704cb9914963274c2c4a1/congress/api/webservice.py#L373

I don't remember off the top of my head how the default policy.json gets
created, but I'm sure the admin credentials will work.  You might want to
ensure you're logged in as the admin with...

$ source openrc admin admin

Tim

On Thu, Jul 28, 2016 at 1:56 PM Aimee Ukasick 
wrote:

> I've gotten a little farther, which leads me to my next question -
> does the API support v3 token auth?
> or am I making mistakes in my manual testing?
>
> using the CLI on local devstack
> 1) did not modify openrc
> 2) source openrc
> 3) openstack token issue
> 4)  openstack congress datasource list --os-auth-type v3token
> --os-token ad74073300e244768e08e0d4cd73fbbd --os-auth-url
> http://192.168.56.101:5000/v3
> --os-project-id da9a9ba573c34c18a037fd04812d81bc   --debug --verbose
>
> When the python-congressclient calls the API, this is the response:
> RESP BODY: Policy doesn't allow get_v1 to be performed.
> Request returned failure status: 403
>
> Log:  http://paste.openstack.org/show/543445/
>
> So then I called the API directly:
> curl -X POST -H "Content-Type: application/json" -H "Cache-Control:
> no-cache"
> -d '{ "auth": {
> "identity": {
>   "methods": ["password"],
>   "password": {
> "user": {
>   "name": "demo",
>   "domain": { "id": "default" },
>   "password": "secret"
> }
>   }
> }
>   }
> }' "http://192.168.56.101:5000/v3/auth/tokens;
>
> Response:
> {
>   "token": {
> "issued_at": "2016-07-28T20:43:44.258137Z",
> "audit_ids": [
>   "N6tnfbI5QvyRT4xEB7pGCA"
> ],
> "methods": [
>   "password"
> ],
> "expires_at": "2016-07-28T21:43:44.258112Z",
> "user": {
>   "domain": {
> "id": "default",
> "name": "Default"
>   },
>   "id": "f2bf5189bbd7466cbecc1b1315cff3b5",
>   "name": "demo"
> }
>   }
> }
>
> Then:
> curl -X GET -H "X-Auth-Token: f2bf5189bbd7466cbecc1b1315cff3b5" -H
> "Cache-Control: no-cache" "http://192.168.56.101:1789/v1/data-sources;
>
> Response:
> {
>   "error": {
> "message": "The request you have made requires authentication.",
> "code": 401,
> "title": "Unauthorized"
>   }
> }
>
> I'm feeling pretty stupid at the moment, like I've missed something
> obvious.
> Any ideas?
>
> Thanks!
>
> aimee
>
> On Fri, Jul 22, 2016 at 9:21 PM, Anusha Ramineni 
> wrote:
> > Hi Aimee,
> >
> > Thanks for the investigation.
> >
> > I remember testing congress client with V3 password based authentication
> ,
> > which worked fine .. but never tested with token based .
> >
> > Please go ahead and fix it , if you think there is any issue .
> >
> >
> > On 22-Jul-2016 9:38 PM, "Aimee Ukasick" 
> wrote:
> >>
> >> All - I made the change to the auth_url that  Anusha suggested.
> >> Same problem as before " Cannot authorize API client"
> >> 2016-07-22 14:13:50.835861 * calling policies_list =
> >> client.list_policy()*
> >> 2016-07-22 14:13:50.836062 Unable to get policies list: Cannot
> >> authorize API client.
> >>
> >> I used the token from the log output to query the Congress API with
> >> the keystone v3 token - no issues.
> >> curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H
> >> "Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies;
> >>
> >> So I really think the problem is that the python-congressclient
> >> doesn't support identity v3.
> >> I thought it did, but then I came across this:
> >> "support keystone v3 api and session based authentication "
> >> https://bugs.launchpad.net/python-congressclient/+bug/1564361
> >> This is currently assigned to Anusha.
> >> I'd like to start work on it since I am becoming familiar with keystone
> >> v3.
> >>
> >> Thoughts?
> >>
> >> aimee
> >>
> >>
> >>
> >>
> >> On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick
> >>  wrote:
> >> > Thanks Anusha! I will retest this today. I guess I need to learn more
> >> > about Horizon as well - thanks for pointing me in the right direction.
> >> >
> >> > aimee
> >> >
> >> >
> >> >
> >> > On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni
> >> >  wrote:
> >> >> Hi Aimee,
> >> >>
> >> >> I think devstack by default configured horizon to use v3 .
> >> >> For V2 authentication, from the logs , auth_url doesn't

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

2016-07-28 Thread Aimee Ukasick 
I've gotten a little farther, which leads me to my next question -
does the API support v3 token auth?
or am I making mistakes in my manual testing?

using the CLI on local devstack
1) did not modify openrc
2) source openrc
3) openstack token issue
4)  openstack congress datasource list --os-auth-type v3token
--os-token ad74073300e244768e08e0d4cd73fbbd --os-auth-url
http://192.168.56.101:5000/v3
--os-project-id da9a9ba573c34c18a037fd04812d81bc   --debug --verbose

When the python-congressclient calls the API, this is the response:
RESP BODY: Policy doesn't allow get_v1 to be performed.
Request returned failure status: 403

Log:  http://paste.openstack.org/show/543445/

So then I called the API directly:
curl -X POST -H "Content-Type: application/json" -H "Cache-Control: no-cache"
-d '{ "auth": {
"identity": {
  "methods": ["password"],
  "password": {
"user": {
  "name": "demo",
  "domain": { "id": "default" },
  "password": "secret"
}
  }
}
  }
}' "http://192.168.56.101:5000/v3/auth/tokens;

Response:
{
  "token": {
"issued_at": "2016-07-28T20:43:44.258137Z",
"audit_ids": [
  "N6tnfbI5QvyRT4xEB7pGCA"
],
"methods": [
  "password"
],
"expires_at": "2016-07-28T21:43:44.258112Z",
"user": {
  "domain": {
"id": "default",
"name": "Default"
  },
  "id": "f2bf5189bbd7466cbecc1b1315cff3b5",
  "name": "demo"
}
  }
}

Then:
curl -X GET -H "X-Auth-Token: f2bf5189bbd7466cbecc1b1315cff3b5" -H
"Cache-Control: no-cache" "http://192.168.56.101:1789/v1/data-sources;

Response:
{
  "error": {
"message": "The request you have made requires authentication.",
"code": 401,
"title": "Unauthorized"
  }
}

I'm feeling pretty stupid at the moment, like I've missed something obvious.
Any ideas?

Thanks!

aimee

On Fri, Jul 22, 2016 at 9:21 PM, Anusha Ramineni  wrote:
> Hi Aimee,
>
> Thanks for the investigation.
>
> I remember testing congress client with V3 password based authentication ,
> which worked fine .. but never tested with token based .
>
> Please go ahead and fix it , if you think there is any issue .
>
>
> On 22-Jul-2016 9:38 PM, "Aimee Ukasick"  wrote:
>>
>> All - I made the change to the auth_url that  Anusha suggested.
>> Same problem as before " Cannot authorize API client"
>> 2016-07-22 14:13:50.835861 * calling policies_list =
>> client.list_policy()*
>> 2016-07-22 14:13:50.836062 Unable to get policies list: Cannot
>> authorize API client.
>>
>> I used the token from the log output to query the Congress API with
>> the keystone v3 token - no issues.
>> curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H
>> "Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies;
>>
>> So I really think the problem is that the python-congressclient
>> doesn't support identity v3.
>> I thought it did, but then I came across this:
>> "support keystone v3 api and session based authentication "
>> https://bugs.launchpad.net/python-congressclient/+bug/1564361
>> This is currently assigned to Anusha.
>> I'd like to start work on it since I am becoming familiar with keystone
>> v3.
>>
>> Thoughts?
>>
>> aimee
>>
>>
>>
>>
>> On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick
>>  wrote:
>> > Thanks Anusha! I will retest this today. I guess I need to learn more
>> > about Horizon as well - thanks for pointing me in the right direction.
>> >
>> > aimee
>> >
>> >
>> >
>> > On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni
>> >  wrote:
>> >> Hi Aimee,
>> >>
>> >> I think devstack by default configured horizon to use v3 .
>> >> For V2 authentication, from the logs , auth_url doesn't seem to be set
>> >> explicitly to v2 auth_url .
>> >>
>> >> I have always set explicit v2 auth which worked fine.
>> >> For eg:- auth_url = 'http://:5000/v2.0' , for V2
>> >> authentication
>> >>
>> >> I have raised a patch, to take the auth_url from horizon settings
>> >> instead of
>> >> from request.
>> >> https://review.openstack.org/#/c/345828/1
>> >>
>> >> Please set explict v2 auth_url as mentioned above in
>> >> OPENSTACK_KESYTONE_URL
>> >> in /openstack_dashboard/local/local_settings.py and restart
>> >> apache2
>> >> server . Then v2 authentication should go through fine.
>> >>
>> >> For v3 , need to add relevant code for v3 authentication in
>> >> contrib/horizon
>> >> as presently it is hardcoded to use only v2. but yes, the code from
>> >> plugin
>> >> model patch is still a WIP , so doesn't work for v3 authentication I
>> >> guess
>> >> I'll have a look at it and let you know .
>> >>
>> >>
>> >> Best Regards,
>> >> Anusha
>> >>
>> >> On 21 July 2016 at 21:56, Tim Hinrichs  wrote:
>> >>>
>> >>> So clearly an authentication problem then.
>> >>>
>> >>> Anusha, do you have any ideas?  (Aimee, I think Anusha has worked with
>> >>> Keystone authentication most

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

2016-07-22 Thread Anusha Ramineni 
Hi Aimee,

Thanks for the investigation.

I remember testing congress client with V3 password based authentication ,
which worked fine .. but never tested with token based .

Please go ahead and fix it , if you think there is any issue .

On 22-Jul-2016 9:38 PM, "Aimee Ukasick"  wrote:

> All - I made the change to the auth_url that  Anusha suggested.
> Same problem as before " Cannot authorize API client"
> 2016-07-22 14:13:50.835861 * calling policies_list =
> client.list_policy()*
> 2016-07-22 14:13:50.836062 Unable to get policies list: Cannot
> authorize API client.
>
> I used the token from the log output to query the Congress API with
> the keystone v3 token - no issues.
> curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H
> "Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies;
>
> So I really think the problem is that the python-congressclient
> doesn't support identity v3.
> I thought it did, but then I came across this:
> "support keystone v3 api and session based authentication "
> https://bugs.launchpad.net/python-congressclient/+bug/1564361
> This is currently assigned to Anusha.
> I'd like to start work on it since I am becoming familiar with keystone v3.
>
> Thoughts?
>
> aimee
>
>
>
>
> On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick
>  wrote:
> > Thanks Anusha! I will retest this today. I guess I need to learn more
> > about Horizon as well - thanks for pointing me in the right direction.
> >
> > aimee
> >
> >
> >
> > On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni 
> wrote:
> >> Hi Aimee,
> >>
> >> I think devstack by default configured horizon to use v3 .
> >> For V2 authentication, from the logs , auth_url doesn't seem to be set
> >> explicitly to v2 auth_url .
> >>
> >> I have always set explicit v2 auth which worked fine.
> >> For eg:- auth_url = 'http://:5000/v2.0' , for V2
> authentication
> >>
> >> I have raised a patch, to take the auth_url from horizon settings
> instead of
> >> from request.
> >> https://review.openstack.org/#/c/345828/1
> >>
> >> Please set explict v2 auth_url as mentioned above in
> OPENSTACK_KESYTONE_URL
> >> in /openstack_dashboard/local/local_settings.py and restart
> apache2
> >> server . Then v2 authentication should go through fine.
> >>
> >> For v3 , need to add relevant code for v3 authentication in
> contrib/horizon
> >> as presently it is hardcoded to use only v2. but yes, the code from
> plugin
> >> model patch is still a WIP , so doesn't work for v3 authentication I
> guess
> >> I'll have a look at it and let you know .
> >>
> >>
> >> Best Regards,
> >> Anusha
> >>
> >> On 21 July 2016 at 21:56, Tim Hinrichs  wrote:
> >>>
> >>> So clearly an authentication problem then.
> >>>
> >>> Anusha, do you have any ideas?  (Aimee, I think Anusha has worked with
> >>> Keystone authentication most recently, so she's your best bet.)
> >>>
> >>> Tim
> >>>
> >>> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick
> >>>  wrote:
> 
>  The  Policy/Data Sources web page throws the same errors. I am
>  planning to recheck direct API calls using v3 auth today or tomorrow.
> 
>  aimee
> 
>  On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs  wrote:
>  > Hi Aimee,
>  >
>  > Do the other APIs work?  That is, is it a general problem
>  > authenticating, or
>  > is the problem limited to list_policies?
>  >
>  > Tim
>  >
>  > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick
>  > 
>  > wrote:
>  >>
>  >> Hi all,
>  >>
>  >> I've been working on Policy UI (Horizon): Unable to get policies
>  >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
>  >> for the past 3 days. Anusha is correct - it's an authentication
>  >> problem, but I have not been able to fix it.
>  >>
>  >> I grabbed the relevant code in congress.py from Anusha's horizon
>  >> plugin model patchset (https://review.openstack.org/#/c/305063/3)
> and
>  >> added try/catch blocks, logging statements (with error because I
>  >> haven't figured out how to set the horizon log level).
>  >>
>  >>
>  >> I am testing the code on devstack, which I cloned on 19 July 2016.
>  >>
>  >> With both v2 and v3 auth, congressclient.v1.client is created.
>  >> The failure happens trying to call
>  >> congressclient.v1.client.Client.list_policies().
>  >> When using v2 auth, the error message is "Unable to get policies
> list:
>  >> The resource could not be found"
>  >> When using v3 auth, the error message is "Cannot authorize API
> client"
>  >>
>  >> I am assuming that congressclient.v1.client.Client is
>  >>
>  >>
>  >>
> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
>  >> and that

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

2016-07-22 Thread Aimee Ukasick 
All - I made the change to the auth_url that  Anusha suggested.
Same problem as before " Cannot authorize API client"
2016-07-22 14:13:50.835861 * calling policies_list =
client.list_policy()*
2016-07-22 14:13:50.836062 Unable to get policies list: Cannot
authorize API client.

I used the token from the log output to query the Congress API with
the keystone v3 token - no issues.
curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H
"Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies;

So I really think the problem is that the python-congressclient
doesn't support identity v3.
I thought it did, but then I came across this:
"support keystone v3 api and session based authentication "
https://bugs.launchpad.net/python-congressclient/+bug/1564361
This is currently assigned to Anusha.
I'd like to start work on it since I am becoming familiar with keystone v3.

Thoughts?

aimee




On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick
 wrote:
> Thanks Anusha! I will retest this today. I guess I need to learn more
> about Horizon as well - thanks for pointing me in the right direction.
>
> aimee
>
>
>
> On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni  
> wrote:
>> Hi Aimee,
>>
>> I think devstack by default configured horizon to use v3 .
>> For V2 authentication, from the logs , auth_url doesn't seem to be set
>> explicitly to v2 auth_url .
>>
>> I have always set explicit v2 auth which worked fine.
>> For eg:- auth_url = 'http://:5000/v2.0' , for V2 authentication
>>
>> I have raised a patch, to take the auth_url from horizon settings instead of
>> from request.
>> https://review.openstack.org/#/c/345828/1
>>
>> Please set explict v2 auth_url as mentioned above in OPENSTACK_KESYTONE_URL
>> in /openstack_dashboard/local/local_settings.py and restart apache2
>> server . Then v2 authentication should go through fine.
>>
>> For v3 , need to add relevant code for v3 authentication in contrib/horizon
>> as presently it is hardcoded to use only v2. but yes, the code from plugin
>> model patch is still a WIP , so doesn't work for v3 authentication I guess
>> I'll have a look at it and let you know .
>>
>>
>> Best Regards,
>> Anusha
>>
>> On 21 July 2016 at 21:56, Tim Hinrichs  wrote:
>>>
>>> So clearly an authentication problem then.
>>>
>>> Anusha, do you have any ideas?  (Aimee, I think Anusha has worked with
>>> Keystone authentication most recently, so she's your best bet.)
>>>
>>> Tim
>>>
>>> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick
>>>  wrote:

 The  Policy/Data Sources web page throws the same errors. I am
 planning to recheck direct API calls using v3 auth today or tomorrow.

 aimee

 On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs  wrote:
 > Hi Aimee,
 >
 > Do the other APIs work?  That is, is it a general problem
 > authenticating, or
 > is the problem limited to list_policies?
 >
 > Tim
 >
 > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick
 > 
 > wrote:
 >>
 >> Hi all,
 >>
 >> I've been working on Policy UI (Horizon): Unable to get policies
 >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
 >> for the past 3 days. Anusha is correct - it's an authentication
 >> problem, but I have not been able to fix it.
 >>
 >> I grabbed the relevant code in congress.py from Anusha's horizon
 >> plugin model patchset (https://review.openstack.org/#/c/305063/3) and
 >> added try/catch blocks, logging statements (with error because I
 >> haven't figured out how to set the horizon log level).
 >>
 >>
 >> I am testing the code on devstack, which I cloned on 19 July 2016.
 >>
 >> With both v2 and v3 auth, congressclient.v1.client is created.
 >> The failure happens trying to call
 >> congressclient.v1.client.Client.list_policies().
 >> When using v2 auth, the error message is "Unable to get policies list:
 >> The resource could not be found"
 >> When using v3 auth, the error message is "Cannot authorize API client"
 >>
 >> I am assuming that congressclient.v1.client.Client is
 >>
 >>
 >> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
 >> and that client.list_policy() calls list_policy()in the
 >> python-congressclient
 >> which in turn calls the Congress API. Is this correct?
 >>
 >> Any ideas why with v3 auth, the python-congressclient cannot authorize
 >> the
 >> call to the API?
 >>
 >> I looked at other horizon plugin models (ceilometer, neutron, nova,
 >> cerberus, cloudkitty, trove, designate, manila) to see how they
 >> created
 >> the client. While the code to create a client is not identical,
 >> it is vastly different from the code to create a client
 >>

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

2016-07-22 Thread Aimee Ukasick 
Thanks Anusha! I will retest this today. I guess I need to learn more
about Horizon as well - thanks for pointing me in the right direction.

aimee



On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni  wrote:
> Hi Aimee,
>
> I think devstack by default configured horizon to use v3 .
> For V2 authentication, from the logs , auth_url doesn't seem to be set
> explicitly to v2 auth_url .
>
> I have always set explicit v2 auth which worked fine.
> For eg:- auth_url = 'http://:5000/v2.0' , for V2 authentication
>
> I have raised a patch, to take the auth_url from horizon settings instead of
> from request.
> https://review.openstack.org/#/c/345828/1
>
> Please set explict v2 auth_url as mentioned above in OPENSTACK_KESYTONE_URL
> in /openstack_dashboard/local/local_settings.py and restart apache2
> server . Then v2 authentication should go through fine.
>
> For v3 , need to add relevant code for v3 authentication in contrib/horizon
> as presently it is hardcoded to use only v2. but yes, the code from plugin
> model patch is still a WIP , so doesn't work for v3 authentication I guess
> I'll have a look at it and let you know .
>
>
> Best Regards,
> Anusha
>
> On 21 July 2016 at 21:56, Tim Hinrichs  wrote:
>>
>> So clearly an authentication problem then.
>>
>> Anusha, do you have any ideas?  (Aimee, I think Anusha has worked with
>> Keystone authentication most recently, so she's your best bet.)
>>
>> Tim
>>
>> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick
>>  wrote:
>>>
>>> The  Policy/Data Sources web page throws the same errors. I am
>>> planning to recheck direct API calls using v3 auth today or tomorrow.
>>>
>>> aimee
>>>
>>> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs  wrote:
>>> > Hi Aimee,
>>> >
>>> > Do the other APIs work?  That is, is it a general problem
>>> > authenticating, or
>>> > is the problem limited to list_policies?
>>> >
>>> > Tim
>>> >
>>> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick
>>> > 
>>> > wrote:
>>> >>
>>> >> Hi all,
>>> >>
>>> >> I've been working on Policy UI (Horizon): Unable to get policies
>>> >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
>>> >> for the past 3 days. Anusha is correct - it's an authentication
>>> >> problem, but I have not been able to fix it.
>>> >>
>>> >> I grabbed the relevant code in congress.py from Anusha's horizon
>>> >> plugin model patchset (https://review.openstack.org/#/c/305063/3) and
>>> >> added try/catch blocks, logging statements (with error because I
>>> >> haven't figured out how to set the horizon log level).
>>> >>
>>> >>
>>> >> I am testing the code on devstack, which I cloned on 19 July 2016.
>>> >>
>>> >> With both v2 and v3 auth, congressclient.v1.client is created.
>>> >> The failure happens trying to call
>>> >> congressclient.v1.client.Client.list_policies().
>>> >> When using v2 auth, the error message is "Unable to get policies list:
>>> >> The resource could not be found"
>>> >> When using v3 auth, the error message is "Cannot authorize API client"
>>> >>
>>> >> I am assuming that congressclient.v1.client.Client is
>>> >>
>>> >>
>>> >> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
>>> >> and that client.list_policy() calls list_policy()in the
>>> >> python-congressclient
>>> >> which in turn calls the Congress API. Is this correct?
>>> >>
>>> >> Any ideas why with v3 auth, the python-congressclient cannot authorize
>>> >> the
>>> >> call to the API?
>>> >>
>>> >> I looked at other horizon plugin models (ceilometer, neutron, nova,
>>> >> cerberus, cloudkitty, trove, designate, manila) to see how they
>>> >> created
>>> >> the client. While the code to create a client is not identical,
>>> >> it is vastly different from the code to create a client
>>> >> in contrib/horizon/congress.py.
>>> >>
>>> >> Thanks in advance for any pointers.
>>> >>
>>> >> aimee
>>> >>
>>> >> Aimee Ukasick (aimeeu)
>>> >>
>>> >> v2 log:
>>> >> 2016-07-20 22:13:56.501455
>>> >> 2016-07-20 22:14:30.238233 * view.get_data calling policies =
>>> >> congress.policies_list(self.request) *
>>> >> 2016-07-20 22:14:30.238318 * self.request.path=
>>> >> /dashboard/admin/policies/
>>> >> 2016-07-20 22:14:30.238352 * congress.policies_list(request)
>>> >> BEGIN*
>>> >> 2016-07-20 22:14:30.238376 * calling client =
>>> >> congressclient(request)*
>>> >> 2016-07-20 22:14:30.238399 * congress.congressclient BEGIN*
>>> >> 2016-07-20 22:14:30.238454 * auth_url=
>>> >> http://192.168.56.103/identity
>>> >> 2016-07-20 22:14:30.238479 * calling get_keystone_session *
>>> >> 2016-07-20 22:14:30.238505 * congress.get_keystone_session BEGIN
>>> >> auth_url *http://192.168.56.103/identity
>>> >> 2016-07-20 22:14:30.238554 * path= /identity
>>> >> 2016-07-20 22:14:30.238578 * using V2 plugin to authenticate*
>>> >> 2016-07-20

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

2016-07-22 Thread Anusha Ramineni 
Hi Aimee,

I think devstack by default configured horizon to use v3 .
For V2 authentication, from the logs , auth_url doesn't seem to be set
explicitly to v2 auth_url .

I have always set explicit v2 auth which worked fine.
For eg:- auth_url = 'http://:5000/v2.0' , for V2 authentication

I have raised a patch, to take the auth_url from horizon settings instead
of from request.
https://review.openstack.org/#/c/345828/1

Please set explict v2 auth_url as mentioned above in OPENSTACK_KESYTONE_URL
 in /openstack_dashboard/local/local_settings.py and restart
apache2 server . Then v2 authentication should go through fine.

For v3 , need to add relevant code for v3 authentication in contrib/horizon
as presently it is hardcoded to use only v2. but yes, the code from plugin
model patch is still a WIP , so doesn't work for v3 authentication I guess
I'll have a look at it and let you know .


Best Regards,
Anusha

On 21 July 2016 at 21:56, Tim Hinrichs  wrote:

> So clearly an authentication problem then.
>
> Anusha, do you have any ideas?  (Aimee, I think Anusha has worked with
> Keystone authentication most recently, so she's your best bet.)
>
> Tim
>
> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick 
> wrote:
>
>> The  Policy/Data Sources web page throws the same errors. I am
>> planning to recheck direct API calls using v3 auth today or tomorrow.
>>
>> aimee
>>
>> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs  wrote:
>> > Hi Aimee,
>> >
>> > Do the other APIs work?  That is, is it a general problem
>> authenticating, or
>> > is the problem limited to list_policies?
>> >
>> > Tim
>> >
>> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick <
>> aimeeu.opensou...@gmail.com>
>> > wrote:
>> >>
>> >> Hi all,
>> >>
>> >> I've been working on Policy UI (Horizon): Unable to get policies
>> >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
>> >> for the past 3 days. Anusha is correct - it's an authentication
>> >> problem, but I have not been able to fix it.
>> >>
>> >> I grabbed the relevant code in congress.py from Anusha's horizon
>> >> plugin model patchset (https://review.openstack.org/#/c/305063/3) and
>> >> added try/catch blocks, logging statements (with error because I
>> >> haven't figured out how to set the horizon log level).
>> >>
>> >>
>> >> I am testing the code on devstack, which I cloned on 19 July 2016.
>> >>
>> >> With both v2 and v3 auth, congressclient.v1.client is created.
>> >> The failure happens trying to call
>> >> congressclient.v1.client.Client.list_policies().
>> >> When using v2 auth, the error message is "Unable to get policies list:
>> >> The resource could not be found"
>> >> When using v3 auth, the error message is "Cannot authorize API client"
>> >>
>> >> I am assuming that congressclient.v1.client.Client is
>> >>
>> >>
>> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
>> >> and that client.list_policy() calls list_policy()in the
>> >> python-congressclient
>> >> which in turn calls the Congress API. Is this correct?
>> >>
>> >> Any ideas why with v3 auth, the python-congressclient cannot authorize
>> the
>> >> call to the API?
>> >>
>> >> I looked at other horizon plugin models (ceilometer, neutron, nova,
>> >> cerberus, cloudkitty, trove, designate, manila) to see how they created
>> >> the client. While the code to create a client is not identical,
>> >> it is vastly different from the code to create a client
>> >> in contrib/horizon/congress.py.
>> >>
>> >> Thanks in advance for any pointers.
>> >>
>> >> aimee
>> >>
>> >> Aimee Ukasick (aimeeu)
>> >>
>> >> v2 log:
>> >> 2016-07-20 22:13:56.501455
>> >> 2016-07-20 22:14:30.238233 * view.get_data calling policies =
>> >> congress.policies_list(self.request) *
>> >> 2016-07-20 22:14:30.238318 * self.request.path=
>> >> /dashboard/admin/policies/
>> >> 2016-07-20 22:14:30.238352 * congress.policies_list(request)
>> >> BEGIN*
>> >> 2016-07-20 22:14:30.238376 * calling client =
>> >> congressclient(request)*
>> >> 2016-07-20 22:14:30.238399 * congress.congressclient BEGIN*
>> >> 2016-07-20 22:14:30.238454 * auth_url=
>> http://192.168.56.103/identity
>> >> 2016-07-20 22:14:30.238479 * calling get_keystone_session *
>> >> 2016-07-20 22:14:30.238505 * congress.get_keystone_session BEGIN
>> >> auth_url *http://192.168.56.103/identity
>> >> 2016-07-20 22:14:30.238554 * path= /identity
>> >> 2016-07-20 22:14:30.238578 * using V2 plugin to authenticate*
>> >> 2016-07-20 22:14:30.238630 * v2 auth.get_auth_state=
>> >> 2016-07-20 22:14:30.238656 None
>> >> 2016-07-20 22:14:30.238677 * finished using V2 plugin to
>> >> authenticate*
>> >> 2016-07-20 22:14:30.238698 * creating session with auth *
>> >> 2016-07-20 22:14:30.244407 * congress.get_keystone_session END*
>> >> 2016-07-20 22:14:30.244462 * regtion_name= RegionOne
>> >>

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

2016-07-21 Thread Tim Hinrichs 
So clearly an authentication problem then.

Anusha, do you have any ideas?  (Aimee, I think Anusha has worked with
Keystone authentication most recently, so she's your best bet.)

Tim

On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick 
wrote:

> The  Policy/Data Sources web page throws the same errors. I am
> planning to recheck direct API calls using v3 auth today or tomorrow.
>
> aimee
>
> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs  wrote:
> > Hi Aimee,
> >
> > Do the other APIs work?  That is, is it a general problem
> authenticating, or
> > is the problem limited to list_policies?
> >
> > Tim
> >
> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick <
> aimeeu.opensou...@gmail.com>
> > wrote:
> >>
> >> Hi all,
> >>
> >> I've been working on Policy UI (Horizon): Unable to get policies
> >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
> >> for the past 3 days. Anusha is correct - it's an authentication
> >> problem, but I have not been able to fix it.
> >>
> >> I grabbed the relevant code in congress.py from Anusha's horizon
> >> plugin model patchset (https://review.openstack.org/#/c/305063/3) and
> >> added try/catch blocks, logging statements (with error because I
> >> haven't figured out how to set the horizon log level).
> >>
> >>
> >> I am testing the code on devstack, which I cloned on 19 July 2016.
> >>
> >> With both v2 and v3 auth, congressclient.v1.client is created.
> >> The failure happens trying to call
> >> congressclient.v1.client.Client.list_policies().
> >> When using v2 auth, the error message is "Unable to get policies list:
> >> The resource could not be found"
> >> When using v3 auth, the error message is "Cannot authorize API client"
> >>
> >> I am assuming that congressclient.v1.client.Client is
> >>
> >>
> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
> >> and that client.list_policy() calls list_policy()in the
> >> python-congressclient
> >> which in turn calls the Congress API. Is this correct?
> >>
> >> Any ideas why with v3 auth, the python-congressclient cannot authorize
> the
> >> call to the API?
> >>
> >> I looked at other horizon plugin models (ceilometer, neutron, nova,
> >> cerberus, cloudkitty, trove, designate, manila) to see how they created
> >> the client. While the code to create a client is not identical,
> >> it is vastly different from the code to create a client
> >> in contrib/horizon/congress.py.
> >>
> >> Thanks in advance for any pointers.
> >>
> >> aimee
> >>
> >> Aimee Ukasick (aimeeu)
> >>
> >> v2 log:
> >> 2016-07-20 22:13:56.501455
> >> 2016-07-20 22:14:30.238233 * view.get_data calling policies =
> >> congress.policies_list(self.request) *
> >> 2016-07-20 22:14:30.238318 * self.request.path=
> >> /dashboard/admin/policies/
> >> 2016-07-20 22:14:30.238352 * congress.policies_list(request)
> >> BEGIN*
> >> 2016-07-20 22:14:30.238376 * calling client =
> >> congressclient(request)*
> >> 2016-07-20 22:14:30.238399 * congress.congressclient BEGIN*
> >> 2016-07-20 22:14:30.238454 * auth_url=
> http://192.168.56.103/identity
> >> 2016-07-20 22:14:30.238479 * calling get_keystone_session *
> >> 2016-07-20 22:14:30.238505 * congress.get_keystone_session BEGIN
> >> auth_url *http://192.168.56.103/identity
> >> 2016-07-20 22:14:30.238554 * path= /identity
> >> 2016-07-20 22:14:30.238578 * using V2 plugin to authenticate*
> >> 2016-07-20 22:14:30.238630 * v2 auth.get_auth_state=
> >> 2016-07-20 22:14:30.238656 None
> >> 2016-07-20 22:14:30.238677 * finished using V2 plugin to
> >> authenticate*
> >> 2016-07-20 22:14:30.238698 * creating session with auth *
> >> 2016-07-20 22:14:30.244407 * congress.get_keystone_session END*
> >> 2016-07-20 22:14:30.244462 * regtion_name= RegionOne
> >> 2016-07-20 22:14:30.244491 * calling
> congress_client.Client(**kwargs)
> >> 2016-07-20 22:14:30.247830 * congress.congressclient END*
> >> 2016-07-20 22:14:30.247902 * calling policies_list =
> >> client.list_policy()*
> >> 2016-07-20 22:14:30.248012 DEBUG:keystoneauth.identity.v2:Making
> >> authentication request to http://192.168.56.103/identity/tokens
> >> 2016-07-20 22:14:30.255023 DEBUG:keystoneauth.session:Request returned
> >> failure status: 404
> >> 2016-07-20 22:14:30.257546 Unable to get policies list: The resource
> >> could not be found.
> >>
> >>
> >> v3 log:
> >> 2016-07-20 22:09:22.912969
> >> 2016-07-20 22:09:31.907119 * view.get_data calling policies =
> >> congress.policies_list(self.request) *
> >> 2016-07-20 22:09:31.907973 * self.request.path=
> >> /dashboard/admin/policies/
> >> 2016-07-20 22:09:31.908122 * congress.policies_list(request)
> >> BEGIN*
> >> 2016-07-20 22:09:31.908250 * calling client =
> >> congressclient(request)*
> >> 2016-07-20 22:09:31.908386 * congress.congressclient BEGIN*
>

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

2016-07-21 Thread Aimee Ukasick 
The  Policy/Data Sources web page throws the same errors. I am
planning to recheck direct API calls using v3 auth today or tomorrow.

aimee

On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs  wrote:
> Hi Aimee,
>
> Do the other APIs work?  That is, is it a general problem authenticating, or
> is the problem limited to list_policies?
>
> Tim
>
> On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick 
> wrote:
>>
>> Hi all,
>>
>> I've been working on Policy UI (Horizon): Unable to get policies
>> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
>> for the past 3 days. Anusha is correct - it's an authentication
>> problem, but I have not been able to fix it.
>>
>> I grabbed the relevant code in congress.py from Anusha's horizon
>> plugin model patchset (https://review.openstack.org/#/c/305063/3) and
>> added try/catch blocks, logging statements (with error because I
>> haven't figured out how to set the horizon log level).
>>
>>
>> I am testing the code on devstack, which I cloned on 19 July 2016.
>>
>> With both v2 and v3 auth, congressclient.v1.client is created.
>> The failure happens trying to call
>> congressclient.v1.client.Client.list_policies().
>> When using v2 auth, the error message is "Unable to get policies list:
>> The resource could not be found"
>> When using v3 auth, the error message is "Cannot authorize API client"
>>
>> I am assuming that congressclient.v1.client.Client is
>>
>> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
>> and that client.list_policy() calls list_policy()in the
>> python-congressclient
>> which in turn calls the Congress API. Is this correct?
>>
>> Any ideas why with v3 auth, the python-congressclient cannot authorize the
>> call to the API?
>>
>> I looked at other horizon plugin models (ceilometer, neutron, nova,
>> cerberus, cloudkitty, trove, designate, manila) to see how they created
>> the client. While the code to create a client is not identical,
>> it is vastly different from the code to create a client
>> in contrib/horizon/congress.py.
>>
>> Thanks in advance for any pointers.
>>
>> aimee
>>
>> Aimee Ukasick (aimeeu)
>>
>> v2 log:
>> 2016-07-20 22:13:56.501455
>> 2016-07-20 22:14:30.238233 * view.get_data calling policies =
>> congress.policies_list(self.request) *
>> 2016-07-20 22:14:30.238318 * self.request.path=
>> /dashboard/admin/policies/
>> 2016-07-20 22:14:30.238352 * congress.policies_list(request)
>> BEGIN*
>> 2016-07-20 22:14:30.238376 * calling client =
>> congressclient(request)*
>> 2016-07-20 22:14:30.238399 * congress.congressclient BEGIN*
>> 2016-07-20 22:14:30.238454 * auth_url= http://192.168.56.103/identity
>> 2016-07-20 22:14:30.238479 * calling get_keystone_session *
>> 2016-07-20 22:14:30.238505 * congress.get_keystone_session BEGIN
>> auth_url *http://192.168.56.103/identity
>> 2016-07-20 22:14:30.238554 * path= /identity
>> 2016-07-20 22:14:30.238578 * using V2 plugin to authenticate*
>> 2016-07-20 22:14:30.238630 * v2 auth.get_auth_state=
>> 2016-07-20 22:14:30.238656 None
>> 2016-07-20 22:14:30.238677 * finished using V2 plugin to
>> authenticate*
>> 2016-07-20 22:14:30.238698 * creating session with auth *
>> 2016-07-20 22:14:30.244407 * congress.get_keystone_session END*
>> 2016-07-20 22:14:30.244462 * regtion_name= RegionOne
>> 2016-07-20 22:14:30.244491 * calling congress_client.Client(**kwargs)
>> 2016-07-20 22:14:30.247830 * congress.congressclient END*
>> 2016-07-20 22:14:30.247902 * calling policies_list =
>> client.list_policy()*
>> 2016-07-20 22:14:30.248012 DEBUG:keystoneauth.identity.v2:Making
>> authentication request to http://192.168.56.103/identity/tokens
>> 2016-07-20 22:14:30.255023 DEBUG:keystoneauth.session:Request returned
>> failure status: 404
>> 2016-07-20 22:14:30.257546 Unable to get policies list: The resource
>> could not be found.
>>
>>
>> v3 log:
>> 2016-07-20 22:09:22.912969
>> 2016-07-20 22:09:31.907119 * view.get_data calling policies =
>> congress.policies_list(self.request) *
>> 2016-07-20 22:09:31.907973 * self.request.path=
>> /dashboard/admin/policies/
>> 2016-07-20 22:09:31.908122 * congress.policies_list(request)
>> BEGIN*
>> 2016-07-20 22:09:31.908250 * calling client =
>> congressclient(request)*
>> 2016-07-20 22:09:31.908386 * congress.congressclient BEGIN*
>> 2016-07-20 22:09:31.909034 * auth_url= http://192.168.56.103/identity
>> 2016-07-20 22:09:31.909217 * calling get_keystone_session *
>> 2016-07-20 22:09:31.909356 * congress.get_keystone_session BEGIN
>> auth_url *http://192.168.56.103/identity
>> 2016-07-20 22:09:31.909527 * path= /identity
>> 2016-07-20 22:09:31.909795 * using V3 plugin to authenticate*
>> 2016-07-20 22:09:31.910042 auth_url=http://192.168.56.103/identity
>> 2016-07-20 22:09:31.910175

Re: [openstack-dev] [Congress] Congress horizon plugin - congressclient/congress API auth issue - help

2016-07-21 Thread Tim Hinrichs 
Hi Aimee,

Do the other APIs work?  That is, is it a general problem authenticating,
or is the problem limited to list_policies?

Tim

On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick 
wrote:

> Hi all,
>
> I've been working on Policy UI (Horizon): Unable to get policies
> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837)
> for the past 3 days. Anusha is correct - it's an authentication
> problem, but I have not been able to fix it.
>
> I grabbed the relevant code in congress.py from Anusha's horizon
> plugin model patchset (https://review.openstack.org/#/c/305063/3) and
> added try/catch blocks, logging statements (with error because I
> haven't figured out how to set the horizon log level).
>
>
> I am testing the code on devstack, which I cloned on 19 July 2016.
>
> With both v2 and v3 auth, congressclient.v1.client is created.
> The failure happens trying to call
> congressclient.v1.client.Client.list_policies().
> When using v2 auth, the error message is "Unable to get policies list:
> The resource could not be found"
> When using v3 auth, the error message is "Cannot authorize API client"
>
> I am assuming that congressclient.v1.client.Client is
>
> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py
> and that client.list_policy() calls list_policy()in the
> python-congressclient
> which in turn calls the Congress API. Is this correct?
>
> Any ideas why with v3 auth, the python-congressclient cannot authorize the
> call to the API?
>
> I looked at other horizon plugin models (ceilometer, neutron, nova,
> cerberus, cloudkitty, trove, designate, manila) to see how they created
> the client. While the code to create a client is not identical,
> it is vastly different from the code to create a client
> in contrib/horizon/congress.py.
>
> Thanks in advance for any pointers.
>
> aimee
>
> Aimee Ukasick (aimeeu)
>
> v2 log:
> 2016-07-20 22:13:56.501455
> 2016-07-20 22:14:30.238233 * view.get_data calling policies =
> congress.policies_list(self.request) *
> 2016-07-20 22:14:30.238318 * self.request.path=
> /dashboard/admin/policies/
> 2016-07-20 22:14:30.238352 * congress.policies_list(request) BEGIN*
> 2016-07-20 22:14:30.238376 * calling client =
> congressclient(request)*
> 2016-07-20 22:14:30.238399 * congress.congressclient BEGIN*
> 2016-07-20 22:14:30.238454 * auth_url= http://192.168.56.103/identity
> 2016-07-20  22:14:30.238479
> * calling get_keystone_session *
> 2016-07-20 22:14:30.238505 * congress.get_keystone_session BEGIN
> auth_url *http://192.168.56.103/identity
> 2016-07-20 22:14:30.238554 * path= /identity
> 2016-07-20 22:14:30.238578 * using V2 plugin to authenticate*
> 2016-07-20 22:14:30.238630 * v2 auth.get_auth_state=
> 2016-07-20 22:14:30.238656 None
> 2016-07-20 22:14:30.238677 * finished using V2 plugin to
> authenticate*
> 2016-07-20 22:14:30.238698 * creating session with auth *
> 2016-07-20 22:14:30.244407 * congress.get_keystone_session END*
> 2016-07-20 22:14:30.244462 * regtion_name= RegionOne
> 2016-07-20 22:14:30.244491 * calling congress_client.Client(**kwargs)
> 2016-07-20 22:14:30.247830 * congress.congressclient END*
> 2016-07-20 22:14:30.247902 * calling policies_list =
> client.list_policy()*
> 2016-07-20 22:14:30.248012 DEBUG:keystoneauth.identity.v2:Making
> authentication request to http://192.168.56.103/identity/tokens
> 2016-07-20 22:14:30.255023 DEBUG:keystoneauth.session:Request returned
> failure status: 404
> 2016-07-20 22:14:30.257546 Unable to get policies list: The resource
> could not be found.
>
>
> v3 log:
> 2016-07-20 22:09:22.912969
> 2016-07-20 22:09:31.907119 * view.get_data calling policies =
> congress.policies_list(self.request) *
> 2016-07-20 22:09:31.907973 * self.request.path=
> /dashboard/admin/policies/
> 2016-07-20 22:09:31.908122 * congress.policies_list(request) BEGIN*
> 2016-07-20 22:09:31.908250 * calling client =
> congressclient(request)*
> 2016-07-20 22:09:31.908386 * congress.congressclient BEGIN*
> 2016-07-20 22:09:31.909034 * auth_url= http://192.168.56.103/identity
> 2016-07-20  22:09:31.909217
> * calling get_keystone_session *
> 2016-07-20 22:09:31.909356 * congress.get_keystone_session BEGIN
> auth_url *http://192.168.56.103/identity
> 2016-07-20 22:09:31.909527 * path= /identity
> 2016-07-20 22:09:31.909795 * using V3 plugin to authenticate*
> 2016-07-20 22:09:31.910042 auth_url=http://192.168.56.103/identity
> 2016-07-20  22:09:31.910175
> token=d46339f2d0b5455db54909d6ed95a9cc
> 2016-07-20 22:09:31.910301 project_name=alt_demo
> 2016-07-20 22:09:31.910426 domain_name=Default
> 2016-07-20 22:09:31.910676 project_domain_name=default
>