Re: [openstack-dev] [Openstack] [Horizon][Keystone] Failed to set up keystone v3 api for horizon

2015-03-12 Thread Trelohan Christophe
Hello,

Is the user_id substituted in the cloud_admin rule the id of the cloud_admin user?
I don't think you can log in with the cloud_admin user in Horizon; it seems that
without a project created for a user, you can't log in to Horizon.

I'm also interested in this. I also followed the mentioned article, but when I
try to log in with the admin user in the default domain, I get the same error
(not authorized to list_projects), both with Horizon and the REST API.




From: Lei Zhang [mailto:zhang.lei@gmail.com]
Sent: Thursday 12 March 2015 03:33
To: openstack; OpenStack Development Mailing List
Subject: [Openstack] [Horizon][Keystone] Failed to set up keystone v3 api for
horizon

Has anyone tried this successfully?

On Mon, Mar 9, 2015 at 4:25 PM, Lei Zhang zhang.lei@gmail.com wrote:
Hi guys,

I am setting up the Keystone v3 API. Now I have run into an issue with the
`cloud_admin` policy.

Based on the http://www.florentflament.com/blog/setting-keystone-v3-domains.html
article, I modified the cloud_admin policy to

```
"cloud_admin": "rule:admin_required and domain_id:ef0d30167f744401a0cbfcc938ea7d63",
```

But cloud_admin doesn't work as expected. I cannot open any of the identity
panels (like http://host/horizon/identity/domains/).
Horizon tells me "Error: Unable to retrieve project list."
And the Keystone log warns:

```
2015-03-09 16:00:06.423 9415 DEBUG keystone.policy.backends.rules [-] enforce 
identity:list_user_projects: {'is_delegated_auth': False, 'access_token_id': 
None, 'user_id': u'6433222efd78459bb70ad9adbcfac418', 'roles': [u'_member_', 
u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 
'token': KeystoneToken (audit_id=DWsSa6yYSWi0ht9E7q4uhw, 
audit_chain_id=w_zLBBeFQ82KevtJrdKIJw) at 0x7f4503fab3c8, 'project_id': 
u'4d170baaa89b4e46b239249eb5ec6b00', 'trust_id': None}, enforce 
/usr/lib/python2.7/dist-packages/keystone/policy/backends/rules.py:100
2015-03-09 16:00:06.061 9410 WARNING keystone.common.wsgi [-] You are not 
authorized to perform the requested action: identity:list_projects (Disable 
debug mode to suppress these details.) 
```

I did some debugging and found that the root cause is that the `context`
variable in Keystone has no `domain_id` field (as in the Keystone log above), so
the `cloud_admin` rule fails. If I change `cloud_admin` to the following, it
works as expected.

```
"cloud_admin": "rule:admin_required and user_id:6433222efd78459bb70ad9adbcfac418",
```

I found that in the Keystone code[0], the domain_id only exists when the token
is domain scoped. But I believe that the Horizon login token is a project-scoped
one (I am not very sure of this).

```
    # excerpt from keystone/common/authorization.py [0]: only a domain-scoped
    # token puts domain_id into the auth_context used by policy checks
    if token.project_scoped:
        auth_context['project_id'] = token.project_id
    elif token.domain_scoped:
        auth_context['domain_id'] = token.domain_id
    else:
        LOG.debug('RBAC: Proceeding without project or domain scope')
```

Is it a bug, or some wrong configuration?


Following is my configuration.


```
# /etc/keystone/keystone.conf
[DEFAULT]
debug=true
verbose=true
log_dir=/var/log/keystone
[assignment]
driver = keystone.assignment.backends.sql.Assignment 
[database]
connection=mysql://:@controller/keystone
[identity]
driver=keystone.identity.backends.sql.Identity
[memcache]
servers=controller1:11211,controller2:11211,controller3:1121
[token]
provider=keystone.token.providers.uuid.Provider
```

```
# /etc/openstack-dashboard/local_settings.py (partly)
POLICY_FILES_PATH = '/etc/openstack-dashboard/'
POLICY_FILES = {
    'identity': 'keystone_policy.json',
}
OPENSTACK_HOST = '127.0.0.1'
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_DEFAULT_ROLE = '_member_'
OPENSTACK_API_VERSIONS = {
    'data_processing': 1.1,
    'identity': 3,
    'volume': 2
}
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'admin'
```

[0] https://github.com/openstack/keystone/blob/master/keystone/common/authorization.py#L58

-- 
Lei Zhang
Blog: http://xcodest.me
twitter/weibo: @jeffrey4l

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
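The failure Lei describes above (a `domain_id:<id>` check that can never match because a project-scoped token contributes no `domain_id` to the auth context) is easiest to see with a small model of the policy evaluation. The following is an added example, not Keystone's or oslo.policy's own code: it re-implements only the tiny rule grammar this thread uses (`rule:<name>`, `role:<name>`, generic `<key>:<value>` checks joined by `and`), mirrors the scoping branch quoted from `keystone/common/authorization.py`, and evaluates both the domain-based rule from the article and the user_id workaround against constructed project- and domain-scoped tokens. The `admin_required` rule is simplified to `role:admin`; the ids are the ones that appear in the thread.

```python
# Added example: simplified model of how Keystone's policy enforcement
# evaluates the cloud_admin rule against the auth_context built from a token.
# Not Keystone's or oslo.policy's own code; the grammar is deliberately minimal.

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Token:
    """Constructed stand-in for KeystoneToken (only the fields the check needs)."""
    user_id: str
    roles: List[str] = field(default_factory=list)
    project_id: Optional[str] = None
    domain_id: Optional[str] = None

    @property
    def project_scoped(self) -> bool:
        return self.project_id is not None

    @property
    def domain_scoped(self) -> bool:
        return self.project_id is None and self.domain_id is not None


def build_auth_context(token: Token) -> Dict[str, object]:
    """Mirror of the scoping logic quoted from keystone/common/authorization.py:
    a project-scoped token gets 'project_id', only a domain-scoped token gets
    'domain_id'. Nothing else in the context carries the domain."""
    ctx: Dict[str, object] = {'user_id': token.user_id, 'roles': list(token.roles)}
    if token.project_scoped:
        ctx['project_id'] = token.project_id
    elif token.domain_scoped:
        ctx['domain_id'] = token.domain_id
    return ctx


# Constructed policy: 'admin_required' is simplified to a plain role check.
POLICY = {
    'admin_required': 'role:admin',
    # rule from the article, with the domain id used in the thread
    'cloud_admin_by_domain': 'rule:admin_required and domain_id:ef0d30167f744401a0cbfcc938ea7d63',
    # the workaround from the thread: pin the rule to one user id
    'cloud_admin_by_user': 'rule:admin_required and user_id:6433222efd78459bb70ad9adbcfac418',
}


def check(expr: str, ctx: Dict[str, object], policy: Dict[str, str]) -> bool:
    """Evaluate one rule expression: every 'and'-joined term must hold."""
    for term in expr.split(' and '):
        kind, _, value = term.partition(':')
        if kind == 'rule':
            ok = check(policy[value], ctx, policy)
        elif kind == 'role':
            ok = value in ctx.get('roles', [])
        else:
            # Generic check: the auth_context must carry this key with this value.
            # A key that is absent (no domain_id on a project-scoped token) fails,
            # which is the behaviour behind the 'not authorized' warning in the log.
            ok = ctx.get(kind) == value
        if not ok:
            return False
    return True


def enforce(rule_name: str, token: Token, policy: Dict[str, str] = POLICY) -> bool:
    return check(policy[rule_name], build_auth_context(token), policy)


# Constructed tokens: what Horizon obtains on login (project scope) versus a
# domain-scoped token for the same admin user.
PROJECT_TOKEN = Token(user_id='6433222efd78459bb70ad9adbcfac418',
                      roles=['_member_', 'admin'],
                      project_id='4d170baaa89b4e46b239249eb5ec6b00')
DOMAIN_TOKEN = Token(user_id='6433222efd78459bb70ad9adbcfac418',
                     roles=['admin'],
                     domain_id='ef0d30167f744401a0cbfcc938ea7d63')
OTHER_DOMAIN_ADMIN = Token(user_id='constructed-other-user',
                           roles=['admin'],
                           domain_id='constructed-other-domain')


if __name__ == '__main__':
    for name, tok in (('project-scoped', PROJECT_TOKEN), ('domain-scoped', DOMAIN_TOKEN)):
        print(name, 'context:', build_auth_context(tok))
        print('  cloud_admin_by_domain ->', enforce('cloud_admin_by_domain', tok))
        print('  cloud_admin_by_user   ->', enforce('cloud_admin_by_user', tok))
    print('other domain admin, by_domain ->', enforce('cloud_admin_by_domain', OTHER_DOMAIN_ADMIN))
```

Running it shows the project-scoped token failing `cloud_admin_by_domain` (no `domain_id` in its context) while the same user's domain-scoped token passes, and `cloud_admin_by_user` passing for the project-scoped token because `user_id` is always present. The last line also shows the property the domain check is meant to give: an admin of a different domain is refused. The user_id workaround loses that property in a different way, since it hard-codes a single account into the policy file, so a domain-scoped token is the intended way to satisfy the article's rule.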


Re: [openstack-dev] [Openstack] [Horizon][Keystone] Failed to set up keystone v3 api for horizon

2015-03-12 Thread Lei Zhang
I created a project for the user admin (6433222efd78459bb70ad9adbcfac418).

The token Horizon is passing is a project-scoped token, so it cannot pass
the cloud_admin rule.
Changing the rule to the admin_id is a little trick, and it works.

On Thu, Mar 12, 2015 at 5:16 PM, Trelohan Christophe 
ctrelo...@voyages-sncf.com wrote:
-- 
Lei Zhang
Blog: http://xcodest.me
twitter/weibo: @jeffrey4l