Re: [openstack-dev] [horizon] [keystone] [federated auth] [ocata] federated users with "admin" role not authorized for nova, cinder, neutron admin panels

2017-03-21 Thread Boris Bobrov
Hi,

Oh wow, for some reason my message was not sent to the list.

On 03/20/2017 09:03 PM, Evan Bollig PhD wrote:
> Hey Boris,
> 
> Any updates on this?
> 
> Cheers,
> -E
> --
> Evan F. Bollig, PhD
> Scientific Computing Consultant, Application Developer | Scientific
> Computing Solutions (SCS)
> Minnesota Supercomputing Institute | msi.umn.edu
> University of Minnesota | umn.edu
> boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556
> 
> 
> On Thu, Mar 9, 2017 at 4:08 PM, Evan Bollig PhD wrote:
>> Hey Boris,
>>
>> Which mapping? Hope you were looking for the shibboleth user
>> mapping. Also, hope this is the right way to share the paste (first
>> time using this):
>> http://paste.openstack.org/show/3snCb31GRZfAuQxdRouy/

This is probably part of bug
https://bugs.launchpad.net/keystone/+bug/1589993 . I am not 100% sure
though. Could you please file a new bug report?

As for now, you could try doing auto-provisioning using new capabilities
from Ocata:
https://docs.openstack.org/developer/keystone/federation/mapping_combinations.html#auto-provisioning

>> Cheers,
>> -E
>> --
>> Evan F. Bollig, PhD
>> Scientific Computing Consultant, Application Developer | Scientific
>> Computing Solutions (SCS)
>> Minnesota Supercomputing Institute | msi.umn.edu
>> University of Minnesota | umn.edu
>> boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556
>>
>>
>> On Thu, Mar 9, 2017 at 7:50 AM, Boris Bobrov wrote:
>>> Hi,
>>>
>>> Please paste your mapping to paste.openstack.org
>>>
>>> On 03/09/2017 02:07 AM, Evan Bollig PhD wrote:
>>>> I am on Ocata with Shibboleth auth enabled. I noticed that Federated
>>>> users with the admin role no longer have authorization to use the
>>>> Admin** panels in Horizon related to Nova, Cinder and Neutron. All
>>>> regular Identity and Project tabs function, and there are no problems
>>>> with authorization for local admin users.
>>>>
>>>> -
>>>> These Admin tabs work: Hypervisors, Host Aggregates, Flavors, Images,
>>>> Defaults, Metadata, System Information
>>>>
>>>> These result in logout: Instances, Volumes, Networks, Routers, Floating IPs
>>>>
>>>> This is not present: Overview
>>>> -
>>>>
>>>> The policies are vanilla from the CentOS/RDO openstack-dashboard RPMs:
>>>> openstack-dashboard-11.0.0-1.el7.noarch
>>>> python-django-horizon-11.0.0-1.el7.noarch
>>>> python2-keystonemiddleware-4.14.0-1.el7.noarch
>>>> python2-keystoneclient-3.10.0-1.el7.noarch
>>>> openstack-keystone-11.0.0-1.el7.noarch
>>>> python2-keystoneauth1-2.18.0-1.el7.noarch
>>>> python-keystone-11.0.0-1.el7.noarch
>>>>
>>>> The errors I see in logs are similar to:
>>>>
>>>> ==> /var/log/horizon/horizon.log <==
>>>> 2017-03-07 18:24:54,961 13745 ERROR horizon.exceptions Unauthorized:
>>>> Traceback (most recent call last):
>>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/floating_ips/views.py", line 53, in get_tenant_list
>>>>     tenants, has_more = api.keystone.tenant_list(request)
>>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 351, in tenant_list
>>>>     manager = VERSIONS.get_project_manager(request, admin=admin)
>>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 61, in get_project_manager
>>>>     manager = keystoneclient(*args, **kwargs).projects
>>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 170, in keystoneclient
>>>>     raise exceptions.NotAuthorized
>>>> NotAuthorized
>>>>
>>>> Cheers,
>>>> -E
>>>> --
>>>> Evan F. Bollig, PhD
>>>> Scientific Computing Consultant, Application Developer | Scientific
>>>> Computing Solutions (SCS)
>>>> Minnesota Supercomputing Institute | msi.umn.edu
>>>> University of Minnesota | umn.edu
>>>> boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556
>>>>
>>>> __
>>>> OpenStack Development Mailing List (not for usage questions)
>>>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

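
The auto-provisioning mappings Boris links to put the role assignments in the mapping itself, under a `projects` key in `local`, rather than deriving them from group membership. As an added example (not from the thread and not the poster's paste), this checks which of the two forms each rule of a mapping uses; the sample mapping and every attribute, group, project and role name in it are constructed placeholders.

```python
import json

# Constructed sample (not the poster's paste): rule 0 relies on group
# membership, rule 1 uses the Ocata "projects" auto-provisioning form.
# Attribute, group, project and role names are placeholders.
SAMPLE_MAPPING = json.loads("""
{"rules": [
  {"local": [{"user": {"name": "{0}"}},
             {"group": {"id": "GROUP_ID_PLACEHOLDER"}}],
   "remote": [{"type": "REMOTE_USER"},
              {"type": "affiliation", "any_one_of": ["staff"]}]},
  {"local": [{"user": {"name": "{0}"}},
             {"projects": [
               {"name": "ops", "roles": [{"name": "admin"}]},
               {"name": "research",
                "roles": [{"name": "member"}, {"name": "observer"}]}]}],
   "remote": [{"type": "REMOTE_USER"},
              {"type": "affiliation", "any_one_of": ["cloud-admin"]}]}
]}
""")


def summarize_rule(rule):
    """Classify how one mapping rule hands out access."""
    groups, projects = [], {}
    for entry in rule.get("local", []):
        if "group" in entry:                       # single group, by id or name
            group = entry["group"]
            groups.append(group.get("id") or group.get("name"))
        if "groups" in entry:                      # list taken from a remote attribute
            groups.append(entry["groups"])
        for project in entry.get("projects", []):  # auto-provisioned projects
            roles = [r["name"] for r in project.get("roles", [])]
            projects.setdefault(project["name"], []).extend(roles)
    if groups and projects:
        kind = "mixed"
    elif projects:
        kind = "auto-provisioning"
    elif groups:
        kind = "group-based"
    else:
        kind = "no-assignment"
    return {"kind": kind, "groups": groups, "projects": projects}


def summarize_mapping(mapping):
    """Summarize every rule, in order."""
    return [summarize_rule(rule) for rule in mapping.get("rules", [])]


def projects_granting(mapping, role):
    """Projects on which some rule auto-provisions `role`."""
    return sorted({name
                   for summary in summarize_mapping(mapping)
                   for name, roles in summary["projects"].items()
                   if role in roles})


if __name__ == "__main__":
    for index, summary in enumerate(summarize_mapping(SAMPLE_MAPPING)):
        print(index, summary)
    print("admin auto-provisioned on:", projects_granting(SAMPLE_MAPPING, "admin"))
```
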


Re: [openstack-dev] [horizon] [keystone] [federated auth] [ocata] federated users with "admin" role not authorized for nova, cinder, neutron admin panels

2017-03-20 Thread Evan Bollig PhD
Hey Boris,

Any updates on this?

Cheers,
-E
--
Evan F. Bollig, PhD
Scientific Computing Consultant, Application Developer | Scientific
Computing Solutions (SCS)
Minnesota Supercomputing Institute | msi.umn.edu
University of Minnesota | umn.edu
boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556


On Thu, Mar 9, 2017 at 4:08 PM, Evan Bollig PhD wrote:
> Hey Boris,
>
> Which mapping? Hope you were looking for the shibboleth user
> mapping. Also, hope this is the right way to share the paste (first
> time using this):
> http://paste.openstack.org/show/3snCb31GRZfAuQxdRouy/
>
> Cheers,
> -E
> --
> Evan F. Bollig, PhD
> Scientific Computing Consultant, Application Developer | Scientific
> Computing Solutions (SCS)
> Minnesota Supercomputing Institute | msi.umn.edu
> University of Minnesota | umn.edu
> boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556
>
>
> On Thu, Mar 9, 2017 at 7:50 AM, Boris Bobrov wrote:
>> Hi,
>>
>> Please paste your mapping to paste.openstack.org
>>
>> On 03/09/2017 02:07 AM, Evan Bollig PhD wrote:
>>> I am on Ocata with Shibboleth auth enabled. I noticed that Federated
>>> users with the admin role no longer have authorization to use the
>>> Admin** panels in Horizon related to Nova, Cinder and Neutron. All
>>> regular Identity and Project tabs function, and there are no problems
>>> with authorization for local admin users.
>>>
>>> -
>>> These Admin tabs work: Hypervisors, Host Aggregates, Flavors, Images,
>>> Defaults, Metadata, System Information
>>>
>>> These result in logout: Instances, Volumes, Networks, Routers, Floating IPs
>>>
>>> This is not present: Overview
>>> -
>>>
>>> The policies are vanilla from the CentOS/RDO openstack-dashboard RPMs:
>>> openstack-dashboard-11.0.0-1.el7.noarch
>>> python-django-horizon-11.0.0-1.el7.noarch
>>> python2-keystonemiddleware-4.14.0-1.el7.noarch
>>> python2-keystoneclient-3.10.0-1.el7.noarch
>>> openstack-keystone-11.0.0-1.el7.noarch
>>> python2-keystoneauth1-2.18.0-1.el7.noarch
>>> python-keystone-11.0.0-1.el7.noarch
>>>
>>> The errors I see in logs are similar to:
>>>
>>> ==> /var/log/horizon/horizon.log <==
>>> 2017-03-07 18:24:54,961 13745 ERROR horizon.exceptions Unauthorized:
>>> Traceback (most recent call last):
>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/floating_ips/views.py", line 53, in get_tenant_list
>>>     tenants, has_more = api.keystone.tenant_list(request)
>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 351, in tenant_list
>>>     manager = VERSIONS.get_project_manager(request, admin=admin)
>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 61, in get_project_manager
>>>     manager = keystoneclient(*args, **kwargs).projects
>>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 170, in keystoneclient
>>>     raise exceptions.NotAuthorized
>>> NotAuthorized
>>>
>>> Cheers,
>>> -E
>>> --
>>> Evan F. Bollig, PhD
>>> Scientific Computing Consultant, Application Developer | Scientific
>>> Computing Solutions (SCS)
>>> Minnesota Supercomputing Institute | msi.umn.edu
>>> University of Minnesota | umn.edu
>>> boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556


Re: [openstack-dev] [horizon] [keystone] [federated auth] [ocata] federated users with "admin" role not authorized for nova, cinder, neutron admin panels

2017-03-09 Thread Evan Bollig PhD
Hey Boris,

Which mapping? Hope you were looking for the shibboleth user
mapping. Also, hope this is the right way to share the paste (first
time using this):
http://paste.openstack.org/show/3snCb31GRZfAuQxdRouy/

Cheers,
-E
--
Evan F. Bollig, PhD
Scientific Computing Consultant, Application Developer | Scientific
Computing Solutions (SCS)
Minnesota Supercomputing Institute | msi.umn.edu
University of Minnesota | umn.edu
boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556


On Thu, Mar 9, 2017 at 7:50 AM, Boris Bobrov wrote:
> Hi,
>
> Please paste your mapping to paste.openstack.org
>
> On 03/09/2017 02:07 AM, Evan Bollig PhD wrote:
>> I am on Ocata with Shibboleth auth enabled. I noticed that Federated
>> users with the admin role no longer have authorization to use the
>> Admin** panels in Horizon related to Nova, Cinder and Neutron. All
>> regular Identity and Project tabs function, and there are no problems
>> with authorization for local admin users.
>>
>> -
>> These Admin tabs work: Hypervisors, Host Aggregates, Flavors, Images,
>> Defaults, Metadata, System Information
>>
>> These result in logout: Instances, Volumes, Networks, Routers, Floating IPs
>>
>> This is not present: Overview
>> -
>>
>> The policies are vanilla from the CentOS/RDO openstack-dashboard RPMs:
>> openstack-dashboard-11.0.0-1.el7.noarch
>> python-django-horizon-11.0.0-1.el7.noarch
>> python2-keystonemiddleware-4.14.0-1.el7.noarch
>> python2-keystoneclient-3.10.0-1.el7.noarch
>> openstack-keystone-11.0.0-1.el7.noarch
>> python2-keystoneauth1-2.18.0-1.el7.noarch
>> python-keystone-11.0.0-1.el7.noarch
>>
>> The errors I see in logs are similar to:
>>
>> ==> /var/log/horizon/horizon.log <==
>> 2017-03-07 18:24:54,961 13745 ERROR horizon.exceptions Unauthorized:
>> Traceback (most recent call last):
>>   File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/floating_ips/views.py", line 53, in get_tenant_list
>>     tenants, has_more = api.keystone.tenant_list(request)
>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 351, in tenant_list
>>     manager = VERSIONS.get_project_manager(request, admin=admin)
>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 61, in get_project_manager
>>     manager = keystoneclient(*args, **kwargs).projects
>>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 170, in keystoneclient
>>     raise exceptions.NotAuthorized
>> NotAuthorized
>>
>> Cheers,
>> -E
>> --
>> Evan F. Bollig, PhD
>> Scientific Computing Consultant, Application Developer | Scientific
>> Computing Solutions (SCS)
>> Minnesota Supercomputing Institute | msi.umn.edu
>> University of Minnesota | umn.edu
>> boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556


Re: [openstack-dev] [horizon] [keystone] [federated auth] [ocata] federated users with "admin" role not authorized for nova, cinder, neutron admin panels

2017-03-09 Thread Boris Bobrov
Hi,

Please paste your mapping to paste.openstack.org

On 03/09/2017 02:07 AM, Evan Bollig PhD wrote:
> I am on Ocata with Shibboleth auth enabled. I noticed that Federated
> users with the admin role no longer have authorization to use the
> Admin** panels in Horizon related to Nova, Cinder and Neutron. All
> regular Identity and Project tabs function, and there are no problems
> with authorization for local admin users.
> 
> -
> These Admin tabs work: Hypervisors, Host Aggregates, Flavors, Images,
> Defaults, Metadata, System Information
> 
> These result in logout: Instances, Volumes, Networks, Routers, Floating IPs
> 
> This is not present: Overview
> -
> 
> The policies are vanilla from the CentOS/RDO openstack-dashboard RPMs:
> openstack-dashboard-11.0.0-1.el7.noarch
> python-django-horizon-11.0.0-1.el7.noarch
> python2-keystonemiddleware-4.14.0-1.el7.noarch
> python2-keystoneclient-3.10.0-1.el7.noarch
> openstack-keystone-11.0.0-1.el7.noarch
> python2-keystoneauth1-2.18.0-1.el7.noarch
> python-keystone-11.0.0-1.el7.noarch
> 
> The errors I see in logs are similar to:
> 
> ==> /var/log/horizon/horizon.log <==
> 2017-03-07 18:24:54,961 13745 ERROR horizon.exceptions Unauthorized:
> Traceback (most recent call last):
>   File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/floating_ips/views.py", line 53, in get_tenant_list
>     tenants, has_more = api.keystone.tenant_list(request)
>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 351, in tenant_list
>     manager = VERSIONS.get_project_manager(request, admin=admin)
>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 61, in get_project_manager
>     manager = keystoneclient(*args, **kwargs).projects
>   File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 170, in keystoneclient
>     raise exceptions.NotAuthorized
> NotAuthorized
> 
> Cheers,
> -E
> --
> Evan F. Bollig, PhD
> Scientific Computing Consultant, Application Developer | Scientific
> Computing Solutions (SCS)
> Minnesota Supercomputing Institute | msi.umn.edu
> University of Minnesota | umn.edu
> boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556