Horizon throws unauthorized 403 error for cloud admin in domain setup

Bug #1414252 reported by Sumanth
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

I have a devstack running the following components:
1. keystone
2. heat
3. nova
4. horizon
5. cinder

For this OpenStack setup I wanted to enable the domain feature and define admin boundaries. To enable the domains, these changes were made:
1. Changed the token format from PKI to UUID
2. Added auth_version = v3.0 under the [auth_token:filter] section of the api-paste.ini files of all the services
3. Updated the endpoints to point to v3
4. Restarted all the services
5. Replaced the default keystone policy.json with policy.v3sample.json and set the admin_domain_id to default

In Horizon's local_settings.py file:
1. Set OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT to True
2. Updated the endpoint to point to localhost:5000/v3

After all these changes, when I try to log in to the default domain with admin credentials, I get "unable to retrieve domain list" and "unable to retrieve project list" errors in Horizon's dashboard.

Changed in keystone:
status: New → Confirmed
status: Confirmed → New
Changed in keystone:
status: New → Confirmed
Changed in keystone:
status: Confirmed → New
Lin Hua Cheng (lin-hua-cheng) wrote :

Have you set OPENSTACK_API_VERSIONS in the Horizon settings to v3?

OPENSTACK_API_VERSIONS = {
   "identity": 3,
}

Also, can you add the horizon and keystone logs?

Changed in keystone:
status: New → Incomplete
Damien BRIENS (dbriens) wrote :

I have the same problem...

In /opt/stack/horizon/openstack_dashboard/local/local_settings.py I have:

OPENSTACK_API_VERSIONS = {
    "identity": 3,
}
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
OPENSTACK_KEYSTONE_URL="http://10.0.2.15:5000/v3"

and the keystone log:
2015-06-01 17:20:28.478815 23842 DEBUG keystone.middleware.core [-] RBAC: auth_context: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'2c622ed8fd214d1eb93f7c1f32a8a297', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=N_npq13XRkqrSeRsfWIklw, audit_chain_id=Nre272pGR2OZMDeM32zGYg) at 0x7fa05223ce30>, 'project_id': u'9f76327906024506b2dc60645831fd2e', 'trust_id': None} process_request /opt/stack/keystone/keystone/middleware/core.py:240
2015-06-01 17:20:28.481652 23842 INFO keystone.common.wsgi [-] GET /domains
2015-06-01 17:20:28.481899 23842 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:list_domains() _build_policy_check_credentials /opt/stack/keystone/keystone/common/controller.py:57
2015-06-01 17:20:28.482039 23842 DEBUG keystone.common.controller [-] RBAC: using auth context from the request environment _build_policy_check_credentials /opt/stack/keystone/keystone/common/controller.py:62
2015-06-01 17:20:28.482264 23842 DEBUG keystone.common.controller [-] RBAC: Adding query filter params () wrapper /opt/stack/keystone/keystone/common/controller.py:189
2015-06-01 17:20:28.482476 23842 DEBUG keystone.policy.backends.rules [-] enforce identity:list_domains: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'2c622ed8fd214d1eb93f7c1f32a8a297', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=N_npq13XRkqrSeRsfWIklw, audit_chain_id=Nre272pGR2OZMDeM32zGYg) at 0x7fa05223ce30>, 'project_id': u'9f76327906024506b2dc60645831fd2e', 'trust_id': None} enforce /opt/stack/keystone/keystone/policy/backends/rules.py:76
2015-06-01 17:20:28.483649 23842 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action: identity:list_domains (Disable debug mode to suppress these details.)
9f76327906024506b2dc60645831fd2e2015-06-01 17:21:35.424607 23838 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /opt/stack/keystone/keystone/middleware/core.py:240
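
Added example, not part of the original bug thread: it parses the auth_context from the keystone DEBUG line quoted in the comment above and evaluates it against a cloud-admin rule. The rule (admin role plus a token domain_id equal to admin_domain_id) is assumed from keystone's v3 cloud sample policy of that period; the function names are hypothetical.

```python
import ast
import re

# Log line copied from the keystone log in the comment above.
LOG_LINE = (
    "2015-06-01 17:20:28.478815 23842 DEBUG keystone.middleware.core [-] "
    "RBAC: auth_context: {'is_delegated_auth': False, 'access_token_id': None, "
    "'user_id': u'2c622ed8fd214d1eb93f7c1f32a8a297', 'roles': [u'admin'], "
    "'trustee_id': None, 'trustor_id': None, 'consumer_id': None, "
    "'token': <KeystoneToken (audit_id=N_npq13XRkqrSeRsfWIklw, "
    "audit_chain_id=Nre272pGR2OZMDeM32zGYg) at 0x7fa05223ce30>, "
    "'project_id': u'9f76327906024506b2dc60645831fd2e', 'trust_id': None} "
    "process_request /opt/stack/keystone/keystone/middleware/core.py:240"
)
# Constructed contrast: the same context if the token were domain-scoped.
DOMAIN_SCOPED_LINE = LOG_LINE.replace(
    "'project_id': u'9f76327906024506b2dc60645831fd2e'", "'domain_id': u'default'")

def parse_auth_context(line):
    """Extract the auth_context dict from a keystone RBAC DEBUG line."""
    m = re.search(r"auth_context: (\{.*\})", line)
    if not m:
        raise ValueError("no auth_context in line")
    # Object reprs such as <KeystoneToken ...> are not literals; drop them.
    return ast.literal_eval(re.sub(r"<[^>]*>", "None", m.group(1)))

def token_scope(ctx):
    """Classify the token scope from the keys present in the context."""
    if ctx.get("domain_id"):
        return "domain"
    if ctx.get("project_id"):
        return "project"
    return "unscoped"

def cloud_admin_allowed(ctx, admin_domain_id):
    # Assumed rule, as in keystone's v3 cloud sample policy of that period:
    #   "cloud_admin": "rule:admin_required and domain_id:admin_domain_id"
    # The domain_id compared here is the token's scope, not the user's domain.
    return ("admin" in ctx.get("roles", [])
            and ctx.get("domain_id") == admin_domain_id)

def diagnose(line, admin_domain_id="default"):
    """Return (token scope, whether the assumed cloud_admin rule passes)."""
    ctx = parse_auth_context(line)
    return token_scope(ctx), cloud_admin_allowed(ctx, admin_domain_id)

if __name__ == "__main__":
    print("logged request:", diagnose(LOG_LINE))
    print("domain-scoped: ", diagnose(DOMAIN_SCOPED_LINE))
```

Under the assumed rule, the logged context carries the admin role but only a project_id, so the domain_id comparison has nothing to match against.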

Launchpad Janitor (janitor) wrote :

[Expired for Keystone because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired