unretrieve project list when switching project

Bug #1487372 reported by Canh Truong
This bug affects 8 people
Affects: django-openstack-auth
Status: Fix Released
Importance: High
Assigned to: Einar Forselv

Bug Description

When switching project, the dashboard shows the error "Error: Unauthorized: Unable to retrieve project list.", but we can still list projects by command. If we log out and log in again, the dashboard works normally.

Traceback (most recent call last):
  File "/opt/stack/horizon/openstack_dashboard/dashboards/identity/projects/views.py", line 89, in get_data
    marker=marker)
  File "/opt/stack/horizon/openstack_dashboard/api/keystone.py", line 290, in tenant_list
    tenants = manager.list(**kwargs)
  File "/opt/stack/horizon/.venv/local/lib/python2.7/site-packages/keystoneclient/utils.py", line 336, in inner
    return func(*args, **kwargs)
  File "/opt/stack/horizon/.venv/local/lib/python2.7/site-packages/keystoneclient/v3/projects.py", line 106, in list
    **kwargs)
  File "/opt/stack/horizon/.venv/local/lib/python2.7/site-packages/keystoneclient/base.py", line 73, in func
    return f(*args, **new_kwargs)
  File "/opt/stack/horizon/.venv/local/lib/python2.7/site-packages/keystoneclient/base.py", line 366, in list
    self.collection_key)
  File "/opt/stack/horizon/.venv/local/lib/python2.7/site-packages/keystoneclient/base.py", line 113, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/opt/stack/horizon/.venv/local/lib/python2.7/site-packages/keystoneclient/adapter.py", line 170, in get
    return self.request(url, 'GET', **kwargs)
  File "/opt/stack/horizon/.venv/local/lib/python2.7/site-packages/keystoneclient/adapter.py", line 206, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/opt/stack/horizon/.venv/local/lib/python2.7/site-packages/keystoneclient/adapter.py", line 95, in request
    return self.session.request(url, method, **kwargs)
  File "/opt/stack/horizon/.venv/local/lib/python2.7/site-packages/keystoneclient/utils.py", line 336, in inner
    return func(*args, **kwargs)
  File "/opt/stack/horizon/.venv/local/lib/python2.7/site-packages/keystoneclient/session.py", line 397, in request
    raise exceptions.from_response(resp, method, url)
Unauthorized: The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-70ac41d3-7b89-4017-8617-447358e6dc91)

Canh Truong (canh-v-truong) wrote :
affects: horizon → django-openstack-auth
description: updated
Matthias Runge (mrunge)
Changed in django-openstack-auth:
status: New → Confirmed
Matthias Runge (mrunge)
Changed in django-openstack-auth:
importance: Undecided → High
Lin Hua Cheng (lin-hua-cheng) wrote :

When running Horizon with keystone v3, the session backend must be switched from cookie-based to a database.

If the cookie backend is used, this is one of the symptoms.

Can you try it again using a DB backend?

Changed in django-openstack-auth:
status: Confirmed → Incomplete
Kevin Tibi (ktibi) wrote :

I have the same issue:

2015-11-12 14:53:52,365 6922 ERROR openstack_auth.user Unable to retrieve project list.
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/openstack_auth/user.py", line 315, in authorized_tenants
    is_federated=self.is_federated)
  File "/usr/lib/python2.7/site-packages/openstack_auth/utils.py", line 145, in wrapper
    result = func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/openstack_auth/utils.py", line 247, in get_project_list
    projects = client.tenants.list()
  File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/tenants.py", line 123, in list
    tenant_list = self._list('/tenants%s' % query, 'tenants')
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 113, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 170, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 206, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 95, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 397, in request
    raise exceptions.from_response(resp, method, url)
Unauthorized: The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-5d5344cb-0b69-4da2-a154-4cc78a93e3c7)

I use keystone V2.0

OPENSTACK_API_VERSIONS = { "identity": 2.0 }

CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': '127.0.0.1:11211',
    }
}

Changed in django-openstack-auth:
status: Incomplete → New
status: New → Confirmed
Sam Morrison (sorrison) wrote :

Can confirm I also see this issue using keystone v2.0.

If I disable HASH I can't log in; if HASH is enabled I can log in and see the list of projects, but as soon as I choose another project I can no longer see any projects in the project selector.

Using horizon 8 and openstack_auth 2.0

Using memcache backend

Sam Morrison (sorrison)
summary: - unretrieve project list when switching project in keystone v3
+ unretrieve project list when switching project
Kevin Tibi (ktibi) wrote :

My version :

python-django-openstack-auth-1.2.0-4.el7.noarch
openstack-dashboard-2015.1.0-7.el7.noarch

After a fresh install, each action in horizon makes a trace.

CLI works.

Kevin Tibi (ktibi) wrote :

If I force horizon to use V3 I have ==> The settings.py file points to a v2.0 keystone endpoint, but v3 is specified as the API version to use. Using v3 endpoint for authentication.

But now all works :/

I just changed the URL in local_settings from v2.0 to v3.

User (441200288-2) wrote :

Lin Hua Cheng (lin-hua-cheng) is right

Einar Forselv (eforselv) wrote :

After quite a bit of debugging, the problem appears to be:

When using token hashing, the unscoped_token gets re-hashed every time you switch project. Your scoped token will for example be the md5 of an md5.

In user.py, Token class: __init__ assumes "If the scoped_token is long, then unscoped_token must be too." (comment in the code). This is false. The unscoped_token is already hashed.

In user.py: create_user_from_token(..) we send in the unscoped_token attribute from the token object and the unscoped token from session. The attribute is already hashed, but the session value never gets hashed.

Einar Forselv (eforselv) wrote :

Correction from previous post : Your UNscoped token will for example be the md5 of an md5.

Einar Forselv (eforselv)
Changed in django-openstack-auth:
assignee: nobody → Einar Forselv (eforselv)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to django_openstack_auth (master)

Fix proposed to branch: master
Review: https://review.openstack.org/264755

Changed in django-openstack-auth:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to django_openstack_auth (master)

Reviewed: https://review.openstack.org/264755
Committed: https://git.openstack.org/cgit/openstack/django_openstack_auth/commit/?id=5ab3908cff64fa5b5a5bd5ea4877c42096172dd3
Submitter: Jenkins
Branch: master

commit 5ab3908cff64fa5b5a5bd5ea4877c42096172dd3
Author: Einar Forselv <email address hidden>
Date: Thu Jan 7 13:42:28 2016 +0100

    Unscoped PKI token should no longer be hashed multiple times.

    When token hashing is used with pki tokens, the unscoped token
    gets re-hashed when switching project. This fix checks
    if the unscoped token needs to be hashed before doing so.

    The project list operation when switching project in horizon
    failed because the unscoped token could for example be an
    md5 of an md5.

    Change-Id: I64684ca251eb4d0c6164e58c078cf7d132eb3cc1
    Closes-Bug: #1487372

Changed in django-openstack-auth:
status: In Progress → Fix Released
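
The double hashing described in Einar Forselv's analysis and in the commit message above, as an added example (a simplified model, not code from django_openstack_auth). The names `looks_like_pki`, `token_ids_buggy`, `token_ids_fixed` and `simulate` are hypothetical, the PKI check is a simplified stand-in, and the sample tokens are constructed.

```python
import hashlib

def md5_hex(value):
    return hashlib.md5(value.encode()).hexdigest()

def looks_like_pki(token):
    # Simplified stand-in for a PKI-format check (assumption): PKI tokens are
    # long base64 blobs, while an MD5 hex digest is only 32 hex characters.
    return token.startswith("MII") and len(token) > 32

def token_ids_buggy(scoped, unscoped):
    """Model of the reported behaviour: hash both whenever the scoped one is PKI."""
    if looks_like_pki(scoped):
        # "If the scoped_token is long, then unscoped_token must be too."
        return md5_hex(scoped), md5_hex(unscoped)
    return scoped, unscoped

def token_ids_fixed(scoped, unscoped):
    """Model of the fix: check each token on its own before hashing it."""
    if looks_like_pki(scoped):
        scoped = md5_hex(scoped)
    if looks_like_pki(unscoped):
        unscoped = md5_hex(unscoped)
    return scoped, unscoped

def simulate(token_ids, switches=2):
    """Return the unscoped token id held after login and after each switch."""
    pki_unscoped = "MII" + "A" * 200                  # constructed sample token
    _, held = token_ids(pki_unscoped, pki_unscoped)   # login
    history = [held]
    for n in range(switches):
        new_scoped = "MII" + "B" * 200 + str(n)       # constructed scoped token
        _, held = token_ids(new_scoped, held)         # switch project
        history.append(held)
    return history

# Single hash of the PKI token; a hash of this hash no longer matches it.
EXPECTED = md5_hex("MII" + "A" * 200)

if __name__ == "__main__":
    for name, fn in (("buggy", token_ids_buggy), ("fixed", token_ids_fixed)):
        for step, held in enumerate(simulate(fn)):
            print(name, step, held, "match" if held == EXPECTED else "mismatch")
```

In the buggy model the held value changes on every project switch, which matches the symptom that a fresh login works and the first switch breaks the project list.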
OpenStack Infra (hudson-openstack) wrote : Fix proposed to django_openstack_auth (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/283624

OpenStack Infra (hudson-openstack) wrote : Fix proposed to django_openstack_auth (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/283647

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/django_openstack_auth 2.2.0

This issue was fixed in the openstack/django_openstack_auth 2.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to django_openstack_auth (stable/liberty)

Reviewed: https://review.openstack.org/283624
Committed: https://git.openstack.org/cgit/openstack/django_openstack_auth/commit/?id=f9c3a4f1707fa637254bd8291fe3babc003b3447
Submitter: Jenkins
Branch: stable/liberty

commit f9c3a4f1707fa637254bd8291fe3babc003b3447
Author: Einar Forselv <email address hidden>
Date: Thu Jan 7 13:42:28 2016 +0100

    Unscoped PKI token should no longer be hashed multiple times.

    When token hashing is used with pki tokens, the unscoped token
    gets re-hashed when switching project. This fix checks
    if the unscoped token needs to be hashed before doing so.

    The project list operation when switching project in horizon
    failed because the unscoped token could for example be an
    md5 of an md5.

    Change-Id: I64684ca251eb4d0c6164e58c078cf7d132eb3cc1
    Closes-Bug: #1487372
    (cherry picked from commit 5ab3908cff64fa5b5a5bd5ea4877c42096172dd3)

tags: added: in-stable-liberty
OpenStack Infra (hudson-openstack) wrote : Change abandoned on django_openstack_auth (stable/kilo)

Change abandoned by Matthias Runge (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/283647
Reason: openstack_auth in kilo should be EOLed, following horizon kilo EOL
