cinder quota not available in a non-default domain

Bug #1544888 reported by Renee Undrits on 2016-02-12
This bug affects 4 people
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)

Bug Description

I am running a multi-domain environment and am unable to access cinder quota information in Horizon from a non-default domain.
My default domain is with the SQL back end and the other one with an LDAP back end.

The effects include not being able to launch instances and not being able to modify quota information.

The error I get performing related actions is this:

And for example the code failing when launching an instance is this:

I tried to remove unnecessary information from logs (Time, request id-s, sensitive information).

From horizon logs(apache2 error log):
 [:error] Internal Server Error: /horizon/project/instances/launch
 [:error] Traceback (most recent call last):
 [:error] File "/usr/lib/python2.7/dist-packages/django/core/handlers/", line 111, in get_response
 [:error] response = wrapped_callback(request, *callback_args, **callback_kwargs)
 [:error] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/", line 36, in dec
 [:error] return view_func(request, *args, **kwargs)
 [:error] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/", line 52, in dec
 [:error] return view_func(request, *args, **kwargs)
 [:error] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/", line 36, in dec
 [:error] return view_func(request, *args, **kwargs)
 [:error] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/", line 84, in dec
 [:error] return view_func(request, *args, **kwargs)
 [:error] File "/usr/lib/python2.7/dist-packages/django/views/generic/", line 69, in view
 [:error] return self.dispatch(request, *args, **kwargs)
 [:error] File "/usr/lib/python2.7/dist-packages/django/views/generic/", line 87, in dispatch
 [:error] return handler(request, *args, **kwargs)
 [:error] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/workflows/", line 167, in post
 [:error] context = self.get_context_data(**kwargs)
 [:error] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/workflows/", line 91, in get_context_data
 [:error] workflow = self.get_workflow()
 [:error] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/workflows/", line 81, in get_workflow
 [:error] entry_point=entry_point)
 [:error] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/workflows/", line 651, in __init__
 [:error] valid = step.action.is_valid()0
 [:error] File "/usr/lib/python2.7/dist-packages/django/forms/", line 162, in is_valid
 [:error] return self.is_bound and not bool(self.errors)
 [:error] File "/usr/lib/python2.7/dist-packages/django/forms/", line 154, in errors
 [:error] self.full_clean()
 [:error] File "/usr/lib/python2.7/dist-packages/django/forms/", line 354, in full_clean
 [:error] self._clean_form()
 [:error] File "/usr/lib/python2.7/dist-packages/django/forms/", line 378, in _clean_form
 [:error] cleaned_data = self.clean()
 [:error] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/project/instances/workflows/", line 367, in clean
 [:error] self._check_quotas(cleaned_data)
 [:error] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/project/instances/workflows/", line 224, in _check_quotas
 [:error] available_volume = usages['volumes']['available']
 [:error] KeyError: 'available'

And a related bug seems to be a call to cinder api:

INFO cinder.api.openstack.wsgi GET http://openstack:8776/v2/febe06c4fb8e4b4ea5cbd86f3827ced1/os-quota-sets/febe06c4fb8e4b4ea5cbd86f3827ced1?usage=False
ERROR cinder.api.middleware.fault Caught error: Non-default domain is not supported (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-4d088b3f-abb6-4475-b72c-f915f6c6413b) (HTTP 401)
INFO cinder.api.middleware.fault http://openstack:8776/v2/febe06c4fb8e4b4ea5cbd86f3827ced1/os-quota-sets/febe06c4fb8e4b4ea5cbd86f3827ced1?usage=False returned with HTTP 500
INFO eventlet.wsgi.server - - [10/Feb/2016 17:47:15] "GET /v2/febe06c4fb8e4b4ea5cbd86f3827ced1/os-quota-sets/febe06c4fb8e4b4ea5cbd86f3827ced1?usage=False HTTP/1.1" 500 425 0.102689

Where the project id is febe06c4fb8e4b4ea5cbd86f3827ced1.
But since the Service project id is 7442f0f3f5bd452a8d6a59a2eb277577 the call should be to http://openstack:8776/v2/7442f0f3f5bd452a8d6a59a2eb277577/os-quota-sets/febe06c4fb8e4b4ea5cbd86f3827ced1?usage=False

The service project is in the default domain and the user project is in the LDAP backed domain.

Also from keystone log this line can be found:
WARNING keystone.common.wsgi Authorization failed. Non-default domain is not supported (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from

For now I have made a bypass when launching an instance, asking for quota information with the code found in the volume tab:
Instead of
            available_volume = usages['volumes']['available']

I'm using
            usages = quotas.tenant_limit_usages(self.request)
            available_volume = usages['maxTotalVolumes'] - usages['volumesUsed']
            usages = quotas.tenant_quota_usages(self.request)
Which seems to work fine.

Donny Davis (donny-g) wrote :

Try this

In cinder.conf


# From keystonemiddleware.auth_token

# Complete public Identity API endpoint. (string value)
auth_uri = http://$YOURIP:5000/v3
auth_plugin = password
auth_url = http://$ADMINIP:35357
username = cinder
password = notsharing
project_name = services

in vi /etc/cinder/api-paste.ini
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_plugin = password
auth_url = http://$ADMINIP:35357
username = cinder
project_name = services
user_domain_name = Default
project_domain_name = Default

Seems to be working for me

Marcus Furlong (furlongm) wrote :

I have the same issue in a multi-domain environment.

In my case regular users are in the default domain and the admin user is in the 'admin' domain. Trying to edit a project via horizon does not work e.g. Identity-> Projects-> Edit Project.

When trying to do so, I get the following error -> "Error: Unable to retrieve volume limit information."

When trying to save a project I get the following error -> "Error: Modified project information and members, but unable to modify project quotas."

In the cinder logs I see the same error as noted in the initial bug report -> "Caught error: Non-default domain is not supported"

The workaround in comment #1 does not work for me.

Yee-Ting Li (yee379) wrote :

@donny-g's solution worked for me (but in my case my 'services' project was named 'service'). i was also missing the 'v3' in my auth_uri.

tobe (chendihao) wrote :

We have the similar problem when using the command-line to check the quota in another domain.

I'm not really know whey @donny-g's solution could solve this problem?

Ladislav Smola (lsmola) wrote :

I can confirm I see this too, also it throws 500, which makes this hard for us to ignore. If it would at least throw 404, saying we don't support this.

Changed in cinder:
status: New → Confirmed
Changed in horizon:
status: New → Confirmed
Changed in cinder:
importance: Undecided → Medium
Andia (wangyuwei) wrote :

this problem may be solved by adding /v3 after auth_uri in cinder.conf [keystone_authtoken].Because it is caused by an authentication for hierarchical projects, this project is supported by keystone v3. However, keystone v2 only supports default domain,v3 isn't needed.This solution is working for me.

Jay Bryant (jsbryant) wrote :

Given that the wrong keystone endpoint was being used can we just close this one?

Gary W. Smith (gary-w-smith) wrote :

Marking horizon bug as invalid since this is reproducible with the cinder CLI.

Changed in horizon:
status: Confirmed → Invalid
Changed in cinder:
assignee: nobody → Ankush Shriram Pokalwar (ankushpo)
Changed in cinder:
assignee: Ankush Shriram Pokalwar (ankushpo) → nobody
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers