openstack_auth.backend: Error getting domain scoped token during login (when Multidomain support disabled)

Bug #1641638 reported by Kam Nasim on 2016-11-14
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
django-openstack-auth
Medium
Unassigned

Bug Description

Debug logs are enabled for horizon

login as admin user

Result
Debug logs report error getting domain scoped token

2016-11-07 19:44:57,284 [DEBUG] openstack_auth.backend: Beginning user authentication
2016-11-07 19:44:57,285 [DEBUG] openstack_auth.plugin.password: Attempting to authenticate for admin
2016-11-07 19:44:57,391 [DEBUG] openstack_auth.backend: Error getting domain scoped token.
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/openstack_auth/backend.py", line 146, in authenticate
    domain_auth_ref = domain_auth.get_access(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 136, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py", line 167, in get_auth_ref
    authenticated=False, log=False, **rkwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 572, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 94, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 467, in request
    raise exceptions.from_response(resp, method, url)

Analysis:
Examining the Horizon Openstack auth driver, we see that on user login, it will attempt to get both a domain scoped token and project scoped token. A domain scoped token is needed since for Multi-domain deployments there are RBAC domain-specific policy rules. However since ours is a single domain deployment we ONLY exercise the project scoped token, and therefore the project based RBAC rules.

We shouldn't even be trying to get a domain scoped token if multi-domain has been disabled in Horizon:
# Set this to True if running on multi-domain model. When this is enabled, it
# will require user to enter the Domain name in addition to username for login.
#OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False

While the log is only set to Debug verbosity, this is still a redundant call out to Keystone which is not needed when Multi Domain support has been disabled in Horizon.

Kam Nasim (knasim-wrs) on 2016-11-14
Changed in django-openstack-auth:
assignee: nobody → Kam Nasim (knasim-wrs)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to django_openstack_auth (master)

Fix proposed to branch: master
Review: https://review.openstack.org/397332

Changed in django-openstack-auth:
status: New → In Progress
David Lyle (david-lyle) on 2017-01-31
Changed in django-openstack-auth:
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on django_openstack_auth (master)

Change abandoned by Rob Cresswell (<email address hidden>) on branch: master
Review: https://review.openstack.org/397332
Reason: due to inactivity

Changed in django-openstack-auth:
assignee: Kam Nasim (knasim-wrs) → nobody
status: In Progress → Triaged
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers