openstack_auth.backend: Error getting domain scoped token during login (when Multidomain support disabled)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
django-openstack-auth |
Triaged
|
Medium
|
Unassigned |
Bug Description
Debug logs are enabled for horizon
login as admin user
Result
Debug logs report error getting domain scoped token
2016-11-07 19:44:57,284 [DEBUG] openstack_
2016-11-07 19:44:57,285 [DEBUG] openstack_
2016-11-07 19:44:57,391 [DEBUG] openstack_
Traceback (most recent call last):
File "/usr/lib/
domain_auth_ref = domain_
File "/usr/lib/
self.auth_ref = self.get_
File "/usr/lib/
authenticat
File "/usr/lib/
return self.request(url, 'POST', **kwargs)
File "/usr/lib/
return func(*args, **kwargs)
File "/usr/lib/
raise exceptions.
Analysis:
Examining the Horizon Openstack auth driver, we see that on user login, it will attempt to get both a domain scoped token and project scoped token. A domain scoped token is needed since for Multi-domain deployments there are RBAC domain-specific policy rules. However since ours is a single domain deployment we ONLY exercise the project scoped token, and therefore the project based RBAC rules.
We shouldn't even be trying to get a domain scoped token if multi-domain has been disabled in Horizon:
# Set this to True if running on multi-domain model. When this is enabled, it
# will require user to enter the Domain name in addition to username for login.
#OPENSTACK_
While the log is only set to Debug verbosity, this is still a redundant call out to Keystone which is not needed when Multi Domain support has been disabled in Horizon.
Changed in django-openstack-auth: | |
assignee: | nobody → Kam Nasim (knasim-wrs) |
Changed in django-openstack-auth: | |
importance: | Undecided → Medium |
Changed in django-openstack-auth: | |
assignee: | Kam Nasim (knasim-wrs) → nobody |
status: | In Progress → Triaged |
Fix proposed to branch: master /review. openstack. org/397332
Review: https:/