openstack_auth.backend: Error getting domain scoped token during login (when Multidomain support disabled)

Bug #1641638 reported by Kam Nasim
This bug affects 2 people
Affects Status Importance Assigned to Milestone

Bug Description

Debug logs are enabled for horizon

login as admin user

Debug logs report error getting domain scoped token

2016-11-07 19:44:57,284 [DEBUG] openstack_auth.backend: Beginning user authentication
2016-11-07 19:44:57,285 [DEBUG] openstack_auth.plugin.password: Attempting to authenticate for admin
2016-11-07 19:44:57,391 [DEBUG] openstack_auth.backend: Error getting domain scoped token.
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/openstack_auth/", line 146, in authenticate
    domain_auth_ref = domain_auth.get_access(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/", line 136, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/v3/", line 167, in get_auth_ref
    authenticated=False, log=False, **rkwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/", line 572, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/site-packages/positional/", line 94, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/", line 467, in request
    raise exceptions.from_response(resp, method, url)

Examining the Horizon Openstack auth driver, we see that on user login, it will attempt to get both a domain scoped token and project scoped token. A domain scoped token is needed since for Multi-domain deployments there are RBAC domain-specific policy rules. However since ours is a single domain deployment we ONLY exercise the project scoped token, and therefore the project based RBAC rules.

We shouldn't even be trying to get a domain scoped token if multi-domain has been disabled in Horizon:
# Set this to True if running on multi-domain model. When this is enabled, it
# will require user to enter the Domain name in addition to username for login.

While the log is only set to Debug verbosity, this is still a redundant call out to Keystone which is not needed when Multi Domain support has been disabled in Horizon.

Kam Nasim (knasim-wrs)
Changed in django-openstack-auth:
assignee: nobody → Kam Nasim (knasim-wrs)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to django_openstack_auth (master)

Fix proposed to branch: master

Changed in django-openstack-auth:
status: New → In Progress
David Lyle (david-lyle)
Changed in django-openstack-auth:
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on django_openstack_auth (master)

Change abandoned by Rob Cresswell (<email address hidden>) on branch: master
Reason: due to inactivity

Changed in django-openstack-auth:
assignee: Kam Nasim (knasim-wrs) → nobody
status: In Progress → Triaged
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers