django-openstack-auth

openstack_auth.backend: Error getting domain scoped token during login (when Multidomain support disabled)

Bug #1641638 reported by Kam Nasim on 2016-11-14

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	django-openstack-auth	Triaged	Medium	Unassigned

Bug Description

Debug logs are enabled for horizon

Result
Debug logs report error getting domain scoped token

2016-11-07 19:44:57,284 [DEBUG] openstack_auth.backend: Beginning user authentication
2016-11-07 19:44:57,285 [DEBUG] openstack_auth.plugin.password: Attempting to authenticate for admin
2016-11-07 19:44:57,391 [DEBUG] openstack_auth.backend: Error getting domain scoped token.
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/openstack_auth/backend.py", line 146, in authenticate
    domain_auth_ref = domain_auth.get_access(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 136, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py", line 167, in get_auth_ref
    authenticated=False, log=False, **rkwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 572, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 94, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 467, in request
    raise exceptions.from_response(resp, method, url)

Analysis:
Examining the Horizon Openstack auth driver, we see that on user login, it will attempt to get both a domain scoped token and project scoped token. A domain scoped token is needed since for Multi-domain deployments there are RBAC domain-specific policy rules. However since ours is a single domain deployment we ONLY exercise the project scoped token, and therefore the project based RBAC rules.

We shouldn't even be trying to get a domain scoped token if multi-domain has been disabled in Horizon:
# Set this to True if running on multi-domain model. When this is enabled, it
# will require user to enter the Domain name in addition to username for login.
#OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False

While the log is only set to Debug verbosity, this is still a redundant call out to Keystone which is not needed when Multi Domain support has been disabled in Horizon.

Kam Nasim (knasim-wrs) on 2016-11-14

Changed in django-openstack-auth:
assignee:	nobody → Kam Nasim (knasim-wrs)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-14: Fix proposed to django_openstack_auth (master)

Fix proposed to branch: master
Review: https://review.openstack.org/397332

Changed in django-openstack-auth:
status:	New → In Progress

David Lyle (david-lyle) on 2017-01-31

Changed in django-openstack-auth:
importance:	Undecided → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-07-18: Change abandoned on django_openstack_auth (master)

Change abandoned by Rob Cresswell (<email address hidden>) on branch: master
Review: https://review.openstack.org/397332
Reason: due to inactivity

Rob Cresswell (robcresswell-deactivatedaccount) on 2017-07-18

Changed in django-openstack-auth:
assignee:	Kam Nasim (knasim-wrs) → nobody
status:	In Progress → Triaged

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.