Cannot list users and groups with Keystone v3

Bug #1415588 reported by Pavel Gluschak
24
This bug affects 5 people
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
In Progress
Undecided
Timur Sufiev

Bug Description

Openstack 2014.2.1 on CentOS 7

Horizon is configured to use Keystone v3 API w/ domains:
OPENSTACK_API_VERSIONS = {
    "identity": 3
}
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True

I logged in as admin and specified "default" domain on login page. When I select Identity->Users or Identity->Groups I got pop-up error message saying "Error: Unauthorized: Unable to retrieve user/group list."

In keystone.log I see:
2015-01-28 21:39:51.654 4207 WARNING keystone.common.controller [-] No domain information specified as part of list request
2015-01-28 21:39:51.654 4207 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 9.167.185.90
2015-01-28 21:39:51.655 4207 INFO eventlet.wsgi.server [-] 9.167.185.90 - - [28/Jan/2015 21:39:51] "GET /v3/users HTTP/1.1" 401 313 0.008419
2015-01-28 21:39:54.031 4243 WARNING keystone.common.controller [-] No domain information specified as part of list request
2015-01-28 21:39:54.031 4243 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 9.167.185.90
2015-01-28 21:39:54.032 4243 INFO eventlet.wsgi.server [-] 9.167.185.90 - - [28/Jan/2015 21:39:54] "GET /v3/groups HTTP/1.1" 401 313 0.009917

Tags: keystone
Changed in horizon:
assignee: nobody → Wu Wenxiang (wu-wenxiang)
Revision history for this message
Nikunj Aggarwal (nikunj2512) wrote :

Not able to reproduce...

Revision history for this message
Pavel Gluschak (scsnow) wrote :

Do you have multiple domains defined? I have first domain in sql backend and second one in ldap backend.

[root@juno1 ~(keystonev3_admin)]# cat keystonev3rc_admin
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://9.167.185.90:5000/v3
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_USERNAME=admin
export OS_PROJECT_NAME=admin
export OS_PASSWORD=*****
export PS1='[\u@\h \W(keystonev3_admin)]\$ '
[root@juno1 ~(keystonev3_admin)]# openstack user list
ERROR: openstack The request you have made requires authentication. (HTTP 401)
[root@juno1 ~(keystonev3_admin)]# openstack user list --domain default
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 0261a5e2252d4778866209c4834a73ad | nova |
| 0781c81c522642d689e3611a82ccb7f4 | neutron |
| 93e2632af4fa4c6297ce34e6208b3038 | heat |
| 965afb3c90304064b74cafdcc04647a4 | cinder |
| c8ffb935e7f3495593ee73a1f1d3f17f | admin |
| eec4197e03c842a2ae4c1176ee66540d | glance |
+----------------------------------+---------+

I have to specify --domain parameter, even I have OS_USER_DOMAIN_ID exported. I don't know whether it's bug or feature in keystone.

affects: horizon → keystone
Changed in keystone:
assignee: Wu Wenxiang (wu-wenxiang) → nobody
Revision history for this message
Brant Knudson (blk-u) wrote :

Keystone doesn't allow listing all users when multiple domains are configured. Keystone is working as designed.

Revision history for this message
Pavel Gluschak (scsnow) wrote :

I suppose horizon should pass domain of logged in user to keystone, when listing users/groups.

Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

Brant is correct in this case. This is as designed. Listing all users is only guaranteed to be possible within the scope of a specific domain.

Marking this bug as invalid for Keystone.

Changed in keystone:
status: New → Invalid
Revision history for this message
Pavel Gluschak (scsnow) wrote :

To repro this bug in Horizon multiple domains should be defined. Per comments above this works as designed in Keystone, so Horizon should include domain in the request. I believe this should be a domain of logged in user.

affects: keystone → horizon
Changed in horizon:
status: Invalid → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Dashboard (Horizon) because there has been no activity for 60 days.]

Changed in horizon:
status: Incomplete → Expired
Changed in horizon:
status: Expired → New
Revision history for this message
Mahesh Sawaiker (mahesh-sawaiker) wrote :

I get this error, openstack clients also seem to fail to list users and groups.

Issue seems to be in this method line 715 is the exception being thrown.

683 def _get_domain_id_for_list_request(self, context):
684 """Get the domain_id for a v3 list call.
685
686 If we running with multiple domain drivers, then the caller must
687 specify a domain_id either as a filter or as part of the token scope.
688
689 """
690 if not CONF.identity.domain_specific_drivers_enabled:
691 # We don't need to specify a domain ID in this case
692 return
693
694 if context['query_string'].get('domain_id') is not None:
695 return context['query_string'].get('domain_id')
696
697 try:
698 token_ref = token_model.KeystoneToken(
699 token_id=context['token_id'],
700 token_data=self.token_provider_api.validate_token(
701 context['token_id']))
702 except KeyError:
703 raise exception.ValidationError(
704 _('domain_id is required as part of entity'))
705 except (exception.TokenNotFound,
706 exception.UnsupportedTokenVersionException):
707 LOG.warning(_LW('Invalid token found while getting domain ID '
708 'for list request'))
709 raise exception.Unauthorized()
710
711 if token_ref.domain_scoped:
712 return token_ref.domain_id
713 else:
714 LOG.warning(
715 _LW('No domain information specified as part of list request'))
716 raise exception.Unauthorized()

Keystone logs are as follows.
2015-10-06 07:32:24.141 11175 DEBUG keystone.policy.backends.rules [-] enforce identity:list_users: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'a3cde1ee62b7882310e28a16efc19fae1fb81383628117c100f0fb80e7442177', 'roles': [u'admin', u'_member_'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=wAXcFhRURgmBoLZPhNZBaQ, audit_chain_id=wAXcFhRURgmBoLZPhNZBaQ) at 0x7fa5a9d894f0>, 'project_id': u'4bf2a3a0b84745259bb4c8d4829cf742', 'trust_id': None} enforce /opt/bbc/openstack-11.0-bbc73/keystone/local/lib/python2.7/site-packages/keystone/policy/backends/rules.py:76
2015-10-06 07:32:24.142 11175 DEBUG keystone.common.controller [-] RBAC: Authorization granted wrapper /opt/bbc/openstack-11.0-bbc73/keystone/local/lib/python2.7/site-packages/keystone/common/controller.py:203
2015-10-06 07:32:24.151 11175 WARNING keystone.common.controller [-] No domain information specified as part of list request
2015-10-06 07:32:24.152 11175 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from 192.168.0.96

Configuration
1) Enable domain specific drivers in keystone
2) keep default domain in ldap, keep all other domains in sql db.
3) Try listing users or groups using v3 api.

Revision history for this message
Mahesh Sawaiker (mahesh-sawaiker) wrote :

I was able to get users and groups to list, need to do set domain context from identity=> domains, then it works.
I think in horizon this can be closed as fixed, but possibly need some documentation around this.

Pavel Gluschak (scsnow)
Changed in horizon:
status: New → Invalid
Revision history for this message
Itxaka Serrano (itxaka) wrote :

Is there something we could do in here to alleviate this? Maybe set up the default domain in the context on login so we dont show an error with no context at all?

Changed in horizon:
status: Invalid → New
Changed in horizon:
assignee: nobody → Radomir Dopieralski (thesheep)
status: New → In Progress
Changed in horizon:
assignee: Radomir Dopieralski (thesheep) → Timur Sufiev (tsufiev-x)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (master)

Change abandoned by Radomir Dopieralski (<email address hidden>) on branch: master
Review: https://review.openstack.org/356571

tags: added: keystone
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers