Federated users cannot log into horizon

Bug #1660436 reported by Colleen Murphy
Affects                          Status        Importance  Assigned to      Milestone
OpenStack Dashboard (Horizon)    Fix Released  Critical    Colleen Murphy
OpenStack Identity (keystone)    Invalid       Undecided   Unassigned
django-openstack-auth            Fix Released  Undecided   Unassigned
keystoneauth                     Invalid       Undecided   Unassigned
python-novaclient                Invalid       Undecided   Unassigned

Bug Description

As of this bugfix in novaclient, federated users cannot log in to horizon:

https://bugs.launchpad.net/python-novaclient/+bug/1658963

Before this bugfix, horizon would attempt to list nova extensions using what was apparently the wrong class, and the error would be caught and quietly logged as such:

 Call to list supported extensions failed. This is likely due to a problem communicating with the Nova endpoint. Host Aggregates panel will not be displayed.

The dashboard would display:

 Error: Unable to retrieve usage information.

but at least the user was logged into the dashboard.

The error that was being hidden was:

 __init__() takes at least 3 arguments (2 given)

Now that that is fixed, horizon makes it further but fails to authenticate the federated user when attempting this request, giving the traceback here:

 http://paste.openstack.org/show/596929/

The problem lies somewhere between keystoneauth, novaclient, and horizon.

keystoneauth:

When keystoneauth does version discovery, it first tries the Identity v2.0 API, and finding no domain information in the request, returns that API as the Identity endpoint. Modifying keystoneauth to not stop there and continue trying the v3 API, even though it lacks domain information, allows the user to successfully log in:

 http://paste.openstack.org/show/596930/

I'm not really sure why that works or what would break with that change.

novaclient:

When creating a Token plugin, novaclient is aware of a project's domain but not of a domain on its own or of a default domain:

 http://git.openstack.org/cgit/openstack/python-novaclient/tree/novaclient/client.py#n137

keystoneauth relies on having default_domain_(id|name), domain_(id|name), or project_domain_(id|name) set, and novaclient isn't receiving information about the project_domain_(id|name) and isn't capable of sending any other domain information when using the Token plugin, which it must for a federated user.

horizon:

For federated users novaclient is only set up to pass along domain info for the project, which horizon doesn't store in its user object:

 http://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/user.py#n202

However, things seem to just work if we fudge the user_domain_id as the project_domain_id, though that is obviously not a good solution:

 http://paste.openstack.org/show/596933/

Changed in horizon:
assignee: nobody → Rob Cresswell (robcresswell)
milestone: none → ocata-rc1
Steve Martinelli (stevemar) wrote :

This was discussed at the keystone meeting today; the thinking is that adding domain information to the fernet token formatter may help to resolve the issues -- adding keystone as an affected project.

Changed in keystone:
milestone: none → ocata-rc1
assignee: nobody → Colleen Murphy (krinkle)
importance: Undecided → Critical
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/427722

Changed in horizon:
assignee: Rob Cresswell (robcresswell) → Colleen Murphy (krinkle)
status: New → In Progress
Colleen Murphy (krinkle) wrote :

Rob - I think I found some simple fixes for doa and horizon, with no changes needed for novaclient or keystone. Let me know what you think.

https://review.openstack.org/427721
https://review.openstack.org/427722

Changed in horizon:
importance: Undecided → Critical
Steve Martinelli (stevemar) wrote :

Marked as invalid for keystone projects and novaclient. The fix was centralized to Horizon and DOA.

Changed in keystone:
status: New → Invalid
Changed in python-novaclient:
status: New → Invalid
Changed in keystoneauth:
status: New → Invalid
Changed in django-openstack-auth:
status: New → Fix Released
Changed in keystone:
milestone: ocata-rc1 → none
assignee: Colleen Murphy (krinkle) → nobody
importance: Critical → Undecided
Changed in horizon:
milestone: ocata-rc1 → next
tags: added: ocata-backport-potential
Steve Martinelli (stevemar) wrote :

As discussed in IRC today, we should get the horizon fix backported and included in RC2 (which will need to be done to include translations).

Changed in horizon:
milestone: next → ocata-rc2
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/427722
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=f7e2d7883dc652085b2982c3a3ea766cb7993c68
Submitter: Jenkins
Branch: master

commit f7e2d7883dc652085b2982c3a3ea766cb7993c68
Author: Colleen Murphy <email address hidden>
Date: Wed Feb 1 15:08:56 2017 +0100

    Pass the project domain ID to novaclient

    When the nova client creates a new session, knowing only the ID and
    project of a token but not the project's domain, it calls keystoneauth
    with None as the project domain. Keystoneauth takes this to mean
    novaclient wants to authenticate with the Identity v2.0 API, which
    fails if the user is a federated user. This patch grabs the project
    domain ID from the request and passes it along to novaclient so that it
    can properly create a v3 Token session.

    Change-Id: I7f00a9fefd64c453c40b08fbe235ac7e42153050
    Depends-on: I18a9d42906cb2116903600d47880ebdfff1e1ef9
    Partial-bug: #1660436
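The selection rule that the bug description and the commit message above attribute to keystoneauth, as an added, simplified Python model (not code from horizon, novaclient or keystoneauth); the discovery response, the keystone.example URLs, the user record and its `federated` flag are all constructed for the illustration. It shows why a Token plugin built without any domain parameter lands on Identity v2.0, where a federated user cannot authenticate, and why passing the project domain ID moves the session to v3.

```python
# Added, simplified model of the plugin-selection rule this bug describes.
# Not code from horizon, novaclient or keystoneauth; all values are constructed.

# Constructed discovery response: keystone advertises both API versions.
DISCOVERED_VERSIONS = [
    {"id": "v2.0", "url": "http://keystone.example/v2.0/"},
    {"id": "v3", "url": "http://keystone.example/v3/"},
]

# Any of these set tells keystoneauth's generic plugin that v3 is required.
DOMAIN_KEYS = ("default_domain_id", "default_domain_name", "domain_id",
               "domain_name", "project_domain_id", "project_domain_name")

# Constructed federated user, as horizon's user object might hold it.
FEDERATED_USER = {"name": "alice", "token": "tok-example", "federated": True,
                  "project_id": "proj-1", "project_domain_id": "dom-1"}

def has_domain_scope(auth_kwargs):
    # A key present with value None (what novaclient passed) counts as absent.
    return any(auth_kwargs.get(key) for key in DOMAIN_KEYS)

def select_identity_version(versions, auth_kwargs):
    """Simplified selection: the first v2.0 wins unless a domain was given."""
    domain_scoped = has_domain_scope(auth_kwargs)
    for version in versions:
        if version["id"].startswith("v2") and not domain_scoped:
            return version["id"]
        if version["id"].startswith("v3"):
            return version["id"]
    raise LookupError("no usable Identity API version found")

def nova_auth_kwargs(user, pass_project_domain):
    """Token-plugin kwargs horizon hands to novaclient; the fix adds the domain."""
    kwargs = {"token": user["token"], "project_id": user["project_id"]}
    if pass_project_domain:
        kwargs["project_domain_id"] = user["project_domain_id"]
    return kwargs

def authenticate(version, user):
    """Federated identities exist only in v3, so a v2.0 session is rejected."""
    if user["federated"] and version.startswith("v2"):
        raise PermissionError("federated user cannot authenticate via v2.0")
    return "%s token session for %s" % (version, user["name"])

def session_version(user, pass_project_domain):
    """End-to-end outcome of the horizon -> novaclient -> keystoneauth chain."""
    kwargs = nova_auth_kwargs(user, pass_project_domain)
    return authenticate(select_identity_version(DISCOVERED_VERSIONS, kwargs), user)
```

Calling `session_version(FEDERATED_USER, False)` reproduces the pre-fix failure; `session_version(FEDERATED_USER, True)` is the post-fix path that yields a v3 token session.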

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/428532

Changed in horizon:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/ocata)

Reviewed: https://review.openstack.org/428532
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=4305dddeb703dcd94d5483590f33d998153df651
Submitter: Jenkins
Branch: stable/ocata

commit 4305dddeb703dcd94d5483590f33d998153df651
Author: Colleen Murphy <email address hidden>
Date: Wed Feb 1 15:08:56 2017 +0100

    Pass the project domain ID to novaclient

    When the nova client creates a new session, knowing only the ID and
    project of a token but not the project's domain, it calls keystoneauth
    with None as the project domain. Keystoneauth takes this to mean
    novaclient wants to authenticate with the Identity v2.0 API, which
    fails if the user is a federated user. This patch grabs the project
    domain ID from the request and passes it along to novaclient so that it
    can properly create a v3 Token session.

    Partial-bug: #1660436
    (cherry picked from commit f7e2d7883dc652085b2982c3a3ea766cb7993c68)

    Change-Id: Iaf331ecd7b02076be6f9123baf59de787cdbc3db

tags: added: in-stable-ocata