Federated users cannot log into horizon
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Dashboard (Horizon) |
Fix Released
|
Critical
|
Colleen Murphy | ||
OpenStack Identity (keystone) |
Invalid
|
Undecided
|
Unassigned | ||
django-openstack-auth |
Fix Released
|
Undecided
|
Unassigned | ||
keystoneauth |
Invalid
|
Undecided
|
Unassigned | ||
python-novaclient |
Invalid
|
Undecided
|
Unassigned |
Bug Description
As of this bugfix in novaclient, federated users cannot log in to horizon:
https:/
Before this bugfix, horizon would attempt to list nova extensions using what was apparently the wrong class, and the error would be caught and quietly logged as such:
Call to list supported extensions failed. This is likely due to a problem communicating with the Nova endpoint. Host Aggregates panel will not be displayed.
The dashboard would display:
Error: Unable to retrieve usage information.
but at least the user was logged into the dashboard.
The error that was being hidden was:
__init__() takes at least 3 arguments (2 given)
Now that that is fixed, horizon makes it further but fails to authenticate the federated user when attempting this request, giving the traceback here:
http://
The problem lies somewhere between keystoneauth, novaclient, and horizon.
keystoneauth:
When keystoneauth does version discovery, it first tries the Identity v2.0 API, and finding no domain information in the request, returns that API as the Identity endpoint. Modifying keystoneauth to not stop there and continue trying the v3 API, even though it lacks domain information, allows the user to successfully log in:
http://
I'm not really sure why that works or what would break with that change.
novaclient:
When creating a Token plugin the novaclient is aware of a project's domain but not of a domain on its own or of a default domain:
http://
keystoneauth relies on having default_
horizon:
For federated users novaclient is only set up to pass along domain info for the project, which horizon doesn't store in its user object:
http://
However things seem to just work if we fudge the user_domain_id as the project_domain_id, though that is obviously not a good solution:
Changed in horizon: | |
assignee: | nobody → Rob Cresswell (robcresswell) |
milestone: | none → ocata-rc1 |
Changed in horizon: | |
importance: | Undecided → Critical |
Changed in horizon: | |
milestone: | ocata-rc1 → next |
tags: | added: ocata-backport-potential |
Changed in horizon: | |
milestone: | next → ocata-rc2 |
Changed in horizon: | |
status: | In Progress → Fix Released |
This was discussed at the keystone meeting today, the thinking is that adding domain information to the fernet token formatter may help to resolve the issues -- adding keystone as an affected project.