R3.1-build-19-mitaka-keystonev3 with multi-domain- horizon not displaying project with user login creds
Affects | Status | Importance | Assigned to | Milestone | ||
---|---|---|---|---|---|---|
Juniper Openstack | Status tracked in Trunk | |||||
R3.1 |
Fix Committed
|
High
|
Deepinder Setia | |||
R3.2 |
Fix Committed
|
High
|
Deepinder Setia | |||
Trunk |
Fix Committed
|
High
|
Deepinder Setia |
Bug Description
Hi All,
While I am testing keystone v3 with Rbac, seeing below issue on horizon, do I need any other configuration to resolve below issues? Attached the screenshot of both the issues.
Issue 1:
Project tab not displayed the project name (screenshot- issue1)
1. Create a domain (name:mydomain) and project (name:project1-
2. Login to horizon as mydomain and user credentials , click on project tab (project1-mydomain not listed)
Issue 2: If I add the above user (user1-
root@a5s9:~# openstack role list --user user1-project1-
+------
| ID | Name | Domain | User |
+------
| 5f5ab31c772f450
+------
root@a5s9:
+------
| Field | Value |
+------
| default_project_id | 02267056232748d
| domain_id | 7110cd18083343d
| enabled | True |
| id | a0f2b3e05f714a0
| name | user1-project1-
root@a5s9:
+------
| ID | Name | Project | User |
+------
| 5f5ab31c772f450
Horizon exception (apache2/error.lg) on Issue2
=======
[Fri Aug 12 22:13:04.350108 2016] [:error] [pid 3755:tid 140284044183296] Deleted token 9de2cca079a14df
[Fri Aug 12 22:13:23.973484 2016] [:error] [pid 3757:tid 140284044183296] Login successful for user "user1-
[Fri Aug 12 22:13:25.239978 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.240704 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.241225 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.276170 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.276738 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.278068 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.278624 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.321291 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.321836 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.322383 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.345193 2016] [:error] [pid 3757:tid 140284119717632] Pure project admin doesn't have a domain token
[Fri Aug 12 22:13:25.345762 2016] [:error] [pid 3757:tid 140284119717632] Internal Server Error: /horizon/identity/
[Fri Aug 12 22:13:25.345783 2016] [:error] [pid 3757:tid 140284119717632] Traceback (most recent call last):
[Fri Aug 12 22:13:25.345791 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/lib/
[Fri Aug 12 22:13:25.345798 2016] [:error] [pid 3757:tid 140284119717632] response = wrapped_
[Fri Aug 12 22:13:25.345805 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/
[Fri Aug 12 22:13:25.345813 2016] [:error] [pid 3757:tid 140284119717632] return view_func(request, *args, **kwargs)
[Fri Aug 12 22:13:25.345820 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/
[Fri Aug 12 22:13:25.345827 2016] [:error] [pid 3757:tid 140284119717632] return view_func(request, *args, **kwargs)
[Fri Aug 12 22:13:25.345834 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/
[Fri Aug 12 22:13:25.345843 2016] [:error] [pid 3757:tid 140284119717632] return view_func(request, *args, **kwargs)
[Fri Aug 12 22:13:25.345856 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/lib/
[Fri Aug 12 22:13:25.345877 2016] [:error] [pid 3757:tid 140284119717632] return self.dispatch(
[Fri Aug 12 22:13:25.345883 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/lib/
[Fri Aug 12 22:13:25.345889 2016] [:error] [pid 3757:tid 140284119717632] return handler(request, *args, **kwargs)
[Fri Aug 12 22:13:25.345894 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/
[Fri Aug 12 22:13:25.345901 2016] [:error] [pid 3757:tid 140284119717632] handled = self.construct_
[Fri Aug 12 22:13:25.345906 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/
[Fri Aug 12 22:13:25.345913 2016] [:error] [pid 3757:tid 140284119717632] handled = self.handle_
[Fri Aug 12 22:13:25.345919 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/
[Fri Aug 12 22:13:25.345924 2016] [:error] [pid 3757:tid 140284119717632] data = self._get_
[Fri Aug 12 22:13:25.345930 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/
[Fri Aug 12 22:13:25.345936 2016] [:error] [pid 3757:tid 140284119717632] self._data = {self.table_
[Fri Aug 12 22:13:25.345943 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/
[Fri Aug 12 22:13:25.345951 2016] [:error] [pid 3757:tid 140284119717632] t.domain_name = domain_
[Fri Aug 12 22:13:25.345958 2016] [:error] [pid 3757:tid 140284119717632] AttributeError: 'NoneType' object has no attribute 'get'
Thanks,
Shaju
tags: | added: config horizon rbac |
tags: | added: keystonev3 |
information type: | Proprietary → Public |
tags: | added: blocker |
I tried this on nodeb5 (3.1.1.0-42, Mitaka, Keystone V3 and RBAC) today. I don't think contrail RBAC is related to my observations. I created a domain (dsetia-domain) and a project in it (dsetia-project). I also created a user called dsetia-user. If dsetia-user is assigned a role in domain, I was unable to login to Horizon UI. The browser screen showed an error and following trace appears in logs:
Pure project admin doesn't have a domain token python2. 7/dist- packages/ django/ core/handlers/ base.py" , line 132, in get_response callback( request, *callback_args, **callback_kwargs) openstack- dashboard/ openstack_ dashboard/ wsgi/.. /../horizon/ decorators. py", line 36, in dec openstack- dashboard/ openstack_ dashboard/ wsgi/.. /../horizon/ decorators. py", line 52, in dec openstack- dashboard/ openstack_ dashboard/ wsgi/.. /../horizon/ decorators. py", line 36, in dec python2. 7/dist- packages/ django/ views/generic/ base.py" , line 71, in view request, *args, **kwargs) python2. 7/dist- packages/ django/ views/generic/ base.py" , line 89, in dispatch openstack- dashboard/ openstack_ dashboard/ wsgi/.. /../horizon/ tables/ views.py" , line 159, in get tables( ) openstack- dashboard/ openstack_ dashboard/ wsgi/.. /../horizon/ tables/ views.py" , line 150, in construct_tables table(table) openstack- dashboard/ openstack_ dashboard/ wsgi/.. /../horizon/ tables/ views.py" , line 121, in handle_table data_dict( ) openstack- dashboard/ openstack_ dashboard/ wsgi/.. /../horizon/ tables/ views.py" , line 187, in _get_data_dict class._ meta.name: self.get_data()} File "/usr/share/ openstack- dashboard/ openstack_ dashboard/ wsgi/.. /../openstack_ dashboard/ dashboards/ identity/ projects/ views.py" , line 115, in get_data lookup. get(t.domain_ id)
Internal Server Error: /horizon/identity/
Traceback (most recent call last):
File "/usr/lib/
response = wrapped_
File "/usr/share/
return view_func(request, *args, **kwargs)
File "/usr/share/
return view_func(request, *args, **kwargs)
File "/usr/share/
return view_func(request, *args, **kwargs)
File "/usr/lib/
return self.dispatch(
File "/usr/lib/
return handler(request, *args, **kwargs)
File "/usr/share/
handled = self.construct_
File "/usr/share/
handled = self.handle_
File "/usr/share/
data = self._get_
File "/usr/share/
self._data = {self.table_
t.domain_name = domain_
AttributeError: 'NoneType' object has no attribute 'get'
If I remove role assignment from domain and instead assign role to dsetia-user in dsetia-project, I am able to login. However, post login there is error in fetching projects. THIS I believe is expected since listing of projects is likely a cloud-admin operation.
The behavior when user is member of no-default domain is surprising and I believe this used to work. If fact, that scenario should trigger a domain scope token (if user isn't member of any project) which should allow domain wide access.
I also installed devstack (stable/mitaka) and created same non-default domain, project and user. With user a member of domain alone, I was able to login to horizon. However when I navigate to see users etc, I see same error as above in logs. I did not see domains tab at all. Clicking on proje...