R3.1-build-19-mitaka-keystonev3 with multi-domain- horizon not displaying project with user login creds

Bug #1612853 reported by shajuvk
This bug affects 4 people
Affects: Juniper Openstack (status tracked in Trunk)
R3.1: Fix Committed, importance High, assigned to Deepinder Setia
R3.2: Fix Committed, importance High, assigned to Deepinder Setia
Trunk: Fix Committed, importance High, assigned to Deepinder Setia

Bug Description

Hi All,

While testing Keystone v3 with RBAC, I am seeing the issues below on Horizon. Do I need any other configuration to resolve them? Screenshots of both issues are attached.

Issue 1: Project tab does not display the project name (screenshot: issue1)
Steps:
1. Create a domain (name: mydomain) and a project (name: project1-mydomain), and add a user (name: user1-project1-mydomain) as admin in project1-mydomain
2. Log in to Horizon with mydomain and the user credentials, then click on the Project tab (project1-mydomain is not listed)

Issue 2: If I add the above user (user1-project1-mydomain) as an admin to the domain (mydomain), the Horizon page shows "something went wrong" (screenshot: issue2)

root@a5s9:~# openstack role list --user user1-project1-mydomain --domain mydomain
+----------------------------------+-------+----------+-------------------------+
| ID | Name | Domain | User |
+----------------------------------+-------+----------+-------------------------+
| 5f5ab31c772f450780317b3102cc6705 | admin | mydomain | user1-project1-mydomain |
+----------------------------------+-------+----------+-------------------------+

root@a5s9:/etc/keystone# openstack user show user1-project1-mydomain
+--------------------+----------------------------------+
| Field | Value |
+--------------------+----------------------------------+
| default_project_id | 02267056232748d5921cd74f44169c70 |
| domain_id | 7110cd18083343d2beb6771c43be2ed3 |
| enabled | True |
| id | a0f2b3e05f714a05a48ef48055084fae |
| name | user1-project1-mydomain |

root@a5s9:/etc/keystone# openstack role list --user user1-project1-mydomain --project project1-mydomain
+----------------------------------+-------+-------------------+-------------------------+
| ID | Name | Project | User |
+----------------------------------+-------+-------------------+-------------------------+
| 5f5ab31c772f450780317b3102cc6705 | admin | project1-mydomain | user1-project1-mydomain |

Horizon exception (apache2/error.log) on Issue 2
==========================

[Fri Aug 12 22:13:04.350108 2016] [:error] [pid 3755:tid 140284044183296] Deleted token 9de2cca079a14df0891daf551b137839
[Fri Aug 12 22:13:23.973484 2016] [:error] [pid 3757:tid 140284044183296] Login successful for user "user1-project1-mydomain".
[Fri Aug 12 22:13:25.239978 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.240704 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.241225 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.276170 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.276738 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.278068 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.278624 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.321291 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.321836 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.322383 2016] [:error] [pid 3757:tid 140284119717632] Failed to create user from domain scoped token.
[Fri Aug 12 22:13:25.345193 2016] [:error] [pid 3757:tid 140284119717632] Pure project admin doesn't have a domain token
[Fri Aug 12 22:13:25.345762 2016] [:error] [pid 3757:tid 140284119717632] Internal Server Error: /horizon/identity/
[Fri Aug 12 22:13:25.345783 2016] [:error] [pid 3757:tid 140284119717632] Traceback (most recent call last):
[Fri Aug 12 22:13:25.345791 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py", line 132, in get_response
[Fri Aug 12 22:13:25.345798 2016] [:error] [pid 3757:tid 140284119717632] response = wrapped_callback(request, *callback_args, **callback_kwargs)
[Fri Aug 12 22:13:25.345805 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/decorators.py", line 36, in dec
[Fri Aug 12 22:13:25.345813 2016] [:error] [pid 3757:tid 140284119717632] return view_func(request, *args, **kwargs)
[Fri Aug 12 22:13:25.345820 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/decorators.py", line 52, in dec
[Fri Aug 12 22:13:25.345827 2016] [:error] [pid 3757:tid 140284119717632] return view_func(request, *args, **kwargs)
[Fri Aug 12 22:13:25.345834 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/decorators.py", line 36, in dec
[Fri Aug 12 22:13:25.345843 2016] [:error] [pid 3757:tid 140284119717632] return view_func(request, *args, **kwargs)
[Fri Aug 12 22:13:25.345856 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/lib/python2.7/dist-packages/django/views/generic/base.py", line 71, in view
[Fri Aug 12 22:13:25.345877 2016] [:error] [pid 3757:tid 140284119717632] return self.dispatch(request, *args, **kwargs)
[Fri Aug 12 22:13:25.345883 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/lib/python2.7/dist-packages/django/views/generic/base.py", line 89, in dispatch
[Fri Aug 12 22:13:25.345889 2016] [:error] [pid 3757:tid 140284119717632] return handler(request, *args, **kwargs)
[Fri Aug 12 22:13:25.345894 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/tables/views.py", line 159, in get
[Fri Aug 12 22:13:25.345901 2016] [:error] [pid 3757:tid 140284119717632] handled = self.construct_tables()
[Fri Aug 12 22:13:25.345906 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/tables/views.py", line 150, in construct_tables
[Fri Aug 12 22:13:25.345913 2016] [:error] [pid 3757:tid 140284119717632] handled = self.handle_table(table)
[Fri Aug 12 22:13:25.345919 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/tables/views.py", line 121, in handle_table
[Fri Aug 12 22:13:25.345924 2016] [:error] [pid 3757:tid 140284119717632] data = self._get_data_dict()
[Fri Aug 12 22:13:25.345930 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/tables/views.py", line 187, in _get_data_dict
[Fri Aug 12 22:13:25.345936 2016] [:error] [pid 3757:tid 140284119717632] self._data = {self.table_class._meta.name: self.get_data()}
[Fri Aug 12 22:13:25.345943 2016] [:error] [pid 3757:tid 140284119717632] File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/identity/projects/views.py", line 115, in get_data
[Fri Aug 12 22:13:25.345951 2016] [:error] [pid 3757:tid 140284119717632] t.domain_name = domain_lookup.get(t.domain_id)
[Fri Aug 12 22:13:25.345958 2016] [:error] [pid 3757:tid 140284119717632] AttributeError: 'NoneType' object has no attribute 'get'

Thanks,
Shaju

shajuvk (shajuvk)
tags: added: config horizon rbac
tags: added: keystonev3
Deepinder Setia (dsetia) wrote :

I tried this on nodeb5 (3.1.1.0-42, Mitaka, Keystone V3 and RBAC) today. I don't think contrail RBAC is related to my observations. I created a domain (dsetia-domain) and a project in it (dsetia-project). I also created a user called dsetia-user. If dsetia-user is assigned a role in domain, I was unable to login to Horizon UI. The browser screen showed an error and following trace appears in logs:

Pure project admin doesn't have a domain token
 Internal Server Error: /horizon/identity/
 Traceback (most recent call last):
   File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py", line 132, in get_response
     response = wrapped_callback(request, *callback_args, **callback_kwargs)
   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/decorators.py", line 36, in dec
     return view_func(request, *args, **kwargs)
   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/decorators.py", line 52, in dec
     return view_func(request, *args, **kwargs)
   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/decorators.py", line 36, in dec
     return view_func(request, *args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/django/views/generic/base.py", line 71, in view
     return self.dispatch(request, *args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/django/views/generic/base.py", line 89, in dispatch
     return handler(request, *args, **kwargs)
   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/tables/views.py", line 159, in get
     handled = self.construct_tables()
   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/tables/views.py", line 150, in construct_tables
     handled = self.handle_table(table)
   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/tables/views.py", line 121, in handle_table
     data = self._get_data_dict()
   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../horizon/tables/views.py", line 187, in _get_data_dict
     self._data = {self.table_class._meta.name: self.get_data()}
   File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/identity/projects/views.py", line 115, in get_data
     t.domain_name = domain_lookup.get(t.domain_id)
 AttributeError: 'NoneType' object has no attribute 'get'

If I remove role assignment from domain and instead assign role to dsetia-user in dsetia-project, I am able to login. However, post login there is error in fetching projects. THIS I believe is expected since listing of projects is likely a cloud-admin operation.

The behavior when the user is a member of a non-default domain is surprising, and I believe this used to work. In fact, that scenario should trigger a domain scoped token (if the user isn't a member of any project), which should allow domain wide access.

I also installed devstack (stable/mitaka) and created same non-default domain, project and user. With user a member of domain alone, I was able to login to horizon. However when I navigate to see users etc, I see same error as above in logs. I did not see domains tab at all. Clicking on proje...

Deepinder Setia (dsetia) wrote :

Another observation - I am able to login to non-default domain as admin as long as there is no project in that domain. The moment I create a project, login as domain admin fails. This appears to be somehow related to identity:list_domains rule in policy.json

Deepinder Setia (dsetia) wrote :
information type: Proprietary → Public
tags: added: blocker
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/26633
Submitter: Deepinder Setia (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/26633
Committed: http://github.org/Juniper/contrail-provisioning/commit/659fc9185e1114d58e6910cf5bb7cd2004315a12
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 659fc9185e1114d58e6910cf5bb7cd2004315a12
Author: Deepinder Setia <email address hidden>
Date: Wed Nov 30 14:07:12 2016 -0800

keystone V3: make horizon identity policy file consistent with what is
used by keystone. Also, make the workaround suggested in the openstack bug
https://bugs.launchpad.net/oslo.policy/+bug/1547684

Change-Id: I20920887a63b84531ffb789877934aaa7099a3a8
Closes-Bug: #1612853

Deepinder Setia (dsetia) wrote :

Aswani,

I think the behavior is expected. Consider the following rule in keystone policy.json:

    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",

When the user has a role in the project alone, a project scoped token is generated. Thus the above rule will not match and the UI will not be able to list its own or any other project in the domain. The domain id in the rule above is missing in a project scoped token.

If the user is made admin of the domain also, upon login, the project tab and project list will be visible, as the domain id is present in the token and the above rule matches.
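
The rule evaluation described in the comment above, worked through as an added example (not code from Keystone, oslo.policy or the committed fix). It is a simplified evaluator for only the policy syntax quoted here; the `admin_required` and `cloud_admin` definitions, the placeholder admin domain id and the shape of the credential dictionaries are assumptions, while the ids come from the `openstack user show` output in the report.

```python
# Simplified evaluator for the subset of policy syntax used here:
# "rule:", "role:" and "key:value" checks joined by "and" / "or".
# Not oslo.policy itself; no parentheses or "not" support.

DOMAIN_ID = "7110cd18083343d2beb6771c43be2ed3"   # domain_id from the report
PROJECT_ID = "02267056232748d5921cd74f44169c70"  # default_project_id from the report
USER_ID = "a0f2b3e05f714a05a48ef48055084fae"     # user id from the report

POLICY = {
    # The two rules quoted in the comment above.
    "identity:list_projects":
        "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "admin_and_matching_domain_id":
        "rule:admin_required and domain_id:%(domain_id)s",
    # Assumed definitions, not shown on the page.
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:ADMIN_DOMAIN_ID_PLACEHOLDER",
}


def check(atom, creds, target):
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return enforce(match, creds, target)
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    # Generic check: creds[kind] must equal `match` once %(key)s has been
    # filled in from the request target.
    try:
        expected = match % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == expected


def enforce(rule, creds, target):
    # "or" binds weaker than "and".
    return any(
        all(check(a.strip(), creds, target) for a in conj.split(" and "))
        for conj in POLICY[rule].split(" or ")
    )


# Constructed credentials as the policy engine would see them (assumed shape):
# a project scoped token carries project_id but no domain_id.
PROJECT_SCOPED = {"user_id": USER_ID, "project_id": PROJECT_ID, "roles": ["admin"]}
DOMAIN_SCOPED = {"user_id": USER_ID, "domain_id": DOMAIN_ID, "roles": ["admin"]}


def can_list_projects(creds, domain_id=DOMAIN_ID):
    return enforce("identity:list_projects", creds, {"domain_id": domain_id})


if __name__ == "__main__":
    print("project scoped:", can_list_projects(PROJECT_SCOPED))
    print("domain scoped: ", can_list_projects(DOMAIN_SCOPED))
```

The same domain scoped credentials are refused when the target is a different domain, which is the isolation property `admin_and_matching_domain_id` exists to enforce.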

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/26851
Submitter: Deepinder Setia (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/27150
Submitter: Deepinder Setia (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/27150
Committed: http://github.org/Juniper/contrail-provisioning/commit/b372c3adfa50625ca0449d133d6d4f1bfd5d82a5
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit b372c3adfa50625ca0449d133d6d4f1bfd5d82a5
Author: Deepinder Setia <email address hidden>
Date: Mon Dec 12 13:32:39 2016 -0800

Propagate the V3 keystone policy.json to Centos etc.

Change-Id: I9509e212f9537005cae1b362f506d6d84cad9aa0
Closes-Bug: #1612853

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/27761
Submitter: Deepinder Setia (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/26851
Committed: http://github.org/Juniper/contrail-provisioning/commit/f09b077a1e51b6f28f5d72fc16c46b779e9ab877
Submitter: Zuul (<email address hidden>)
Branch: master

commit f09b077a1e51b6f28f5d72fc16c46b779e9ab877
Author: Deepinder Setia <email address hidden>
Date: Wed Nov 30 14:07:12 2016 -0800

keystone V3: make horizon identity policy file consistent with what is
used by keystone. Also, make the workaround suggested in the openstack bug
https://bugs.launchpad.net/oslo.policy/+bug/1547684

Change-Id: I20920887a63b84531ffb789877934aaa7099a3a8
Closes-Bug: #1612853
(cherry picked from commit 659fc9185e1114d58e6910cf5bb7cd2004315a12)

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/27761
Committed: http://github.org/Juniper/contrail-provisioning/commit/840101953ec7464e7e91948eca87856cad0d0cf6
Submitter: Zuul (<email address hidden>)
Branch: R3.1

commit 840101953ec7464e7e91948eca87856cad0d0cf6
Author: Deepinder Setia <email address hidden>
Date: Wed Nov 30 14:07:12 2016 -0800

keystone V3: make horizon identity policy file consistent with what is
used by keystone. Also, make the workaround suggested in the openstack bug
https://bugs.launchpad.net/oslo.policy/+bug/1547684

Change-Id: I20920887a63b84531ffb789877934aaa7099a3a8
Closes-Bug: #1612853
(cherry picked from commit 659fc9185e1114d58e6910cf5bb7cd2004315a12)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/28079
Submitter: Deepinder Setia (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/28079
Committed: http://github.org/Juniper/contrail-provisioning/commit/967e5409511371ebf8ce01e805be3a8c2985074d
Submitter: Zuul (<email address hidden>)
Branch: R3.1

commit 967e5409511371ebf8ce01e805be3a8c2985074d
Author: Deepinder Setia <email address hidden>
Date: Mon Dec 12 13:32:39 2016 -0800

Propagate the V3 keystone policy.json to Centos etc.

Change-Id: I9509e212f9537005cae1b362f506d6d84cad9aa0
Closes-Bug: #1612853
(cherry picked from commit b372c3adfa50625ca0449d133d6d4f1bfd5d82a5)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/29449
Submitter: Deepinder Setia (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/29449
Committed: http://github.org/Juniper/contrail-provisioning/commit/3e67a1350d84c8fa01d3198cb783fc1e0c3e11af
Submitter: Zuul (<email address hidden>)
Branch: master

commit 3e67a1350d84c8fa01d3198cb783fc1e0c3e11af
Author: Deepinder Setia <email address hidden>
Date: Mon Dec 12 13:32:39 2016 -0800

Propagate the V3 keystone policy.json to Centos etc.

Change-Id: I9509e212f9537005cae1b362f506d6d84cad9aa0
Closes-Bug: #1612853
(cherry picked from commit b372c3adfa50625ca0449d133d6d4f1bfd5d82a5)
(cherry picked from commit 967e5409511371ebf8ce01e805be3a8c2985074d)
