policy.v3cloudsample.json broken in mitaka
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Dashboard (Horizon) | New | Undecided | Unassigned | |
OpenStack Identity (keystone) | Incomplete | High | Unassigned | |
Bug Description
We have a multi-domain configuration in our private cloud that I've had to revert to using the Liberty policy.
Horizon is generating the following trace when a domain admin is trying to look at projects/users:
[pid: 22842|app: 0|req: 5/17] 10.38.202.12 () {46 vars in 907 bytes} [Thu Jun 2 07:17:24 2016] GET / => generated 0 bytes in 5 msecs (HTTP/1.1 302) 5 headers in 198 bytes (1 switches on core 1)
Internal Server Error: /identity/
Traceback (most recent call last):
File "/opt/mhos/
response = wrapped_
File "/opt/mhos/
return view_func(request, *args, **kwargs)
File "/opt/mhos/
return view_func(request, *args, **kwargs)
File "/opt/mhos/
return view_func(request, *args, **kwargs)
File "/opt/mhos/
return self.dispatch(
File "/opt/mhos/
return handler(request, *args, **kwargs)
File "/opt/mhos/
handled = self.construct_
File "/opt/mhos/
handled = self.handle_
File "/opt/mhos/
data = self._get_
File "/opt/mhos/
self._data = {self.table_
File "/opt/mhos/
self.request):
File "/opt/mhos/
return policy_
File "/opt/mhos/
enforcer[
File "/opt/mhos/
if not enforcer_
File "/opt/mhos/
result = self.rules[
File "/opt/mhos/
if rule(target, cred, enforcer):
File "/opt/mhos/
return enforcer.
File "/opt/mhos/
if not rule(target, cred, enforcer):
File "/opt/mhos/
if rule(target, cred, enforcer):
File "/opt/mhos/
return self._find_
File "/opt/mhos/
return self._find_
File "/opt/mhos/
test_value = test_value[key]
TypeError: 'Token' object has no attribute '__getitem__'
[pid: 22837|app: 0|req: 5/18] 10.38.202.12 () {46 vars in 925 bytes} [Thu Jun 2 07:17:24 2016] GET /identity/ => generated 375516 bytes in 251 msecs (HTTP/1.1 500) 4 headers in 145 bytes (2 switches on core 0)
Or we will get another trace, as follows, which is a bit more understandable:
[pid: 22623|app: 0|req: 17/76] 10.38.202.12 () {44 vars in 3206 bytes} [Thu Jun 2 07:05:15 2016] GET /i18n/js/
ders in 132 bytes (1 switches on core 1)
Pure project admin doesn't have a domain token
Internal Server Error: /identity/users/
Traceback (most recent call last):
File "/opt/mhos/
response = wrapped_
File "/opt/mhos/
return view_func(request, *args, **kwargs)
File "/opt/mhos/
return view_func(request, *args, **kwargs)
File "/opt/mhos/
return view_func(request, *args, **kwargs)
File "/opt/mhos/
return self.dispatch(
File "/opt/mhos/
return handler(request, *args, **kwargs)
File "/opt/mhos/
handled = self.construct_
File "/opt/mhos/
handled = self.handle_
File "/opt/mhos/
data = self._get_
File "/opt/mhos/
self._data = {self.table_
File "/opt/mhos/
u.domain_name = domain_
AttributeError: 'NoneType' object has no attribute 'get'
[pid: 22619|app: 0|req: 15/77] 10.38.202.12 () {46 vars in 3190 bytes} [Thu Jun 2 07:05:19 2016] GET /identity/users/ => generated 340688 bytes in 413 msecs (HTTP/1.1 500) 4 headers in 145 bytes (2 switches on core 0)
The 2nd trace usually is associated with situations where the V2 policy is in effect.
Horizon Config:
Memcached backend for caching
Session DB configured
As a workaround, we reverted to the Liberty policy.
We believe the issue lies around the following line (pulled from master):
https:/
And yes, the admin_domain_id was correctly set.
We feel that this breaks domain functionality and I would like someone to take a look and let us know if this is a configuration problem and why this works without failure with the Liberty policy.
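The last frames of the first trace show a dict-style lookup (`test_value = test_value[key]`) reaching a `Token` object. The sketch below is an added example, not code from Horizon, keystone or the policy library: it reproduces that failure with a dotted-path check over a credentials mapping, then shows a traversal that treats a non-mapping as "no match" so the check denies instead of raising, and a normalisation step that hands the check plain data. The `Token` class, the function names and the `token.is_admin_project` path are all hypothetical stand-ins.

```python
from collections.abc import Mapping

MISSING = object()  # sentinel: path could not be resolved


class Token:
    """Hypothetical stand-in: exposes attributes, not dict keys."""
    def __init__(self, is_admin_project):
        self.is_admin_project = is_admin_project


def strict_lookup(creds, dotted_path):
    """[]-only traversal, the pattern visible in the last trace frame."""
    value = creds
    for key in dotted_path.split("."):
        value = value[key]  # TypeError if value is an object, not a mapping
    return value


def tolerant_lookup(creds, dotted_path):
    """Same traversal, but an unresolvable segment yields MISSING."""
    value = creds
    for key in dotted_path.split("."):
        if not isinstance(value, Mapping) or key not in value:
            return MISSING
        value = value[key]
    return value


def check(creds, dotted_path, expected, lookup):
    """Allow only on an exact match; anything unresolved is a deny."""
    found = lookup(creds, dotted_path)
    return found is not MISSING and str(found) == expected


def token_to_dict(token):
    """Flatten the object to plain data before it reaches the check."""
    return {"is_admin_project": token.is_admin_project}


# Constructed sample credentials; key names are illustrative only.
PATH = "token.is_admin_project"
CREDS_WITH_OBJECT = {"roles": ["admin"], "token": Token(True)}
CREDS_WITH_DICT = {"roles": ["admin"], "token": token_to_dict(Token(True))}

if __name__ == "__main__":
    print(check(CREDS_WITH_OBJECT, PATH, "True", tolerant_lookup))
    print(check(CREDS_WITH_DICT, PATH, "True", strict_lookup))
```

On Python 3 the strict lookup raises `TypeError: 'Token' object is not subscriptable`; the `__getitem__` wording in the trace is the Python 2 form of the same error.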
Changed in keystone: milestone: none → newton-3
I'm trying to read between the backtrace lines, and I actually can't tell if "Pure project admin doesn't have a domain token" is part of an error message or not - can you clarify? I don't see anything in keystone that would raise that, but it sounds like something Adam would know about :)
I also don't understand when you get the second backtrace - it looks like a user object is unexpectedly (and wrongly) missing a domain_id attribute (that should never happen). The first is a failure in policy, again, that I'm hoping Adam Young can explain.