1294709 – Horizon project list issue with keystone v2

Bug 1294709 - Horizon project list issue with keystone v2 [NEEDINFO]

Summary: Horizon project list issue with keystone v2

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	python-django-horizon
Sub Component:
Version:	7.0 (Kilo)
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Target Release:	7.0 (Kilo)
Assignee:	Matthias Runge
QA Contact:	Ido Ovadia
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-12-29 22:31 UTC by Muhammad Shahid Masood
Modified:	2016-02-25 09:04 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-02-25 09:04:06 UTC
Target Upstream Version:
Flags:	mrunge: needinfo? (me)

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Muhammad Shahid Masood 2015-12-29 22:31:37 UTC

Description of problem:
I am running keystone version 2 and in the local_setting of openstack-dashboard its version 2 (OPENSTACK_KEYSTONE_URL = "http://%s:5000/v2.0" % OPENSTACK_HOST) but when i login with admin or user account, it logins but its not showing project list if user is part of multiple projects and unable to switch role and its showing error 401 in error_log of httpd. (log pasted in actual result tab )

I fix the error by changing the openstack api version from 2 to 3

OPENSTACK_API_VERSIONS = {
     "identity": 3
}

 but leaving the endpoint url OPENSTACK_KEYSTONE_URL = v2.0.  <== 


After applying the above the problem is fixed but i can login and browse the project list all the normal tasks  but still getting error in the log: 

[Tue Dec 29 21:59:23.245455 2015] [:error] [pid 4944] Login successful for user "shahid".
[Tue Dec 29 21:59:23.660515 2015] [:error] [pid 4944] The settings.py file points to a v2.0 keystone endpoint, but v3 is specified as the API version to use. Using v3 endpoint for authentication.

( It does not make any sense because i have keystone running as version 2 but the error log is saying using v3 endpoint for authentication and it still works and able to login and can also browse the projects) 

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1.Set endpoint URL with v2.0
2.Set OPENSTACK_API_VERSIONS = {"identity": 2}
3. Restart http and memcache and try to login the horizon. It will login but unable to browse the project list

Actual results:


[Tue Dec 29 21:43:27.064771 2015] [:error] [pid 4589] Unable to retrieve project list.
[Tue Dec 29 21:43:27.064800 2015] [:error] [pid 4589] Traceback (most recent call last):
[Tue Dec 29 21:43:27.064805 2015] [:error] [pid 4589]   File "/usr/lib/python2.7/site-packages/openstack_auth/user.py", line 316, in authorized_tenants
[Tue Dec 29 21:43:27.064808 2015] [:error] [pid 4589]     is_federated=self.is_federated)
[Tue Dec 29 21:43:27.064811 2015] [:error] [pid 4589]   File "/usr/lib/python2.7/site-packages/openstack_auth/utils.py", line 145, in wrapper
[Tue Dec 29 21:43:27.064814 2015] [:error] [pid 4589]     result = func(*args, **kwargs)
[Tue Dec 29 21:43:27.064818 2015] [:error] [pid 4589]   File "/usr/lib/python2.7/site-packages/openstack_auth/utils.py", line 256, in get_project_list
[Tue Dec 29 21:43:27.064847 2015] [:error] [pid 4589]     projects = client.tenants.list()
[Tue Dec 29 21:43:27.064853 2015] [:error] [pid 4589]   File "/usr/lib/python2.7/site-packages/keystoneclient/v2_0/tenants.py", line 123, in list
[Tue Dec 29 21:43:27.064870 2015] [:error] [pid 4589]     tenant_list = self._list('/tenants%s' % query, 'tenants')
[Tue Dec 29 21:43:27.064890 2015] [:error] [pid 4589]   File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 113, in _list
[Tue Dec 29 21:43:27.064916 2015] [:error] [pid 4589]     resp, body = self.client.get(url, **kwargs)
[Tue Dec 29 21:43:27.064921 2015] [:error] [pid 4589]   File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 170, in get
[Tue Dec 29 21:43:27.064923 2015] [:error] [pid 4589]     return self.request(url, 'GET', **kwargs)
[Tue Dec 29 21:43:27.064926 2015] [:error] [pid 4589]   File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 206, in request
[Tue Dec 29 21:43:27.064928 2015] [:error] [pid 4589]     resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
[Tue Dec 29 21:43:27.064942 2015] [:error] [pid 4589]   File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 95, in request
[Tue Dec 29 21:43:27.064955 2015] [:error] [pid 4589]     return self.session.request(url, method, **kwargs)
[Tue Dec 29 21:43:27.064970 2015] [:error] [pid 4589]   File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
[Tue Dec 29 21:43:27.064980 2015] [:error] [pid 4589]     return func(*args, **kwargs)
[Tue Dec 29 21:43:27.064996 2015] [:error] [pid 4589]   File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 397, in request
[Tue Dec 29 21:43:27.065013 2015] [:error] [pid 4589]     raise exceptions.from_response(resp, method, url)
[Tue Dec 29 21:43:27.065023 2015] [:error] [pid 4589] Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-433b92f3-b6df-4b9e-ae68-60952917340d)

Expected results:


Additional info:
=================
Dashboard version
==================
Name        : openstack-dashboard
Version     : 2015.1.2
Release     : 4.el7ost
Architecture: noarch
Install Date: Sun 27 Dec 2015 12:13:59 AM GST
Group       : Applications/System
Size        : 26789571
License     : ASL 2.0 and BSD
Signature   : RSA/SHA256, Tue 15 Dec 2015 07:01:17 PM GST, Key ID 199e2f91fd431d51
Source RPM  : python-django-horizon-2015.1.2-4.el7ost.src.rpm
Build Date  : Tue 08 Dec 2015 02:45:34 PM GST
Build Host  : x86-034.build.eng.bos.redhat.com

===================
Keystone Version
===================
Name        : openstack-keystone
Version     : 2015.1.2
Release     : 2.el7ost
Architecture: noarch
Install Date: Sun 27 Dec 2015 12:06:34 AM GST
Group       : Unspecified
Size        : 115305
License     : ASL 2.0
Signature   : RSA/SHA256, Mon 23 Nov 2015 06:46:31 AM GST, Key ID 199e2f91fd431d51
Source RPM  : openstack-keystone-2015.1.2-2.el7ost.src.rpm
Build Date  : Wed 18 Nov 2015 12:13:12 AM GST
Build Host  : x86-034.build.eng.bos.redhat.com

Comment 2 Matthias Runge 2015-12-30 09:16:06 UTC

what kind of keystone tokens do you use?

The messages you're seeing in the error log are shown due to your logging dictionary in local_settings. Messages logged to a logfile are tagged with error, even if they are informational, like 
Login successful for user "shahid".

Comment 3 Muhammad Shahid Masood 2015-12-30 09:32:55 UTC

I am using PKI tokens.

Comment 4 Matthias Runge 2015-12-30 09:48:40 UTC

If you can, switch to uuid tokens. PKI tokens are flawed in several ways.

PKI tokens are deprecated by keystone, there is a known security issue

https://wiki.openstack.org/wiki/OSSN/OSSN-0062

Comment 5 Muhammad Shahid Masood 2015-12-30 14:35:27 UTC

Thanks for sharing the document related to PKI.

well i have configured keystone with UUID tokens but it have same issue with project list if i use api identity v2 and openstack keystone url v2. Changing api version to 3 and keeping openstack keystone url 2.0 (As described in the first post) solves the issue of project list whether using pki or uuid token.

Comment 6 Matthias Runge 2016-01-04 09:29:17 UTC

are you using keystone v3 feautures, like hierarchical projects?

Comment 7 Matthias Runge 2016-02-25 09:04:06 UTC

Closing this due to missing response. Feel free to re-open, when it happens again.

Note You need to log in before you can comment on or make changes to this bug.