Bug 1360940
| Summary: | Regression: User list as project admin after IDM integration from Horizon dashboard logging out user and sending him/her back to the login page | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Andreas Karis <akaris> |
| Component: | python-django-horizon | Assignee: | Radomir Dopieralski <rdopiera> |
| Status: | CLOSED WONTFIX | QA Contact: | Ido Ovadia <iovadia> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.0 (Kilo) | CC: | akaris, athomas, beth.white, mrunge, srevivo |
| Target Milestone: | --- | Keywords: | Triaged, ZStream |
| Target Release: | 8.0 (Liberty) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-10-30 14:42:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1287586 | | |
| Bug Blocks: | | | |
| Attachments: | | | |

Description
Andreas Karis
2016-07-27 23:17:20 UTC
This is an issue, because there is no error message at all which is presented to the user. Even the state of https://bugzilla.redhat.com/show_bug.cgi?id=1332325 provided more useful output / information to the user. In order to log into the dashboard again after this happens, the user needs to use private browsing or delete the browser cache.

Here is the error message from horizon logs:
~~~
2016-07-27 23:22:13,237 17593 ERROR horizon.exceptions Unauthorized: The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-cc1c5a4c-5d2e-4cb1-bb6e-f2622ce41647)
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/identity/users/views.py", line 55, in get_data
    domain=domain_context)
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/api/keystone.py", line 310, in user_list
    users = keystoneclient(request, admin=True).users.list(**kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/users.py", line 108, in list
    **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 73, in func
    return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 361, in list
    self.collection_key)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 113, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 170, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 206, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/adapter.py", line 95, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 397, in request
    raise exceptions.from_response(resp, method, url)
Unauthorized: The request you have made requires authentication. (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-cc1c5a4c-5d2e-4cb1-bb6e-f2622ce41647)
~~~

Created attachment 1184840 [details]
failed login redirect
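
For triage of the 401 traceback quoted in the description, the following is an added example (not part of the bug report and not Horizon code) that parses Horizon log lines in that format and reports which dashboard view and `openstack_dashboard/api` wrapper raised each `Unauthorized`. The function names, the shortened sample log, its request IDs and the `groups`/`group_list` frames are constructed for illustration.

```python
import re
from collections import Counter

# First line of a 401 as logged by horizon.exceptions (format taken from this report).
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ \d+ ERROR horizon\.exceptions "
    r"Unauthorized: .*\(HTTP 401\) \(Request-ID: (?P<req>req-[0-9a-f-]+)\)")
FRAME = re.compile(r'^\s*File "(?P<path>[^"]+)", line \d+, in (?P<func>\w+)')

def unauthorized_events(lines):
    """One record per 401 traceback: time, request id, panel view, API wrapper."""
    events, cur = [], None
    for line in lines:
        head = HEADER.match(line)
        if head:
            cur = {"ts": head["ts"], "request_id": head["req"], "view": None, "api": None}
            events.append(cur)
        elif cur is not None and line.startswith("Unauthorized:"):
            cur = None  # the bare exception line closes the traceback
        elif cur is not None:
            frame = FRAME.match(line)
            if not frame:
                continue
            path, func = frame["path"], frame["func"]
            if "/openstack_dashboard/dashboards/" in path and cur["view"] is None:
                cur["view"] = path.rsplit("/dashboards/", 1)[1] + ":" + func
            elif "/openstack_dashboard/api/" in path:
                cur["api"] = path.rsplit("/api/", 1)[1] + ":" + func
    return events

def panels_by_401_count(lines):
    """Count 401s per dashboard view to see which panels trigger the forced logout."""
    return Counter(e["view"] for e in unauthorized_events(lines))

# Constructed sample: shortened tracebacks, placeholder request IDs and line numbers.
MSG = "Unauthorized: The request you have made requires authentication. (HTTP 401)"
ROOT = "/usr/share/openstack-dashboard/openstack_dashboard"
SAMPLE_LOG = [
    "2016-07-27 23:22:13,237 17593 ERROR horizon.exceptions " + MSG
    + " (Request-ID: req-00000000-0000-0000-0000-000000000001)",
    "Traceback (most recent call last):",
    '  File "' + ROOT + '/dashboards/identity/users/views.py", line 55, in get_data',
    '  File "' + ROOT + '/api/keystone.py", line 310, in user_list',
    '  File "/usr/lib/python2.7/site-packages/keystoneclient/session.py", line 397, in request',
    MSG + " (Request-ID: req-00000000-0000-0000-0000-000000000001)",
    "2016-07-27 23:25:40,101 17593 ERROR horizon.exceptions " + MSG
    + " (Request-ID: req-00000000-0000-0000-0000-000000000002)",
    '  File "' + ROOT + '/dashboards/identity/groups/views.py", line 1, in get_data',
    '  File "' + ROOT + '/api/keystone.py", line 1, in group_list',
    MSG + " (Request-ID: req-00000000-0000-0000-0000-000000000002)",
]
```

The request IDs it extracts can be matched against the Keystone log to see why each call was rejected.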
I retested in a new reproducer environment, here are the instructions to reproduce what's happening in this ticket. I will post the instructions for a downgrade and screenshots for comparison after that

========================================================================

I tested again in a lab:

How to reproduce:

1.8. Configure Identity Service

These steps prepare Identity Service for integration with AD DS.

1.8.1. Enable command line access to keystone v3

To manage Identity Service domains from the command line, you need to enable access to keystone v3. Perform this procedure from the controller running Identity Service:

1. Create a copy of the existing keystonerc_admin file:

~~~
# cp keystonerc_admin keystonerc_admin_v3
~~~

2. Edit the new keystonerc_admin_v3 file. Change OS_AUTH_URL from v2.0 to v3:

~~~
export OS_AUTH_URL=http://controllerIP:5000/v3/
~~~

Add the following entries to the bottom of keystonerc_admin_v3.

~~~
export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
~~~

3. Enable these options for your current command line session by sourcing the file:

~~~
# source keystonerc_admin_v3
~~~

1.8.2. Configure the controller

Perform this procedure from the controller running the keystone service:

1. Configure SELinux:

~~~
# setsebool -P authlogin_nsswitch_use_ldap=on
~~~

The output might include messages similar to this. They can be ignored:

~~~
Full path required for exclude: net:[4026532245].
~~~

2. Create the domains directory:

~~~
# mkdir /etc/keystone/domains/
# chown keystone /etc/keystone/domains/
~~~

3. Configure Identity Service to use multiple back ends:

~~~
# openstack-config --set /etc/keystone/keystone.conf identity domain_specific_drivers_enabled true
# openstack-config --set /etc/keystone/keystone.conf identity domain_config_dir /etc/keystone/domains
# openstack-config --set /etc/keystone/keystone.conf assignment driver keystone.assignment.backends.sql.Assignment
~~~

Note

If you are using Red Hat OpenStack Platform director, then you will need to be aware that /etc/keystone/keystone.conf is managed by Puppet. Consequently, any custom configuration you add might be overwritten whenever you run the openstack overcloud deploy process. As a result, you might need to re-add this configuration manually each time. It is expected that a future release of director will include the Puppet parameters that will allow you to re-apply these settings automatically using a post-deployment script.

4. Enable multiple domains in dashboard. Add these lines to /etc/openstack-dashboard/local_settings

~~~
OPENSTACK_API_VERSIONS = { "identity": 3 }
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
~~~

Note

If you are using Red Hat OpenStack Platform director, then you will need to be aware that /etc/openstack-dashboard/local_settings is managed by Puppet. Consequently, any custom configuration you add might be overwritten whenever you run the openstack overcloud deploy process. As a result, you might need to re-add this configuration manually each time. It is expected that a future release of director will include the Puppet parameters that will allow you to re-apply these settings automatically using a post-deployment script.

Restart the keystone and dashboard services to apply the settings:

~~~
# systemctl restart openstack-keystone.service
# systemctl restart httpd
~~~

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Use the default admin credentials from the default rc file

~~~
[stack@undercloud-6 ~]$ cat overcloudrcv3
export OS_NO_CACHE=True
export COMPUTE_API_VERSION=1.1
export OS_USERNAME=admin
export no_proxy=,10.0.0.4
export OS_TENANT_NAME=admin
export OS_CLOUDNAME=overcloud
export OS_AUTH_URL=http://10.0.0.4:5000/v3
export NOVA_VERSION=1.1
export OS_PASSWORD=hBdNvMv4rJxu27vb2uGqxuqjz
export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
~~~

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Go to Identity -> Groups

you will be logged out, can't login again - 302 redirect to the login page

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

use private browsing to login again

Created attachment 1191639 [details]
01-after-clocking-on-groups.png
Created attachment 1191640 [details]
00-brefore-clicking-on-groups.png
Created attachment 1191641 [details]
02-login-without-clear-cache
Created attachment 1191642 [details]
03-need-to-use-private-mode-to-login-again
Instructions for downgrading and reproducing from here on (by the way, I also reproduced this exact same behavior with OSP 8 python-django-horizon-8.0.1-2.el7ost.noarch)

Sorry for not making it clear. I'm not saying that the change of behavior comes from Keystone -- it's definitely in Horizon. Apparently there was a fix that made Horizon handle Unauthorized errors properly -- that is, log out the users and let them log in again. However, since the error returned by Keystone is the same as the error returned when, for instance, your session expired, I have no way of telling the two apart. I think Keystone should be returning a different error, but I need to talk about this with Keystone devs to make sure my understanding is correct.

I did create an environment and I did reproduce the error, I'm now thinking what we can do to handle it.

Created attachment 1191661 [details]
behavior with older packages in OSP 7

So, for the above, install OSP 7 and upgrade to the latest packages. Then, follow instructions in comment 16, and you will get the behavior as within the screenshots. Then, execute

~~~
yum downgrade python-django-horizon-2015.1.2-4.el7ost.noarch openstack-dashboard-2015.1.2-4.el7ost.noarch openstack-dashboard-theme-2015.1.2-4.el7ost.noarch
~~~

Once packages are downgraded, you will see the 'old' error message "Unauthorized: Unable to retrieve user list."

I also noticed something: the reason that users can't login anymore is likely due to the fact that on a subsequent login, they automatically log into the last page that they visited? Hence this login -> logout loop.

Also, the issue exists in OSP 8, same thing, admin user is logged out when he goes to Identity -> Users

Awesome, thanks and sorry for the misunderstanding. I hope that the additional details help. I have a reproducer environment for the day at least, if you need any additional information, let me know.

I did a little bit of research, and it turns out that multidomain support is only officially supported in Horizon starting with OSP9. It's definitely not supported in OSP7.

(In reply to Andreas Karis from comment #26)
> Awesome, thanks and sorry for the misunderstanding. I hope that the
> additional details help. I have a reproducer environment for the day at
> least, if you need any additional information, let me know.

In addition to comment 28, the scenario described in this bug requires support for domain scoped tokens in horizon https://bugzilla.redhat.com/show_bug.cgi?id=1287586

It seems that we can't support this kind of configuration in that version of OSP.

Since there has been no answer, I think we should close this issue?

Closed Bugs on needinfo > 30d

Please re-open if needed.