yahoo-eng-team team mailing list archive
Message #58317
[Bug 1638662] [NEW] "openstack_dashboard.api.keystone: Unable to retrieve Domain: default" incessant warning logging when switching Projects while being on the Identity>Project panel
Public bug reported:
==== REPRODUCTION ====
One scenario in horizon where we shall get the "Unable to retrieve Domain: default" incessant logging:
1. Log in to horizon as admin
2. Select Identity - Projects panel and switch Projects
Cancel
3. Remain on the Identity - Projects panel
Result
horizon log shows the following warnings, logged at a cadence of 6 seconds...
2016-08-17 20:23:06,128 [INFO] openstack_auth.views: Project switch successful for user "admin" "128.224.141.74".
2016-08-17 20:23:06,156 [INFO] openstack_auth.views: Deleted token db95cc356ca54ea5b3a7bd39a6ec6806
2016-08-17 20:23:06,416 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default
2016-08-17 20:23:11,917 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default
2016-08-17 20:23:17,153 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default
2016-08-17 20:23:22,430 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default
2016-08-17 20:23:27,670 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default
2016-08-17 20:23:32,993 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default
2016-08-17 20:23:38,248 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default
==== ANALYSIS ====
Further investigation reveals that the horizon error log (unable to retrieve domain) when switching Projects is because the admin user does NOT have an admin role on this new project (tenant1):
{'username': u'admin', 'token': <openstack_auth.user.Token object at
0x7f9e86f0d0d0>, 'project_name': u'tenant1', 'user_id':
u'c118176de885401c97314e0d6da8e786', 'roles': [u'_member_'], 'is_admin':
False, 'project_id': u'fe71d23184764a25b10d367fd4ed18a1', 'domain_id':
u'default'}
In Identity V3, all Keystone operations can be done over the internalURL
with the exception of domain specific operations, which still go over
the adminURL. Therefore Horizon calls Keystone's RBAC policy to ensure
that this logged in user has the "admin" role on this project, and if so
then use the adminURL. This is not true and therefore we get that
incessant log error. When I disable RBAC policy enforcement at Horizon,
and Horizon makes the call out to Keystone server, for domain
information, it does so using the internalURL which Keystone server
rejects.
Therefore the Horizon code that re-renders the Identity > Project panel
needs to account for this scenario, i.e. "if the Horizon session does
NOT have a domain context, and if the logged in user does NOT have an
admin role on the current project, then DO NOT attempt to get the domain
from Keystone, but instead use the logged in user's domain and assume it
to be the same as the project domain"
A new debug log will be added to indicate this scenario:
2016-10-31 21:31:20,267 [DEBUG] openstack_dashboard.api.keystone: Cannot retrieve domain information for user (admin) that does not have an admin role on project (tenant2)
** Affects: horizon
Importance: Undecided
Assignee: Kam Nasim (knasim-wrs)
Status: New
** Changed in: horizon
Assignee: (unassigned) => Kam Nasim (knasim-wrs)
https://bugs.launchpad.net/bugs/1638662
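The guard described in the analysis, as an added example (not Horizon's code and not part of the bug report): it compares the reported behaviour with the proposed rule over repeated panel refreshes. The names `fake_get_domain`, `legacy_lookup`, `guarded_lookup` and `count_warnings` are hypothetical, and the stub reduces the failure to "the domain lookup is refused when the user lacks the admin role".

```python
import logging

LOG = logging.getLogger("example.domain_lookup")  # hypothetical logger name
LOG.propagate = False
LOG.setLevel(logging.DEBUG)

# Session values from the report (token object omitted).
TENANT1_USER = {"username": "admin", "project_name": "tenant1",
                "roles": ["_member_"], "is_admin": False, "domain_id": "default"}


def fake_get_domain(user, domain_id):
    # Constructed stub: domain operations succeed only with the admin role.
    if "admin" not in user["roles"]:
        raise PermissionError(domain_id)
    return {"id": domain_id, "name": "Default"}


def legacy_lookup(user, domain_context, get_domain):
    """Reported behaviour: always attempt the lookup, warn on each failure."""
    domain_id = domain_context or user["domain_id"]
    try:
        return get_domain(user, domain_id)
    except PermissionError:
        LOG.warning("Unable to retrieve Domain: %s", domain_id)
        return None


def guarded_lookup(user, domain_context, get_domain):
    """Proposed rule: no domain context and no admin role, so skip Keystone."""
    if domain_context is None and "admin" not in user["roles"]:
        LOG.debug("Cannot retrieve domain information for user (%s) that does "
                  "not have an admin role on project (%s)",
                  user["username"], user["project_name"])
        # Assumption from the report: project domain == the user's own domain.
        return {"id": user["domain_id"], "name": None}
    return legacy_lookup(user, domain_context, get_domain)


def count_warnings(lookup, user, polls):
    """Re-render the panel `polls` times; count WARNING records emitted."""
    records = []
    handler = logging.Handler()
    handler.emit = records.append  # capture records instead of printing them
    LOG.addHandler(handler)
    for _ in range(polls):
        lookup(user, None, fake_get_domain)
    LOG.removeHandler(handler)
    return sum(r.levelno == logging.WARNING for r in records)
```

A user who does hold the admin role on the project still takes the Keystone path, so the guard changes behaviour only in the case the report describes.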