yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1638662] Re: "openstack_dashboard.api.keystone: Unable to retrieve Domain: default" incessant warning logging when switching Projects while being on the Identity>Project panel

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1638662@xxxxxxxxxxxxxxxxxx>
Date: Mon, 07 Nov 2016 07:45:52 -0000
Reply-to: Bug 1638662 <1638662@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/392944
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=55baf9254d78de2c6e409156e6649875cb7797e3
Submitter: Jenkins
Branch:    master

commit 55baf9254d78de2c6e409156e6649875cb7797e3
Author: Kam Nasim <kam.nasim@xxxxxxxxxxxxx>
Date:   Wed Nov 2 19:34:40 2016 +0000

    "Unable to retrieve Domain" incessant warning logs
    
    "openstack_dashboard.api.keystone: Unable to retrieve Domain: default"
    incessant warning logging when switching Projects while being on the
    Identity>Project panel.
    
    Retrieving domain information is a Keystone admin URL operation. As a
    pre-check, such operations would be Forbidden if the logon user does not
    have an 'admin' role on the current project.
    
    Since this is a common occurence, and can cause incessant warning
    logging in the horizon logs, we recognize this condition and return the
    user's domain information instead.
    
    Signed-off-by: Kam Nasim <kam.nasim@xxxxxxxxxxxxx>
    
    Closes-Bug: #1638662
    Change-Id: Iadd5184a16a73da1da5a7230c89e996248f1eba7


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1638662

Title:
  "openstack_dashboard.api.keystone: Unable to retrieve Domain: default"
  incessant warning logging when switching Projects while being on the
  Identity>Project panel

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  ==== REPRODUCTION ====
  One scenario in horizon where we shall get the "Unable to retrieve Domain: default" incessant logging: 
  1. Login to horizon as admin 
  2. Select Identity - Projects panel and switch Projects
  Cancel 
  3. Remain on the Identity - Projects panel
  Result 
  horizon log shows the following warnings, logged at a cadence of 6 seconds...

  
  2016-08-17 20:23:06,128 [INFO] openstack_auth.views: Project switch successful for user "admin" "128.224.141.74". 
  2016-08-17 20:23:06,156 [INFO] openstack_auth.views: Deleted token db95cc356ca54ea5b3a7bd39a6ec6806 
  2016-08-17 20:23:06,416 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default 
  2016-08-17 20:23:11,917 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default 
  2016-08-17 20:23:17,153 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default 
  2016-08-17 20:23:22,430 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default 
  2016-08-17 20:23:27,670 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default 
  2016-08-17 20:23:32,993 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default 
  2016-08-17 20:23:38,248 [WARNING] openstack_dashboard.api.keystone: Unable to retrieve Domain: default 

  
  ==== ANALYSIS ====
  Further investigation reveals that the horizon error log (unable to retrieve domain) when switching Projects is because the admin user does NOT have an admin role on this new project (tenant1): 

  {'username': u'admin', 'token': <openstack_auth.user.Token object at
  0x7f9e86f0d0d0>, 'project_name': u'tenant1', 'user_id':
  u'c118176de885401c97314e0d6da8e786', 'roles': [u'_member_'],
  'is_admin': False, 'project_id': u'fe71d23184764a25b10d367fd4ed18a1',
  'domain_id': u'default'}

  In Identity V3, all Keystone operations can be done over the
  internalURL with the exception of domain specific operations, which
  still go over the adminURL. Therefore Horizon calls Keystone's RBAC
  policy to ensure that this logged in user has the "admin" role on this
  project, and if so then use the adminURL. This is not true and
  therefore we get that incessant log error. When I disable RBAC policy
  enforcement at Horizon, and Horizon makes the call out to Keystone
  server, for domain information, it does so using the internalURL which
  Keystone server rejects.

  Therefore the Horizon code that re-renders the Identity > Project
  panel needs to account for this scnenario, i.e. "if the Horizon
  session does NOT have a domain context, and if the logged in user does
  NOT have an admin role on the current project, then DO NOT attempt to
  get the domain from Keystone, but instead use the logged in user's
  domain and assume it to be the same as the project domain"

  A new debug log will be added to indicate this scenario: 
  2016-10-31 21:31:20,267 [DEBUG] openstack_dashboard.api.keystone: Cannot retrieve domain information for user (admin) that does not have an admin role on project (tenant2)

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1638662/+subscriptions

References

[Bug 1638662] [NEW] "openstack_dashboard.api.keystone: Unable to retrieve Domain: default" incessant warning logging when switching Projects while being on the Identity>Project panel
From: Kam Nasim, 2016-11-02