yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #93616
[Bug 2055811] [NEW] django.request Unauthorized
Public bug reported:
Hi,
I manually deployed a fresh Openstack cloud (2023.1 "Antelope") on a
freshly installed Debian 12 "Bookworm", following instructions on
https://docs.openstack.org/install-guide/openstack-
services.html#minimal-deployment-for-2023-1-antelope. I use precompiled
debian packages via extrepo with openstack_antelope enabled
(https://wiki.debian.org/OpenStack).
After installing all minimal services (Keystone, Glance, Placement,
Nova, and Neutron) and made sure there are no complains in the logs, as
well as passing verification steps for all services, I choke on setting
up Horizon.
I had to change "OPENSTACK_KEYSTONE_URL = "http://%s:5000/identity/v3"; %
OPENSTACK_HOST" from the instructions on /etc/openstack-
dashboard/local_settings.py into "OPENSTACK_KEYSTONE_URL =
"http://%s:5000/v3"; % OPENSTACK_HOST" to be able to login as admin user
at all. However after login, Horizon drops the session as soon as I
click on the Image tab.
Logs in /var/log/openstack-dashboard/error.log give a very long list of
Deprecation, such as:
/usr/lib/python3/dist-packages/oslo_policy/policy.py:1587: DeprecationWarning: remove_prefixes depreca
ted without deprecated_reason or deprecated_since. This will be an error in a future release, referer: http://openstack.housealpaca.com/auth/login/
and many, many more. A few more different warnings that seem to be
related to the image, compute, metadata and identity services:
/usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "get_images": "role:adm
in or (role:reader and project_id:%(project_id)s)" failed scope check. The token used to make the request was domain scoped but the policy requires ['project'] scope. This behavior may change in the future where
using the intended scope is required, referer: http://openstack.housealpaca.com/auth/login/
/usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "os_compute_api:os-keyp
airs:index": "(rule:context_is_admin) or user_id:%(user_id)s" failed scope check. The token used to make the request was domain scoped but the policy requires ['project'] scope. This behavior may change in the f
uture where using the intended scope is required, referer: http://openstack.housealpaca.com/auth/login/
/usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "os_compute_api:servers
:detail": "rule:project_reader_or_admin" failed scope check. The token used to make the request was domain scoped but the policy requires ['project'] scope. This behavior may change in the future where using the
intended scope is required, referer: http://openstack.housealpaca.com/auth/login/
/usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "get_metadef_namespaces
": "role:admin or (role:reader and project_id:%(project_id)s)" failed scope check. The token used to make the request was domain scoped but the policy requires ['project'] scope. This behavior may change in the
future where using the intended scope is required, referer: http://openstack.housealpaca.com/auth/login/
/usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "identity:list_roles":
"role:reader and system_scope:all" failed scope check. The token used to make the request was domain scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intend
ed scope is required, referer: http://openstack.housealpaca.com/auth/login/
More errors with Unauthorized Django requests:
[wsgi:error] [pid 11073:tid 139780079728320] [client
192.168.73.246:34256] WARNING django.request Unauthorized:
/api/keystone/svc-catalog/, referer:
http://openstack.housealpaca.com/project/images
[wsgi:error] [pid 11073:tid 139780071335616] [client
192.168.73.246:34256] WARNING django.request Unauthorized:
/api/keystone/user-session/, referer:
http://openstack.housealpaca.com/project/images
[wsgi:error] [pid 11073:tid 139780062942912] [client
192.168.73.246:34270] WARNING django.request Unauthorized: /api/policy/,
referer: http://openstack.housealpaca.com/project/images
[wsgi:error] [pid 11073:tid 139779576428224] [client
192.168.73.246:34282] WARNING django.request Unauthorized: /api/policy/,
referer: http://openstack.housealpaca.com/project/images
as well as image backend issues:
[client 192.168.73.246:34240] WARNING openstack_dashboard.api.glance OPENSTACK_IMAGE_BACKEND has a format "" unsupported by glance, referer: http://openstack.housealpaca.com/project/images
[client 192.168.73.246:34240] WARNING openstack_dashboard.api.glance OPENSTACK_IMAGE_BACKEND has a format "docker" unsupported by glance, referer: http://openstack.housealpaca.com/project/images
[client 192.168.73.246:34240] WARNING openstack_dashboard.api.glance OPENSTACK_IMAGE_BACKEND has a format "ova" unsupported by glance, referer: http://openstack.housealpaca.com/project/images
Finishing with the last error:
[wsgi:error] [pid 11074:tid 139779039557312] [client 192.168.73.246:34248] INFO openstack_auth.views Logging out user ""., referer: http://openstack.housealpaca.com/project/imag
es
And effectively redirecting the browser to the login page, often with a
bunch of errors (including, but not limited to "Unauthorized,
Redirecting to login", Unable to get the Glance service version" and
"Unable to retrieve the images") and failed policy checks warnings
(several notices of "Policy check failed") shown briefly just before
redirection to Login page. In fact I had to take a screen cast and pause
it to be able to read them.
I tried to set "OPENSTACK_IMAGE_BACKEND" as suggested in
https://bugs.launchpad.net/openstack-ansible/+bug/2055415 as a hail
Marie attempt to solve the issues, but that does not prevent horizon to
loggin me out, or suppress policy checks or Django errors in the logs.
Not sure if it does remove the "OPENSTACK_IMAGE_BACKEND" errors.
In case this is relevant, here is the version of Django installed in my Debian 12 setup:
root@circinus:~# dpkg -l | grep django
ii python3-django 3:3.2.19-1+deb12u1 all High-level Python web development framework
ii python3-django-appconf 1.0.5-2 all helper class handling configuration defaults of apps - Python 3.x
ii python3-django-compressor 4.0-1 all Compresses linked, inline JS or CSS into single cached files - Python 3.x
ii python3-django-debreach 2.1.0-2 all some protection against the BREACH attack in Django - Python 3.x
ii python3-django-horizon 3:23.1.0-5~bpo12+1 all Django module providing web interaction with OpenStack
ii python3-django-pyscss 2.0.2-12 all makes it easier to use PySCSS in Django - Python 3.x
root@circinus:~#
I am at a loss to troubleshoot this issue. Maybe default policies need
to be updated? How and to what? Do you have any other pointer? Any help
is warmly appreciated.
/Nicolas
** Affects: horizon
Importance: Undecided
Status: New
** Tags: django horizon policy
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/2055811
Title:
django.request Unauthorized
Status in OpenStack Dashboard (Horizon):
New
Bug description:
Hi,
I manually deployed a fresh Openstack cloud (2023.1 "Antelope") on a
freshly installed Debian 12 "Bookworm", following instructions on
https://docs.openstack.org/install-guide/openstack-
services.html#minimal-deployment-for-2023-1-antelope. I use
precompiled debian packages via extrepo with openstack_antelope
enabled (https://wiki.debian.org/OpenStack).
After installing all minimal services (Keystone, Glance, Placement,
Nova, and Neutron) and made sure there are no complains in the logs,
as well as passing verification steps for all services, I choke on
setting up Horizon.
I had to change "OPENSTACK_KEYSTONE_URL = "http://%s:5000/identity/v3";
% OPENSTACK_HOST" from the instructions on /etc/openstack-
dashboard/local_settings.py into "OPENSTACK_KEYSTONE_URL =
"http://%s:5000/v3"; % OPENSTACK_HOST" to be able to login as admin
user at all. However after login, Horizon drops the session as soon as
I click on the Image tab.
Logs in /var/log/openstack-dashboard/error.log give a very long list
of Deprecation, such as:
/usr/lib/python3/dist-packages/oslo_policy/policy.py:1587: DeprecationWarning: remove_prefixes depreca
ted without deprecated_reason or deprecated_since. This will be an error in a future release, referer: http://openstack.housealpaca.com/auth/login/
and many, many more. A few more different warnings that seem to be
related to the image, compute, metadata and identity services:
/usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "get_images": "role:adm
in or (role:reader and project_id:%(project_id)s)" failed scope check. The token used to make the request was domain scoped but the policy requires ['project'] scope. This behavior may change in the future where
using the intended scope is required, referer: http://openstack.housealpaca.com/auth/login/
/usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "os_compute_api:os-keyp
airs:index": "(rule:context_is_admin) or user_id:%(user_id)s" failed scope check. The token used to make the request was domain scoped but the policy requires ['project'] scope. This behavior may change in the f
uture where using the intended scope is required, referer: http://openstack.housealpaca.com/auth/login/
/usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "os_compute_api:servers
:detail": "rule:project_reader_or_admin" failed scope check. The token used to make the request was domain scoped but the policy requires ['project'] scope. This behavior may change in the future where using the
intended scope is required, referer: http://openstack.housealpaca.com/auth/login/
/usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "get_metadef_namespaces
": "role:admin or (role:reader and project_id:%(project_id)s)" failed scope check. The token used to make the request was domain scoped but the policy requires ['project'] scope. This behavior may change in the
future where using the intended scope is required, referer: http://openstack.housealpaca.com/auth/login/
/usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "identity:list_roles":
"role:reader and system_scope:all" failed scope check. The token used to make the request was domain scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intend
ed scope is required, referer: http://openstack.housealpaca.com/auth/login/
More errors with Unauthorized Django requests:
[wsgi:error] [pid 11073:tid 139780079728320] [client
192.168.73.246:34256] WARNING django.request Unauthorized:
/api/keystone/svc-catalog/, referer:
http://openstack.housealpaca.com/project/images
[wsgi:error] [pid 11073:tid 139780071335616] [client
192.168.73.246:34256] WARNING django.request Unauthorized:
/api/keystone/user-session/, referer:
http://openstack.housealpaca.com/project/images
[wsgi:error] [pid 11073:tid 139780062942912] [client
192.168.73.246:34270] WARNING django.request Unauthorized:
/api/policy/, referer: http://openstack.housealpaca.com/project/images
[wsgi:error] [pid 11073:tid 139779576428224] [client
192.168.73.246:34282] WARNING django.request Unauthorized:
/api/policy/, referer: http://openstack.housealpaca.com/project/images
as well as image backend issues:
[client 192.168.73.246:34240] WARNING openstack_dashboard.api.glance OPENSTACK_IMAGE_BACKEND has a format "" unsupported by glance, referer: http://openstack.housealpaca.com/project/images
[client 192.168.73.246:34240] WARNING openstack_dashboard.api.glance OPENSTACK_IMAGE_BACKEND has a format "docker" unsupported by glance, referer: http://openstack.housealpaca.com/project/images
[client 192.168.73.246:34240] WARNING openstack_dashboard.api.glance OPENSTACK_IMAGE_BACKEND has a format "ova" unsupported by glance, referer: http://openstack.housealpaca.com/project/images
Finishing with the last error:
[wsgi:error] [pid 11074:tid 139779039557312] [client 192.168.73.246:34248] INFO openstack_auth.views Logging out user ""., referer: http://openstack.housealpaca.com/project/imag
es
And effectively redirecting the browser to the login page, often with
a bunch of errors (including, but not limited to "Unauthorized,
Redirecting to login", Unable to get the Glance service version" and
"Unable to retrieve the images") and failed policy checks warnings
(several notices of "Policy check failed") shown briefly just before
redirection to Login page. In fact I had to take a screen cast and
pause it to be able to read them.
I tried to set "OPENSTACK_IMAGE_BACKEND" as suggested in
https://bugs.launchpad.net/openstack-ansible/+bug/2055415 as a hail
Marie attempt to solve the issues, but that does not prevent horizon
to loggin me out, or suppress policy checks or Django errors in the
logs. Not sure if it does remove the "OPENSTACK_IMAGE_BACKEND" errors.
In case this is relevant, here is the version of Django installed in my Debian 12 setup:
root@circinus:~# dpkg -l | grep django
ii python3-django 3:3.2.19-1+deb12u1 all High-level Python web development framework
ii python3-django-appconf 1.0.5-2 all helper class handling configuration defaults of apps - Python 3.x
ii python3-django-compressor 4.0-1 all Compresses linked, inline JS or CSS into single cached files - Python 3.x
ii python3-django-debreach 2.1.0-2 all some protection against the BREACH attack in Django - Python 3.x
ii python3-django-horizon 3:23.1.0-5~bpo12+1 all Django module providing web interaction with OpenStack
ii python3-django-pyscss 2.0.2-12 all makes it easier to use PySCSS in Django - Python 3.x
root@circinus:~#
I am at a loss to troubleshoot this issue. Maybe default policies need
to be updated? How and to what? Do you have any other pointer? Any
help is warmly appreciated.
/Nicolas
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/2055811/+subscriptions
