Hi, Oh wow, for some reason my message was not sent to the list.
On 03/20/2017 09:03 PM, Evan Bollig PhD wrote: > Hey Boris, > > Any updates on this? > > Cheers, > -E > -- > Evan F. Bollig, PhD > Scientific Computing Consultant, Application Developer | Scientific > Computing Solutions (SCS) > Minnesota Supercomputing Institute | msi.umn.edu > University of Minnesota | umn.edu > boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556 > > > On Thu, Mar 9, 2017 at 4:08 PM, Evan Bollig PhD <boll0...@umn.edu> wrote: >> Hey Boris, >> >> Which mapping? Hope you were looking for the shibboleth user >> mapping. Also, hope this is the right way to share the paste (first >> time using this): >> http://paste.openstack.org/show/3snCb31GRZfAuQxdRouy/ This is probably part of bug https://bugs.launchpad.net/keystone/+bug/1589993 . I am not 100% sure though. Could you please file new bugreport? As for now, you could try doing auto-provisioning using new capabilities from Ocata: https://docs.openstack.org/developer/keystone/federation/mapping_combinations.html#auto-provisioning >> Cheers, >> -E >> -- >> Evan F. Bollig, PhD >> Scientific Computing Consultant, Application Developer | Scientific >> Computing Solutions (SCS) >> Minnesota Supercomputing Institute | msi.umn.edu >> University of Minnesota | umn.edu >> boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556 >> >> >> On Thu, Mar 9, 2017 at 7:50 AM, Boris Bobrov <bre...@cynicmansion.ru> wrote: >>> Hi, >>> >>> Please paste your mapping to paste.openstack.org >>> >>> On 03/09/2017 02:07 AM, Evan Bollig PhD wrote: >>>> I am on Ocata with Shibboleth auth enabled. I noticed that Federated >>>> users with the admin role no longer have authorization to use the >>>> Admin** panels in Horizon related to Nova, Cinder and Neutron. All >>>> regular Identity and Project tabs function, and there are no problems >>>> with authorization for local admin users. >>>> >>>> ----- >>>> These Admin tabs work: Hypervisors, Host Aggregates, Flavors, Images, >>>> Defaults, Metadata, System Information >>>> >>>> These result in logout: Instances, Volumes, Networks, Routers, Floating IPs >>>> >>>> This is not present: Overview >>>> ----- >>>> >>>> The policies are vanilla from the CentOS/RDO openstack-dashboard RPMs: >>>> openstack-dashboard-11.0.0-1.el7.noarch >>>> python-django-horizon-11.0.0-1.el7.noarch >>>> python2-keystonemiddleware-4.14.0-1.el7.noarch >>>> python2-keystoneclient-3.10.0-1.el7.noarch >>>> openstack-keystone-11.0.0-1.el7.noarch >>>> python2-keystoneauth1-2.18.0-1.el7.noarch >>>> python-keystone-11.0.0-1.el7.noarch >>>> >>>> The errors I see in logs are similar to: >>>> >>>> ==> /var/log/horizon/horizon.log <== >>>> 2017-03-07 18:24:54,961 13745 ERROR horizon.exceptions Unauthorized: >>>> Traceback (most recent call last): >>>> File >>>> "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/floating_ips/views.py", >>>> line 53, in get_tenant_list >>>> tenants, has_more = api.keystone.tenant_list(request) >>>> File >>>> "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", >>>> line 351, in tenant_list >>>> manager = VERSIONS.get_project_manager(request, admin=admin) >>>> File >>>> "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", >>>> line 61, in get_project_manager >>>> manager = keystoneclient(*args, **kwargs).projects >>>> File >>>> "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", >>>> line 170, in keystoneclient >>>> raise exceptions.NotAuthorized >>>> NotAuthorized >>>> >>>> Cheers, >>>> -E >>>> -- >>>> Evan F. Bollig, PhD >>>> Scientific Computing Consultant, Application Developer | Scientific >>>> Computing Solutions (SCS) >>>> Minnesota Supercomputing Institute | msi.umn.edu >>>> University of Minnesota | umn.edu >>>> boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556 >>>> >>>> __________________________________________________________________________ >>>> OpenStack Development Mailing List (not for usage questions) >>>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>> >>> >>> __________________________________________________________________________ >>> OpenStack Development Mailing List (not for usage questions) >>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev