Hi Greg,

Can you revisit your policy configuration and try again?
See here: http://git.openstack.org/cgit/openstack/magnum/plain/etc/magnum/policy.json?h=stable/newton

Cheers,
Spyros

On 22 September 2017 at 13:49, Waines, Greg <[email protected]> wrote:

> Just another note on this ...
>
> We have
>
> - setup a 'magnum' domain, and
> - setup a 'trustee_domain_admin' user within that domain, and
> - gave that user and domain the admin role, and   <-- actually not 100% sure about this
> - referenced these items in magnum.conf
>     - i.e. trustee_domain_name, trustee_domain_admin_name, trustee_domain_admin_password
>
> ... but still seeing the trust_domain_id issue in the admin context (see email below).
>
> let me know if anyone has some ideas on issue or next steps to look at,
>
> Greg.
>
>
> From: Greg Waines <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Wednesday, September 20, 2017 at 12:20 PM
> To: "[email protected]" <[email protected]>
> Cc: "Sun, Yicheng (Jerry)" <[email protected]>
> Subject: [openstack-dev] [magnum] issue with admin_osc.keystone().trustee_domain_id
>
> We are in the process of integrating MAGNUM into our OpenStack distribution.
>
> We are working with NEWTON version of MAGNUM.
>
> We have the MAGNUM processes up and running and configured.
>
> However we are seeing the following error (see stack trace below) on virtually all MAGNUM CLI calls.
>
> The code where the stack trace is triggered:
>
> def add_policy_attributes(target):
>     """Adds extra information for policy enforcement to raw target object"""
>     admin_context = context.make_admin_context()
>     admin_osc = clients.OpenStackClients(admin_context)
>     trustee_domain_id = admin_osc.keystone().trustee_domain_id
>     target['trustee_domain_id'] = trustee_domain_id
>     return target
>
> ( NOTE: that this code was introduced upstream as part of a fix for CVE-2016-7404:
>   https://github.com/openstack/magnum/commit/2d4e617a529ea12ab5330f12631f44172a623a14 )
>
> Stack Trace:
>
>   File "/usr/lib/python2.7/site-packages/wsmeext/pecan.py", line 84, in callfunction
>     result = f(self, *args, **kwargs)
>
>   File "<string>", line 2, in get_all
>
>   File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 130, in wrapper
>     exc=exception.PolicyNotAuthorized, action=action)
>
>   File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 97, in enforce
>     # add_policy_attributes(target)
>
>   File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 106, in add_policy_attributes
>     trustee_domain_id = admin_osc.keystone().trustee_domain_id
>
>   File "/usr/lib/python2.7/site-packages/magnum/common/keystone.py", line 237, in trustee_domain_id
>     self.domain_admin_session
>
>   File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 136, in get_access
>     self.auth_ref = self.get_auth_ref(session)
>
>   File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py", line 167, in get_auth_ref
>     authenticated=False, log=False, **rkwargs)
>
>   File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 681, in post
>     return self.request(url, 'POST', **kwargs)
>
>   File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
>     return wrapped(*args, **kwargs)
>
>   File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 570, in request
>     raise exceptions.from_response(resp, method, url)
>
> NotFound: The resource could not be found. (HTTP 404)
>
>
> Any ideas on what our issue could be?
>
> Or next steps to investigate?
>
> thanks in advance,
>
> Greg.
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: [email protected]?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
