I've gotten a little farther, which leads me to my next question - does the API support v3 token auth? or am I making mistakes in my manual testing?
using the CLI on local devstack 1) did not modify openrc 2) source openrc 3) openstack token issue 4) openstack congress datasource list --os-auth-type v3token --os-token ad74073300e244768e08e0d4cd73fbbd --os-auth-url http://192.168.56.101:5000/v3 --os-project-id da9a9ba573c34c18a037fd04812d81bc --debug --verbose When the python-congressclient calls the API, this is the response: RESP BODY: Policy doesn't allow get_v1 to be performed. Request returned failure status: 403 Log: http://paste.openstack.org/show/543445/ So then I called the API directly: curl -X POST -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{ "auth": { "identity": { "methods": ["password"], "password": { "user": { "name": "demo", "domain": { "id": "default" }, "password": "secret" } } } } }' "http://192.168.56.101:5000/v3/auth/tokens" Response: { "token": { "issued_at": "2016-07-28T20:43:44.258137Z", "audit_ids": [ "N6tnfbI5QvyRT4xEB7pGCA" ], "methods": [ "password" ], "expires_at": "2016-07-28T21:43:44.258112Z", "user": { "domain": { "id": "default", "name": "Default" }, "id": "f2bf5189bbd7466cbecc1b1315cff3b5", "name": "demo" } } } Then: curl -X GET -H "X-Auth-Token: f2bf5189bbd7466cbecc1b1315cff3b5" -H "Cache-Control: no-cache" "http://192.168.56.101:1789/v1/data-sources" Response: { "error": { "message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized" } } I'm feeling pretty stupid at the moment, like I've missed something obvious. Any ideas? Thanks! aimee On Fri, Jul 22, 2016 at 9:21 PM, Anusha Ramineni <anusha.ii...@gmail.com> wrote: > Hi Aimee, > > Thanks for the investigation. > > I remember testing congress client with V3 password based authentication , > which worked fine .. but never tested with token based . > > Please go ahead and fix it , if you think there is any issue . > > > On 22-Jul-2016 9:38 PM, "Aimee Ukasick" <aimeeu.opensou...@gmail.com> wrote: >> >> All - I made the change to the auth_url that Anusha suggested. >> Same problem as before " Cannot authorize API client" >> 2016-07-22 14:13:50.835861 ***** calling policies_list = >> client.list_policy()***** >> 2016-07-22 14:13:50.836062 Unable to get policies list: Cannot >> authorize API client. >> >> I used the token from the log output to query the Congress API with >> the keystone v3 token - no issues. >> curl -X GET -H "X-Auth-Token: 18ec54ac811b49aa8265c3d535ba0095" -H >> "Cache-Control: no-cache" "http://192.168.56.103:1789/v1/policies" >> >> So I really think the problem is that the python-congressclient >> doesn't support identity v3. >> I thought it did, but then I came across this: >> "support keystone v3 api and session based authentication " >> https://bugs.launchpad.net/python-congressclient/+bug/1564361 >> This is currently assigned to Anusha. >> I'd like to start work on it since I am becoming familiar with keystone >> v3. >> >> Thoughts? >> >> aimee >> >> >> >> >> On Fri, Jul 22, 2016 at 8:07 AM, Aimee Ukasick >> <aimeeu.opensou...@gmail.com> wrote: >> > Thanks Anusha! I will retest this today. I guess I need to learn more >> > about Horizon as well - thanks for pointing me in the right direction. >> > >> > aimee >> > >> > >> > >> > On Fri, Jul 22, 2016 at 6:30 AM, Anusha Ramineni >> > <anusha.ii...@gmail.com> wrote: >> >> Hi Aimee, >> >> >> >> I think devstack by default configured horizon to use v3 . >> >> For V2 authentication, from the logs , auth_url doesn't seem to be set >> >> explicitly to v2 auth_url . >> >> >> >> I have always set explicit v2 auth which worked fine. >> >> For eg:- auth_url = 'http://<host-ip>:5000/v2.0' , for V2 >> >> authentication >> >> >> >> I have raised a patch, to take the auth_url from horizon settings >> >> instead of >> >> from request. >> >> https://review.openstack.org/#/c/345828/1 >> >> >> >> Please set explict v2 auth_url as mentioned above in >> >> OPENSTACK_KESYTONE_URL >> >> in <horizon>/openstack_dashboard/local/local_settings.py and restart >> >> apache2 >> >> server . Then v2 authentication should go through fine. >> >> >> >> For v3 , need to add relevant code for v3 authentication in >> >> contrib/horizon >> >> as presently it is hardcoded to use only v2. but yes, the code from >> >> plugin >> >> model patch is still a WIP , so doesn't work for v3 authentication I >> >> guess >> >> I'll have a look at it and let you know . >> >> >> >> >> >> Best Regards, >> >> Anusha >> >> >> >> On 21 July 2016 at 21:56, Tim Hinrichs <t...@styra.com> wrote: >> >>> >> >>> So clearly an authentication problem then. >> >>> >> >>> Anusha, do you have any ideas? (Aimee, I think Anusha has worked with >> >>> Keystone authentication most recently, so she's your best bet.) >> >>> >> >>> Tim >> >>> >> >>> On Thu, Jul 21, 2016 at 8:59 AM Aimee Ukasick >> >>> <aimeeu.opensou...@gmail.com> wrote: >> >>>> >> >>>> The Policy/Data Sources web page throws the same errors. I am >> >>>> planning to recheck direct API calls using v3 auth today or tomorrow. >> >>>> >> >>>> aimee >> >>>> >> >>>> On Thu, Jul 21, 2016 at 10:49 AM, Tim Hinrichs <t...@styra.com> wrote: >> >>>> > Hi Aimee, >> >>>> > >> >>>> > Do the other APIs work? That is, is it a general problem >> >>>> > authenticating, or >> >>>> > is the problem limited to list_policies? >> >>>> > >> >>>> > Tim >> >>>> > >> >>>> > On Wed, Jul 20, 2016 at 3:54 PM Aimee Ukasick >> >>>> > <aimeeu.opensou...@gmail.com> >> >>>> > wrote: >> >>>> >> >> >>>> >> Hi all, >> >>>> >> >> >>>> >> I've been working on Policy UI (Horizon): Unable to get policies >> >>>> >> list (devstack) (https://bugs.launchpad.net/congress/+bug/1602837) >> >>>> >> for the past 3 days. Anusha is correct - it's an authentication >> >>>> >> problem, but I have not been able to fix it. >> >>>> >> >> >>>> >> I grabbed the relevant code in congress.py from Anusha's horizon >> >>>> >> plugin model patchset (https://review.openstack.org/#/c/305063/3) >> >>>> >> and >> >>>> >> added try/catch blocks, logging statements (with error because I >> >>>> >> haven't figured out how to set the horizon log level). >> >>>> >> >> >>>> >> >> >>>> >> I am testing the code on devstack, which I cloned on 19 July 2016. >> >>>> >> >> >>>> >> With both v2 and v3 auth, congressclient.v1.client is created. >> >>>> >> The failure happens trying to call >> >>>> >> congressclient.v1.client.Client.list_policies(). >> >>>> >> When using v2 auth, the error message is "Unable to get policies >> >>>> >> list: >> >>>> >> The resource could not be found" >> >>>> >> When using v3 auth, the error message is "Cannot authorize API >> >>>> >> client" >> >>>> >> >> >>>> >> I am assuming that congressclient.v1.client.Client is >> >>>> >> >> >>>> >> >> >>>> >> >> >>>> >> https://github.com/openstack/python-congressclient/blob/master/congressclient/v1/client.py >> >>>> >> and that client.list_policy() calls list_policy()in the >> >>>> >> python-congressclient >> >>>> >> which in turn calls the Congress API. Is this correct? >> >>>> >> >> >>>> >> Any ideas why with v3 auth, the python-congressclient cannot >> >>>> >> authorize >> >>>> >> the >> >>>> >> call to the API? >> >>>> >> >> >>>> >> I looked at other horizon plugin models (ceilometer, neutron, >> >>>> >> nova, >> >>>> >> cerberus, cloudkitty, trove, designate, manila) to see how they >> >>>> >> created >> >>>> >> the client. While the code to create a client is not identical, >> >>>> >> it is vastly different from the code to create a client >> >>>> >> in contrib/horizon/congress.py. >> >>>> >> >> >>>> >> Thanks in advance for any pointers. >> >>>> >> >> >>>> >> aimee >> >>>> >> >> >>>> >> Aimee Ukasick (aimeeu) >> >>>> >> >> >>>> >> v2 log: >> >>>> >> 2016-07-20 22:13:56.501455 >> >>>> >> 2016-07-20 22:14:30.238233 ***** view.get_data calling policies = >> >>>> >> congress.policies_list(self.request) ***** >> >>>> >> 2016-07-20 22:14:30.238318 ***** self.request.path= >> >>>> >> /dashboard/admin/policies/ >> >>>> >> 2016-07-20 22:14:30.238352 ***** congress.policies_list(request) >> >>>> >> BEGIN***** >> >>>> >> 2016-07-20 22:14:30.238376 ***** calling client = >> >>>> >> congressclient(request)***** >> >>>> >> 2016-07-20 22:14:30.238399 ***** congress.congressclient >> >>>> >> BEGIN***** >> >>>> >> 2016-07-20 22:14:30.238454 ***** auth_url= >> >>>> >> http://192.168.56.103/identity >> >>>> >> 2016-07-20 22:14:30.238479 ***** calling get_keystone_session >> >>>> >> ***** >> >>>> >> 2016-07-20 22:14:30.238505 ***** congress.get_keystone_session >> >>>> >> BEGIN >> >>>> >> auth_url *****http://192.168.56.103/identity >> >>>> >> 2016-07-20 22:14:30.238554 ***** path= /identity >> >>>> >> 2016-07-20 22:14:30.238578 ***** using V2 plugin to >> >>>> >> authenticate***** >> >>>> >> 2016-07-20 22:14:30.238630 ***** v2 auth.get_auth_state= >> >>>> >> 2016-07-20 22:14:30.238656 None >> >>>> >> 2016-07-20 22:14:30.238677 ***** finished using V2 plugin to >> >>>> >> authenticate***** >> >>>> >> 2016-07-20 22:14:30.238698 ***** creating session with auth ***** >> >>>> >> 2016-07-20 22:14:30.244407 ***** congress.get_keystone_session >> >>>> >> END***** >> >>>> >> 2016-07-20 22:14:30.244462 ***** regtion_name= RegionOne >> >>>> >> 2016-07-20 22:14:30.244491 ***** calling >> >>>> >> congress_client.Client(**kwargs) >> >>>> >> 2016-07-20 22:14:30.247830 ***** congress.congressclient END***** >> >>>> >> 2016-07-20 22:14:30.247902 ***** calling policies_list = >> >>>> >> client.list_policy()***** >> >>>> >> 2016-07-20 22:14:30.248012 DEBUG:keystoneauth.identity.v2:Making >> >>>> >> authentication request to http://192.168.56.103/identity/tokens >> >>>> >> 2016-07-20 22:14:30.255023 DEBUG:keystoneauth.session:Request >> >>>> >> returned >> >>>> >> failure status: 404 >> >>>> >> 2016-07-20 22:14:30.257546 Unable to get policies list: The >> >>>> >> resource >> >>>> >> could not be found. >> >>>> >> >> >>>> >> >> >>>> >> v3 log: >> >>>> >> 2016-07-20 22:09:22.912969 >> >>>> >> 2016-07-20 22:09:31.907119 ***** view.get_data calling policies = >> >>>> >> congress.policies_list(self.request) ***** >> >>>> >> 2016-07-20 22:09:31.907973 ***** self.request.path= >> >>>> >> /dashboard/admin/policies/ >> >>>> >> 2016-07-20 22:09:31.908122 ***** congress.policies_list(request) >> >>>> >> BEGIN***** >> >>>> >> 2016-07-20 22:09:31.908250 ***** calling client = >> >>>> >> congressclient(request)***** >> >>>> >> 2016-07-20 22:09:31.908386 ***** congress.congressclient >> >>>> >> BEGIN***** >> >>>> >> 2016-07-20 22:09:31.909034 ***** auth_url= >> >>>> >> http://192.168.56.103/identity >> >>>> >> 2016-07-20 22:09:31.909217 ***** calling get_keystone_session >> >>>> >> ***** >> >>>> >> 2016-07-20 22:09:31.909356 ***** congress.get_keystone_session >> >>>> >> BEGIN >> >>>> >> auth_url *****http://192.168.56.103/identity >> >>>> >> 2016-07-20 22:09:31.909527 ***** path= /identity >> >>>> >> 2016-07-20 22:09:31.909795 ***** using V3 plugin to >> >>>> >> authenticate***** >> >>>> >> 2016-07-20 22:09:31.910042 auth_url=http://192.168.56.103/identity >> >>>> >> 2016-07-20 22:09:31.910175 token=d46339f2d0b5455db54909d6ed95a9cc >> >>>> >> 2016-07-20 22:09:31.910301 project_name=alt_demo >> >>>> >> 2016-07-20 22:09:31.910426 domain_name=Default >> >>>> >> 2016-07-20 22:09:31.910676 project_domain_name=default >> >>>> >> 2016-07-20 22:09:31.910866 ***** v3 auth.get_auth_state= >> >>>> >> 2016-07-20 22:09:31.910992 None >> >>>> >> 2016-07-20 22:09:31.914053 ***** finished using V3 plugin to >> >>>> >> authenticate***** >> >>>> >> 2016-07-20 22:09:31.914100 ***** creating session with auth ***** >> >>>> >> 2016-07-20 22:09:31.922260 ***** congress.get_keystone_session >> >>>> >> END***** >> >>>> >> 2016-07-20 22:09:31.922542 ***** regtion_name= RegionOne >> >>>> >> 2016-07-20 22:09:31.922676 ***** calling >> >>>> >> congress_client.Client(**kwargs) >> >>>> >> 2016-07-20 22:09:31.922822 ***** congress.congressclient END***** >> >>>> >> 2016-07-20 22:09:31.922949 ***** calling policies_list = >> >>>> >> client.list_policy()***** >> >>>> >> 2016-07-20 22:09:31.924732 Unable to get policies list: Cannot >> >>>> >> authorize API client. >> >>>> >> >> >>>> >> >> >>>> >> >> >>>> >> __________________________________________________________________________ >> >>>> >> OpenStack Development Mailing List (not for usage questions) >> >>>> >> Unsubscribe: >> >>>> >> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> >>>> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >>>> > >> >>>> > >> >>>> > >> >>>> > >> >>>> > __________________________________________________________________________ >> >>>> > OpenStack Development Mailing List (not for usage questions) >> >>>> > Unsubscribe: >> >>>> > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> >>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >>>> > >> >>>> >> >>>> >> >>>> >> >>>> __________________________________________________________________________ >> >>>> OpenStack Development Mailing List (not for usage questions) >> >>>> Unsubscribe: >> >>>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >>> >> >>> >> >>> >> >>> __________________________________________________________________________ >> >>> OpenStack Development Mailing List (not for usage questions) >> >>> Unsubscribe: >> >>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >>> >> >> >> >> >> >> >> >> __________________________________________________________________________ >> >> OpenStack Development Mailing List (not for usage questions) >> >> Unsubscribe: >> >> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> >> >> __________________________________________________________________________ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev