Re: [openstack-dev] [magnum] issue with admin_osc.keystone().trustee_domain_id
Hi Greg, Can you revisit your policy configuration and try again? See here: http://git.openstack.org/cgit/openstack/magnum/plain/etc/magnum/policy.json?h=stable/newton Cheers, Spyros On 22 September 2017 at 13:49, Waines, Greg <greg.wai...@windriver.com> wrote: > Just another note on this ... > > > > We have > > · setup a ‘magnum’ domain, and > > · setup a ‘trustee_domain_admin’ user within that domain, and > > · gave that user and domain the admin role, and ß actually not > 100% sure about this > > · referenced these items in magnum.conf > > oi.e. trustee_domain_name, trustee_domain_admin_name, > trustee_domain_admin_password > > > > ... but still seeing the trust_domain_id issue in the admin context (see > email below). > > > > let me know if anyone has some ideas on issue or next steps to look at, > > Greg. > > > > > > From: Greg Waines <greg.wai...@windriver.com> > Reply-To: "openstack-dev@lists.openstack.org" > <openstack-dev@lists.openstack.org> > Date: Wednesday, September 20, 2017 at 12:20 PM > To: "openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org> > Cc: "Sun, Yicheng (Jerry)" <jerry@windriver.com> > Subject: [openstack-dev] [magnum] issue with > admin_osc.keystone().trustee_domain_id > > > > We are in the process of integrating MAGNUM into our OpenStack distribution. > > We are working with NEWTON version of MAGNUM. > > We have the MAGNUM processes up and running and configured. > > > > However we are seeing the following error (see stack trace below) on > virtually all MAGNUM CLI calls. > > > > The code where the stack trace is triggered: > > def add_policy_attributes(target): > > """Adds extra information for policy enforcement to raw target object""" > > admin_context = context.make_admin_context() > > admin_osc = clients.OpenStackClients(admin_context) > > trustee_domain_id = admin_osc.keystone().trustee_domain_id > > target['trustee_domain_id'] = trustee_domain_id > > return target > > > > ( NOTE: that this code was introduced upstream as part of a fix for > CVE-2016-7404: > > https://github.com/openstack/magnum/commit/2d4e617a529ea12ab5330f12631f44172a623a14 > ) > > > > Stack Trace: > > File "/usr/lib/python2.7/site-packages/wsmeext/pecan.py", line 84, in > callfunction > > result = f(self, *args, **kwargs) > > > > File "", line 2, in get_all > > > > File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 130, > in wrapper > > exc=exception.PolicyNotAuthorized, action=action) > > > > File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 97, > in enforce > > #add_policy_attributes(target) > > > > File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 106, > in add_policy_attributes > > trustee_domain_id = admin_osc.keystone().trustee_domain_id > > > > File "/usr/lib/python2.7/site-packages/magnum/common/keystone.py", line > 237, in trustee_domain_id > > self.domain_admin_session > > > > File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", > line 136, in get_access > > self.auth_ref = self.get_auth_ref(session) > > > > File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py", > line 167, in get_auth_ref > > authenticated=False, log=False, **rkwargs) > > > > File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line > 681, in post > > return self.request(url, 'POST', **kwargs) > > > > File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, > in inner > > return wrapped(*args, **kwargs) > > > > File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line > 570, in request > > raise exceptions.from_response(resp, method, url) > > > > NotFound: The resource could not be found. (HTTP 404) > > > > > > Any ideas on what our issue could be ? > > Or next steps to investigate ? > > > > thanks in advance, > > Greg. > > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [magnum] issue with admin_osc.keystone().trustee_domain_id
Just another note on this ... We have · setup a ‘magnum’ domain, and · setup a ‘trustee_domain_admin’ user within that domain, and · gave that user and domain the admin role, and <-- actually not 100% sure about this · referenced these items in magnum.conf oi.e. trustee_domain_name, trustee_domain_admin_name, trustee_domain_admin_password ... but still seeing the trust_domain_id issue in the admin context (see email below). let me know if anyone has some ideas on issue or next steps to look at, Greg. From: Greg Waines <greg.wai...@windriver.com> Reply-To: "openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org> Date: Wednesday, September 20, 2017 at 12:20 PM To: "openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org> Cc: "Sun, Yicheng (Jerry)" <jerry@windriver.com> Subject: [openstack-dev] [magnum] issue with admin_osc.keystone().trustee_domain_id We are in the process of integrating MAGNUM into our OpenStack distribution. We are working with NEWTON version of MAGNUM. We have the MAGNUM processes up and running and configured. However we are seeing the following error (see stack trace below) on virtually all MAGNUM CLI calls. The code where the stack trace is triggered: def add_policy_attributes(target): """Adds extra information for policy enforcement to raw target object""" admin_context = context.make_admin_context() admin_osc = clients.OpenStackClients(admin_context) trustee_domain_id = admin_osc.keystone().trustee_domain_id target['trustee_domain_id'] = trustee_domain_id return target ( NOTE: that this code was introduced upstream as part of a fix for CVE-2016-7404: https://github.com/openstack/magnum/commit/2d4e617a529ea12ab5330f12631f44172a623a14 ) Stack Trace: File "/usr/lib/python2.7/site-packages/wsmeext/pecan.py", line 84, in callfunction result = f(self, *args, **kwargs) File "", line 2, in get_all File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 130, in wrapper exc=exception.PolicyNotAuthorized, action=action) File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 97, in enforce #add_policy_attributes(target) File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 106, in add_policy_attributes trustee_domain_id = admin_osc.keystone().trustee_domain_id File "/usr/lib/python2.7/site-packages/magnum/common/keystone.py", line 237, in trustee_domain_id self.domain_admin_session File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 136, in get_access self.auth_ref = self.get_auth_ref(session) File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py", line 167, in get_auth_ref authenticated=False, log=False, **rkwargs) File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 681, in post return self.request(url, 'POST', **kwargs) File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner return wrapped(*args, **kwargs) File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 570, in request raise exceptions.from_response(resp, method, url) NotFound: The resource could not be found. (HTTP 404) Any ideas on what our issue could be ? Or next steps to investigate ? thanks in advance, Greg. __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [magnum] issue with admin_osc.keystone().trustee_domain_id
We are in the process of integrating MAGNUM into our OpenStack distribution. We are working with NEWTON version of MAGNUM. We have the MAGNUM processes up and running and configured. However we are seeing the following error (see stack trace below) on virtually all MAGNUM CLI calls. The code where the stack trace is triggered: def add_policy_attributes(target): """Adds extra information for policy enforcement to raw target object""" admin_context = context.make_admin_context() admin_osc = clients.OpenStackClients(admin_context) trustee_domain_id = admin_osc.keystone().trustee_domain_id target['trustee_domain_id'] = trustee_domain_id return target ( NOTE: that this code was introduced upstream as part of a fix for CVE-2016-7404: https://github.com/openstack/magnum/commit/2d4e617a529ea12ab5330f12631f44172a623a14 ) Stack Trace: File "/usr/lib/python2.7/site-packages/wsmeext/pecan.py", line 84, in callfunction result = f(self, *args, **kwargs) File "", line 2, in get_all File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 130, in wrapper exc=exception.PolicyNotAuthorized, action=action) File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 97, in enforce #add_policy_attributes(target) File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 106, in add_policy_attributes trustee_domain_id = admin_osc.keystone().trustee_domain_id File "/usr/lib/python2.7/site-packages/magnum/common/keystone.py", line 237, in trustee_domain_id self.domain_admin_session File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 136, in get_access self.auth_ref = self.get_auth_ref(session) File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py", line 167, in get_auth_ref authenticated=False, log=False, **rkwargs) File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 681, in post return self.request(url, 'POST', **kwargs) File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner return wrapped(*args, **kwargs) File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 570, in request raise exceptions.from_response(resp, method, url) NotFound: The resource could not be found. (HTTP 404) Any ideas on what our issue could be ? Or next steps to investigate ? thanks in advance, Greg. __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
