Mailing List Archive

[Horizon][Keystone] Migration to keystone v3
Good morning everyone,
I'm finally approaching migration to keystone v3, but I want to maintain keystone v2 compatibility for all users that have custom scripts for authentication to our openstack.
Migration seems to be pretty simple: change the endpoint directly in the database, changing http://keystone:5000/v2.0 to http://keystone:5000; the OpenStack client has the capability to add /v2.0 or /v3 at the end of the URL retrieved from the catalog.
But I'm stuck with the horizon dashboard: login works, but compute information is not available and the error log shows:
"Forbidden: You are not authorized to perform the requested action: rescope a scoped token. (HTTP 403)"
All other tabs work properly.
I think that it is a keystone issue, but I don't understand why it works perfectly with the openstack client and not with horizon.
Can anyone explain what I missed in the migration?

Thanks a lot,
Davide Panarese
Re: [Horizon][Keystone] Migration to keystone v3
Hi,

what is your current horizon configuration?

control:~ # grep KEYSTONE_URL /srv/www/openstack-dashboard/openstack_dashboard/local/local_settings.py
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST

Maybe this is still configured to v2?

Regards,
Eugen


_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Re: [Horizon][Keystone] Migration to keystone v3
@Paul
Yes keystone:5000 is my endpoint.

@Eugen
OPENSTACK_KEYSTONE_URL = "http://%s/v3" % OPENSTACK_HOST

Still not working.


Davide Panarese


> On 28 Sep 2018, at 13:50, Eugen Block <eblock@nde.ag> wrote:
>
> Hi,
>
> what is your current horizon configuration?
>
> control:~ # grep KEYSTONE_URL /srv/www/openstack-dashboard/openstack_dashboard/local/local_settings.py
> OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
>
> Maybe this is still configured to v2?
>
> Regards,
> Eugen
Re: [Horizon][Keystone] Migration to keystone v3
Since nova-compute reports that failure, what is your auth_url in
/etc/nova/nova.conf in the [placement] section?



Re: [Horizon][Keystone] Migration to keystone v3
It’s not nova-compute that reports the issue but keystone authentication on the computing tab.
As I said before, the openstack CLI is working properly with all services, nova included.



Davide Panarese
Cloud & Solution Architect

Enter | The open network and cloud provider

Via privata Stefanardo da Vimercate, 28
20128 Milano
enter.eu

Mobile: +39 3386369591
Phone: +39 02 25514 837


> On 28 Sep 2018, at 14:52, Eugen Block <eblock@nde.ag> wrote:
>
> Since nova-compute reports that failure, what is your auth_url in /etc/nova/nova.conf in the [placement] section?
Re: [Horizon][Keystone] Migration to keystone v3
Add yourself as an admin of the domain. I think it uses a domain scoped
token for that tab. In V2 you would have only been admin of a project.

-Erik

On Fri, Sep 28, 2018, 11:47 AM Davide Panarese <dpanarese@enter.eu> wrote:

> It’s not nova-compute that reports the issue but keystone authentication on
> the computing tab.
> As I said before, the openstack CLI is working properly with all services, nova
> included.
Re: [Horizon][Keystone] Migration to keystone v3
I found the source of the issue.
In the keystone configuration I set allow_rescope_scoped_token to false. With this value set to true, the horizon compute tab works.

But now the question is:
Why does horizon try to rescope the authentication token only for compute information?

Thanks

Davide Panarese

> On 28 Sep 2018, at 20:28, Erik McCormick <emccormick@cirrusseven.com> wrote:
>
> Add yourself as an admin of the domain. I think it uses a domain scoped token for that tab. In V2 you would have only been admin of a project.
>
> -Erik
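
The rule behind the 403 in this thread, as an added example that is not part of any post and is not Keystone or Horizon code: a simplified Python model of the keystone.conf [token] option allow_rescope_scoped_token. It shows that a fresh password authentication and an exchange of an unscoped token both keep working when the option is false, while exchanging an already scoped token is refused. All class, function, user and scope names are hypothetical, and the model does not show which request Horizon's compute tab makes.

```python
# Toy model of Keystone's [token] allow_rescope_scoped_token rule (added example,
# not Keystone or Horizon code; every name and scope string here is hypothetical).
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Stands in for the HTTP 403 quoted in the thread."""


@dataclass(frozen=True)
class Token:
    id: str
    user: str
    scope: Optional[str]  # None means unscoped


class ToyKeystone:
    def __init__(self, allow_rescope_scoped_token=True):
        self.allow_rescope = allow_rescope_scoped_token
        self.tokens = {}

    def _issue(self, user, scope):
        tok = Token(f"tok-{len(self.tokens) + 1}", user, scope)
        self.tokens[tok.id] = tok
        return tok

    def auth_password(self, user, scope=None):
        # Password method: a scope can be requested directly, nothing is rescoped.
        return self._issue(user, scope)

    def auth_token(self, token_id, scope=None):
        # Token method: an existing token is exchanged for a new one.
        presented = self.tokens[token_id]
        if presented.scope is not None and not self.allow_rescope:
            raise Forbidden("You are not authorized to perform the requested "
                            "action: rescope a scoped token. (HTTP 403)")
        return self._issue(presented.user, scope)


def password_flow(ks):
    """Fresh password authentication for the scope that is needed."""
    return ks.auth_password("alice", scope="project:demo")


def rescope_flow(ks):
    """Exchange an already project-scoped token for a different scope."""
    scoped = ks.auth_password("alice", scope="project:demo")
    return ks.auth_token(scoped.id, scope="domain:default")


def unscoped_first_flow(ks):
    """Keep one unscoped token and derive every scoped token from it."""
    unscoped = ks.auth_password("alice")
    return [ks.auth_token(unscoped.id, scope=s)
            for s in ("project:demo", "domain:default")]


def outcome(flow, allow):
    """Run a flow against a fresh ToyKeystone; return 'ok' or the 403 text."""
    try:
        flow(ToyKeystone(allow_rescope_scoped_token=allow))
    except Forbidden as exc:
        return str(exc)
    return "ok"
```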