endpoints fetching results differs with user's Admin role assigned on None and on a tenant

Asked by crayon_z

My environment: Keystone 2012.1 + Dashboard 2012.1

I create a tenant named DEMO and a user named demo assigned to DEMO. Then I login the Dashboard and try to list all the tenants with the demo user(This process needs to fetch the endpoints from Keystone).

When I assign Admin role to demo on None, I can fetch all the endpoints with Dashboard correctly, results as follows:

[{u'endpoints': [{u'adminURL': u'http://219.228.106.219:8080/v1.0/', u'region': u'RegionOne', u'internalURL': u'http://219.228.106.219:8080/v1/AUTH_2', u'publicURL': u'http://219.228.106.219:8080/v1/AUTH_2'}], u'type': u'object-store', u'name': u'swift'}, {u'endpoints': [{u'adminURL': u'http://219.228.106.219:35357/v2.0', u'region': u'RegionOne', u'internalURL': u'http://219.228.106.219:5000/v2.0', u'publicURL': u'http://219.228.106.219:5000/v2.0'}], u'type': u'identity', u'name': u'keystone'}]

While I reassign Admin role to demo on DEMO tenant, I can't get the adminURL, results as follows:

[{u'endpoints': [{u'region': u'RegionOne', u'internalURL': u'http://219.228.106.219:8080/v1/AUTH_2', u'publicURL': u'http://219.228.106.219:8080/v1/AUTH_2'}], u'type': u'object-store', u'name': u'swift'}, {u'endpoints': [{u'region': u'RegionOne', u'internalURL': u'http://219.228.106.219:5000/v2.0', u'publicURL': u'http://219.228.106.219:5000/v2.0'}], u'type': u'identity', u'name': u'keystone'}]

And the log in Dashboard is as follows:

CRITICAL:openstack_dashboard:Unhandled Exception in of type "<type 'exceptions.KeyError'>" in dashboard.
Traceback (most recent call last):
  File "/root/horizon/openstack-dashboard/.dashboard-venv/lib/python2.6/site-packages/django/core/handlers/base.py", line 111, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "/root/horizon/horizon/horizon/decorators.py", line 41, in dec
    return view_func(request, *args, **kwargs)
  File "/root/horizon/horizon/horizon/decorators.py", line 73, in dec
    return view_func(request, *args, **kwargs)
  File "/root/horizon/horizon/horizon/decorators.py", line 41, in dec
    return view_func(request, *args, **kwargs)
  File "/root/horizon/openstack-dashboard/.dashboard-venv/lib/python2.6/site-packages/django/contrib/auth/decorators.py", line 23, in _wrapped_view
    return view_func(request, *args, **kwargs)
  File "/root/horizon/horizon/horizon/dashboards/syspanel/tenants/views.py", line 48, in index
    tenants = api.tenant_list(request)
  File "/root/horizon/horizon/horizon/api/keystone.py", line 139, in tenant_list
    return [Tenant(t) for t in keystoneclient(request).tenants.list()]
  File "/root/horizon/horizon/horizon/api/keystone.py", line 113, in keystoneclient
    endpoint_type='adminURL')
  File "/root/horizon/openstack-dashboard/.dashboard-venv/src/python-keystoneclient/keystoneclient/service_catalog.py", line 51, in url_for
    return endpoint[endpoint_type]
KeyError: 'adminURL'

Apparently the adminURL is missing. What's the reason that we can't get the adminURL when assign the Admin role on a certain tenant?

Thanks

Question information

Language:
English Edit question
Status:
Solved
For:
OpenStack Identity (keystone) Edit question
Assignee:
No assignee Edit question
Solved by:
Ziad Sawalha
Solved:
Last query:
Last reply:
Revision history for this message
Best Ziad Sawalha (ziad-sawalha) said :
#1

I tried to replicate this with the latest code (https://review.openstack.org/#change,2596) and did not have problem. See below, I get a scoped token on a tenant I am an admin on and I have the global admin role (all showing in the response) and I can see the adminURL. Do you still have the global admin role assigned t the user? That is needed to see the adminURL (Admin with tenant=None). If you are using an earlier branch of the code, let me know:

$ curl -H "Content-type: application/json" -d '{"auth":{"passwordCredentials":{"username": "admin", "password": "secrete"}, "tenantName": "customer-x"}}' http://localhost:5000/v2.0/tokens | python -mjson.tool
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 890 100 785 100 105 1733 231 --:--:-- --:--:-- --:--:-- 1756
{
    "access": {
        "serviceCatalog": [
            {
                "endpoints": [
                    {
                        "adminURL": "http://global",
                        "internalURL": "http://global",
                        "publicURL": "http://global",
                        "region": "north"
                    }
                ],
                "name": "nova",
                "type": "compute"
            },
            {
                "endpoints": [
                    {
                        "adminURL": "http://127.0.0.1:35357/v2.0",
                        "internalURL": "http://127.0.0.1:5000/v2.0",
                        "publicURL": "http://keystone.publicinternets.com/v2.0",
                        "region": "RegionOne"
                    }
                ],
                "name": "identity",
                "type": "identity"
            }
        ],
        "token": {
            "expires": "2011-12-24T17:08:12.557313",
            "id": "7dfa0c0e-3db0-48a6-a083-db1c01b6f7ae",
            "tenant": {
                "id": "08adb9db51b54b999d88bdbd2a7650cf",
                "name": "customer-x"
            }
        },
        "user": {
            "id": "92c65cff03164346b872f674dfd3b7dc",
            "name": "admin",
            "roles": [
                {
                    "id": "1",
                    "name": "Admin",
                    "tenantId": "08adb9db51b54b999d88bdbd2a7650cf"
                },
                {
                    "id": "1",
                    "name": "Admin"
                }
            ]
        }
    }
}

Revision history for this message
crayon_z (crayon-z) said :
#2

Thanks Ziad, I read the code and I got it now.

If the Admin role of a user isn't global(namely assigned on a tenant), then Keystone will decide that this user doesn't have Admin role.

Revision history for this message
crayon_z (crayon-z) said :
#3

Thanks Ziad Sawalha, that solved my question.