New role and Group link on Dashboard

asked 2014-02-14 02:45:33 -0500

Y Sertdemir


I have been struggling with this problem for 2 weeks. I am using an updated OpenStack Havana on Ubuntu 12.04 LTS. The dashboard and controller services are installed on different servers. The controller server has the keystone, nova, etc. services. The dashboard is installed standalone. I created a role "manager" in keystone, added this role to the policy.json file and gave it permission to manage groups (after some tests, I gave almost all identity permissions). On the dashboard server, I wanted to create a Groups link on the Project dashboard. In order to see this link, I copied the /usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/groups folder to /usr/share/openstack-dashboard/openstack_dashboard/dashboards/project/groups. In the files of the groups folder, I changed all links that were defined for the admin dashboard to the project dashboard. I defined a new panel in the Project file. Now I can see the Groups link on the Project dashboard, just below. In addition, I defined permission = ("openstack.role.manager") in the newly created groups panel because I want to enable this link just for the manager role.

image description

My problem is that if a user has admin rights, this Groups link works OK. If I give a user manager rights, the Groups link can be seen on the first login, but when I click the Groups link I get this error:

image description

I tried changing keystone_policy.json on the dashboard (same as keystone's policy.json). I tried to debug all the logs but I cannot see any error on the permission side. There is no error in the Keystone server debug output. I checked the apache logs for dashboard errors, but nothing is wrong. Somehow the dashboard does not allow a manager role user to get into the newly created groups page.

I have these logs in my apache2/error.log:

    [Fri Feb 14 08:39:36 2014] [error] REQ: curl -i -X POST http://controller:5000/v3/auth/tokens -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient"
    [Fri Feb 14 08:39:36 2014] [error] REQ BODY: {"auth": {"identity": {"methods": ["password"], "password": {"user": {"domain": {"name": "Default"}, "name": "manageruser", "password": "xxxxx"}}}}}
    [Fri Feb 14 08:39:36 2014] [error]
    [Fri Feb 14 08:39:36 2014] [error] INFO:urllib3.connectionpool:Starting new HTTP connection (1): controller
    [Fri Feb 14 08:39:36 2014] [error] DEBUG:urllib3.connectionpool:"POST /v3/auth/tokens HTTP/1.1" 201 6525
    [Fri Feb 14 08:39:36 2014] [error] RESP: [201] CaseInsensitiveDict({'x-subject-token': xxxxxxxxx
    [Fri Feb 14 08:39:36 2014] [error] RESP BODY: {"token": {"methods": ["password"], "roles": [{"id": "01c89d36a1a9494fa6ed727811495622", "name": "manager"}], "expires_at": "2014-02-15T08:39:23.790554Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "bbdb7287964f4a26bc749d9ddecb4f55", "name": "testproject"}, "catalog": [{"endpoints": [{"url": "http://controller:5000/v2.0", "region": "regionOne", "legacy_endpoint_id": "fd13966eaa294b1595a18661c78c3de8", "interface": "public", "id": "26b339849c2a4e79b605a2f2d42c2d33"}, {"url": "http://controller:35357/v2.0", "region": "regionOne", "legacy_endpoint_id": "fd13966eaa294b1595a18661c78c3de8", "interface": "admin", "id": "7c530920742946a99cf2a71ad9503e7a"}, {"url": "http://controller:5000/v2.0", "region": "regionOne", "legacy_endpoint_id": "fd13966eaa294b1595a18661c78c3de8", "interface": "internal", "id": "c97bf6ff3d144bedb37825868e767596"}], "type": "identity", "id": "1778da57d7834612ae44f13d9c91ae55"}, {"endpoints": [{"url": "http://controller:8776/v2/bbdb7287964f4a26bc749d9ddecb4f55", "region": "regionOne", "legacy_endpoint_id": "de5975f4de414b718ede8a48ad4094d1", "interface": "admin", "id": "545990b1dc624d0e9e90ee95eb102518"}, {"url": "http://controller:8776/v2/bbdb7287964f4a26bc749d9ddecb4f55", "region": "regionOne", "legacy_endpoint_id": "de5975f4de414b718ede8a48ad4094d1", "interface": "public", "id": "b64a6400851b4ec1bd9c598336fad2a2 ...


I am not seeing this link "Groups" at all except in the Admin tab under "identity".

Mathias Ewald ( 2014-02-14 05:31:38 -0500 )

Yes, I added it there by copying from the admin dashboard.

Y Sertdemir ( 2014-02-14 05:39:34 -0500 )

1 answer

answered 2014-02-19 11:59:36 -0500

jpichon

I'm not 100% sure but I suspect it's because the groups API calls are all explicitly using the Keystone admin interface.

See for instance displaying the list of users:

The logs you provided only cover the "login" action so we can't really use them to confirm what's happening (if you set the keystoneclient logging level to 'debug' in the we should be able to see the calls that are made to Keystone).

I don't think it will help here because the issue is at the API call level, however for future reference you may want to look into the customisation module ( ) to make such changes to the existing dashboards. This way your work won't be overwritten when you upgrade Horizon.


Yes, I already found that it is controlled by the dashboard API files, named I did not have time to write here. Anyway, thank you for the right answer. After replacing (admin=true) with (admin=false) it worked great. I will keep the upgrade process in mind.

Y Sertdemir ( 2014-02-27 03:30:28 -0500 )
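
A simplified model of what the answer and the follow-up comment describe, added here as an illustration and not Horizon's own code: the panel's role check and the API wrapper's admin flag are two separate gates, which is why the link can be visible while the page is refused. The function names, the `admin_role` default and the use of the public interface for non-admin calls are assumptions; `TOKEN` is constructed from the token response in the question's log.

```python
# Simplified model (not Horizon source) of the two separate checks in play.
# TOKEN is constructed from the token response shown in the question's log.
TOKEN = {
    "roles": [{"name": "manager"}],
    "catalog": [{
        "type": "identity",
        "endpoints": [
            {"interface": "public", "url": "http://controller:5000/v2.0"},
            {"interface": "admin", "url": "http://controller:35357/v2.0"},
            {"interface": "internal", "url": "http://controller:5000/v2.0"},
        ],
    }],
}


class NotAuthorized(Exception):
    """Raised when a non-admin token asks for the admin client."""


def role_names(token):
    return {r["name"].lower() for r in token["roles"]}


def panel_visible(token, required_role):
    # Gate 1: navigation only. Decides whether the link is rendered.
    return required_role in role_names(token)


def identity_endpoint(token, admin=False, admin_role="admin"):
    # Gate 2: the API wrapper. admin=True demands the admin role and the
    # admin interface, whatever Gate 1 or policy.json would allow.
    if admin and admin_role not in role_names(token):
        raise NotAuthorized("admin interface requested without admin role")
    wanted = "admin" if admin else "public"
    for service in token["catalog"]:
        if service["type"] == "identity":
            for ep in service["endpoints"]:
                if ep["interface"] == wanted:
                    return ep["url"]
    raise LookupError("no %s identity endpoint in catalog" % wanted)


def open_groups_page(token, admin):
    # What the user experiences when clicking the Groups link.
    if not panel_visible(token, "manager"):
        return "link hidden"
    try:
        return identity_endpoint(token, admin=admin)
    except NotAuthorized:
        return "link shown, page refused"
```

With `admin=False` the dashboard no longer refuses the call, so Keystone's policy.json is what limits the group operations a manager-role token can perform.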


Asked: 2014-02-14 02:45:33 -0500

Seen: 539 times

Last updated: Feb 19 '14