Ask Your Question
0

New role and Group link on Dashboard

asked 2014-02-14 02:45:33 -0600

Y Sertdemir gravatar image

Hello,

I am struggling on this problem for 2 weeks. I am using updated Openstack Havana on Ubuntu 12.04 LTS. Dashboard and controller services are installed different servers. Controller server has keystone, nova etc services. Dashboard is installed standalone. I created a role "manager" on keystone, I added this role on policy.json file and give permission to manage groups (after some tests, I gave almost all identity permissions). In dashboard server, I wanted to create a group link on Project Dashboard. In order to see this link, I copied /usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/groups folder to /usr/share/openstack-dashboard/openstack_dashboard/dashboards/project/groups. I changed all links which defined for admin dashboard to project dashboard in groups folder files. I defined a new panel on Project Dashboard.py file. Now I can see Groups link on Project dashboard just below.In addition, I defined permission = ("openstack.role.manager") in newly created groups panel because I want to enable this link just for manager role.

image description

My problem is that If user has an admin rights this groups link works ok. If I give a user to manager rights, Groups link can be seen in the first login, but when I click to the Groups link I have this error:

image description

I tried to change keystone_policy.json on dashboard (same with keystone's policy.json). I tried to debug all logs but I cannot see any error on permission side. There is no error on Keystone server debug. I checked apache logs for dashboard error, but nothing wrong. Somehow dashboard do not allow manager role user to get in newly created groups page.

I have this logs on my apache2/error.log:

    [Fri Feb 14 08:39:36 2014] [error] REQ: curl -i -X POST http://controller:5000/v3/auth/tokens -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient"
[Fri Feb 14 08:39:36 2014] [error] REQ BODY: {"auth": {"identity": {"methods": ["password"], "password": {"user": {"domain": {"name": "Default"}, "name": "manageruser", "password": "xxxxx"}}}}}
[Fri Feb 14 08:39:36 2014] [error]
[Fri Feb 14 08:39:36 2014] [error] INFO:urllib3.connectionpool:Starting new HTTP connection (1): controller
[Fri Feb 14 08:39:36 2014] [error] DEBUG:urllib3.connectionpool:"POST /v3/auth/tokens HTTP/1.1" 201 6525
[Fri Feb 14 08:39:36 2014] [error] RESP: [201] CaseInsensitiveDict({'x-subject-token': xxxxxxxxx
[Fri Feb 14 08:39:36 2014] [error] RESP BODY: {"token": {"methods": ["password"], "roles": [{"id": "01c89d36a1a9494fa6ed727811495622", "name": "manager"}], "expires_at": "2014-02-15T08:39:23.790554Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "bbdb7287964f4a26bc749d9ddecb4f55", "name": "testproject"}, "catalog": [{"endpoints": [{"url": "http://controller:5000/v2.0", "region": "regionOne", "legacy_endpoint_id": "fd13966eaa294b1595a18661c78c3de8", "interface": "public", "id": "26b339849c2a4e79b605a2f2d42c2d33"}, {"url": "http://controller:35357/v2.0", "region": "regionOne", "legacy_endpoint_id": "fd13966eaa294b1595a18661c78c3de8", "interface": "admin", "id": "7c530920742946a99cf2a71ad9503e7a"}, {"url": "http://controller:5000/v2.0", "region": "regionOne", "legacy_endpoint_id": "fd13966eaa294b1595a18661c78c3de8", "interface": "internal", "id": "c97bf6ff3d144bedb37825868e767596"}], "type": "identity", "id": "1778da57d7834612ae44f13d9c91ae55"}, {"endpoints": [{"url": "http://controller:8776/v2/bbdb7287964f4a26bc749d9ddecb4f55", "region": "regionOne", "legacy_endpoint_id": "de5975f4de414b718ede8a48ad4094d1", "interface": "admin", "id": "545990b1dc624d0e9e90ee95eb102518"}, {"url": "http://controller:8776/v2/bbdb7287964f4a26bc749d9ddecb4f55", "region": "regionOne", "legacy_endpoint_id": "de5975f4de414b718ede8a48ad4094d1", "interface": "public", "id": "b64a6400851b4ec1bd9c598336fad2a2 ...
(more)
edit retag flag offensive close merge delete

Comments

I am not seeing this link "Groups" at all except in the Admin tab under "identity".

Mathias Ewald gravatar imageMathias Ewald ( 2014-02-14 05:31:38 -0600 )edit

Yes, I added there copying from admin dashboard.

Y Sertdemir gravatar imageY Sertdemir ( 2014-02-14 05:39:34 -0600 )edit

1 answer

Sort by ยป oldest newest most voted
1

answered 2014-02-19 11:59:36 -0600

jpichon gravatar image

I'm not 100% sure but I suspect it's because the groups API calls are all explicitly using the Keystone admin interface.

See for instance displaying the list of users:

The logs you provided only cover the "login" action so we can't really use them to confirm what's happening (if you set the keystoneclient logging level to 'debug' in the local_settings.py we should be able to see the calls that are made to Keystone).

I don't think it will help here because the issue is at the API call level, however for future reference you may want to look into the customisation module ( http://docs.openstack.org/developer/h... ) to make such changes to the existing dashboards. This way your work won't be overwritten when you upgrade Horizon.

edit flag offensive delete link more

Comments

Yes I already found that it is controlled by dashboard API files, named keystone.py. I did not have time to right here. Anyway, thank you for a right answer. After replacing (admin=true) to (admin=false) it worked great. I will keep in mind about the upgrade process.

Y Sertdemir gravatar imageY Sertdemir ( 2014-02-27 03:30:28 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-02-14 02:45:33 -0600

Seen: 471 times

Last updated: Feb 19 '14