Ask Your Question

Dashboard with Keystone over SSL

Hello everyone,

I am using Grizzly on CentOS 6.4. I am mainly interested in Swift, Keystone, and the Dashboard service. The other services are irrelevant to me. I understand that Dashboard requires Compute and Glance to avoid completely hacking the customization code. I have Glance and Compute running in a virtual environment, but they are essentially just dummy services. They are properly registered in Keystone though. Keystone and Swift work well on their own.

I am having an issue with Dashboard even logging in when Keystone is configured to use SSL. I have edited the /etc/openstack-dashboard/local_settings file:

OPENSTACK_HOST = "keystone1.domain.local"
OPENSTACK_KEYSTONE_URL = "https://%s:5000/v2.0" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "Member"


I am able to bring up the login page for Dashboard. It appears to authenticate, but never loads and is perpetually stuck at the Login screen. The following can be found in the httpd error_log file. Notice that Dashboard initially makes three HTTPS calls to the correct Keystone server. It also appears to authenticate just fine, since if I don't use the correct password, it tells me that authentication has failed immediately (This is evident in the log below). At the end, Dashboard seems to default to HTTP to connect to the Keystone server, my guess is to pull the service catalog. I am not seeing anywhere to change this behavior. Can anyone help please?

[Thu Sep 05 16:17:03 2013] [error] DEBUG:openstack_auth.backend:Beginning user authentication for user "admin".
[Thu Sep 05 16:17:03 2013] [error] INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone1.domain.local
[Thu Sep 05 16:17:04 2013] [error] DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 401 None
[Thu Sep 05 16:17:04 2013] [error] Request returned failure status: 401
[Thu Sep 05 16:17:04 2013] [error] Authorization Failed.
[Thu Sep 05 16:17:04 2013] [error] DEBUG:openstack_auth.backend:Unable to communicate with identity service: {"error": {"message": "The request you
have made requires authentication.", "code": 401, "title": "Not Authorized"}}.
[Thu Sep 05 16:17:09 2013] [error] DEBUG:openstack_auth.backend:Beginning user authentication for user "admin".
[Thu Sep 05 16:17:09 2013] [error] INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone1.domain.local
[Thu Sep 05 16:17:10 2013] [error] DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 None
[Thu Sep 05 16:17:10 2013] [error] INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone1.domain.local
[Thu Sep 05 16:17:10 2013] [error] DEBUG:urllib3.connectionpool:"GET /v2.0/tenants HTTP/1.1" 200 None
[Thu Sep 05 16:17:10 2013] [error] INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone1.domain.local
[Thu Sep 05 16:17:10 2013] [error] DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 None
[Thu Sep 05 16:17:10 2013] [error] INFO:urllib3.connectionpool:Starting new HTTP connection (1): keystone1.domain.local
[Thu Sep 05 16:17:10 2013] [error ...
edit retag close merge delete

2 answers

Sort by » oldest newest most voted

there is a parameter in local-settings.py says to ignore the ssl verification make it ignore and did you edit the endpoints of keystone to use https?

more

When I have asked about Object Storage + Identity + Dashboard I've found that the Dashboard code does not support Object Storage only. So I think what you want is not attainable on Grizzly, nor do I think it has been worked on for Havana, but I'd like a Horizon developer to confirm this. Possibly your workaround to add Compute and Image as dummy services is the right way.

However, don't you also need to get apache to redirect to https? See http://docs.openstack.org/grizzly/openstack-compute/install/apt/content/configure-dashboard.html .

more

Comments

I know that Dashboard is very customizable. You basically have to drop panels that call to compute / glance from the default layout. I understand that there are a ton of these panels though. It wasn't worth the effort or breaking a supported configuration to me, so I went with the dummy services. I don't know that I need HTTPS for Apache, but it's worth a shot and easy enough to test. My problem is that Dashboard seems to fall back to HTTP communication with Keystone, even though it's configured for HTTPS in the configuration file. It seems that there is something hard-coded somewhere. I am just not sure where without configuring a debugging / development environment. I was trying to avoid that.

( 2013-09-06 10:27:22 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Stats

Asked: 2013-09-05 11:34:39 -0500

Seen: 432 times

Last updated: Oct 30 '13