1

Dashboard with Keystone over SSL

asked 2013-09-05 11:34:39 -0500

ketchup

Hello everyone,

I am using Grizzly on CentOS 6.4. I am mainly interested in Swift, Keystone, and the Dashboard service. The other services are irrelevant to me. I understand that Dashboard requires Compute and Glance to avoid completely hacking the customization code. I have Glance and Compute running in a virtual environment, but they are essentially just dummy services. They are properly registered in Keystone though. Keystone and Swift work well on their own.

I am having an issue with Dashboard even logging in when Keystone is configured to use SSL. I have edited the /etc/openstack-dashboard/local_settings file:

OPENSTACK_HOST = "keystone1.domain.local"
OPENSTACK_KEYSTONE_URL = "https://%s:5000/v2.0" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "Member"

I am able to bring up the login page for Dashboard. It appears to authenticate, but never loads and is perpetually stuck at the Login screen. The following can be found in the httpd error_log file. Notice that Dashboard initially makes three HTTPS calls to the correct Keystone server. It also appears to authenticate just fine, since if I don't use the correct password, it tells me that authentication has failed immediately (this is evident in the log below). At the end, Dashboard seems to default to HTTP to connect to the Keystone server; my guess is to pull the service catalog. I am not seeing anywhere to change this behavior. Can anyone help please?


[Thu Sep 05 16:17:03 2013] [error] DEBUG:openstack_auth.backend:Beginning user authentication for user "admin".
[Thu Sep 05 16:17:03 2013] [error] INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone1.domain.local
[Thu Sep 05 16:17:04 2013] [error] DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 401 None
[Thu Sep 05 16:17:04 2013] [error] Request returned failure status: 401
[Thu Sep 05 16:17:04 2013] [error] Authorization Failed.
[Thu Sep 05 16:17:04 2013] [error] DEBUG:openstack_auth.backend:Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}.
[Thu Sep 05 16:17:09 2013] [error] DEBUG:openstack_auth.backend:Beginning user authentication for user "admin".
[Thu Sep 05 16:17:09 2013] [error] INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone1.domain.local
[Thu Sep 05 16:17:10 2013] [error] DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 None
[Thu Sep 05 16:17:10 2013] [error] INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone1.domain.local
[Thu Sep 05 16:17:10 2013] [error] DEBUG:urllib3.connectionpool:"GET /v2.0/tenants HTTP/1.1" 200 None
[Thu Sep 05 16:17:10 2013] [error] INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone1.domain.local
[Thu Sep 05 16:17:10 2013] [error] DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 None
[Thu Sep 05 16:17:10 2013] [error] INFO:urllib3.connectionpool:Starting new HTTP connection (1): keystone1.domain.local
[Thu Sep 05 16:17:10 2013] [error ...

2 answers

0

answered 2013-10-30 09:09:26 -0500

bishoy

There is a parameter in local-settings.py that says to ignore the SSL verification; make it ignore. And did you edit the endpoints of Keystone to use HTTPS?

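One way to check the question raised in the answer above, whether the Keystone endpoints are registered with HTTPS (an added example, not part of the original thread or of OpenStack's code): it walks the service catalog of a Keystone v2.0 token response and lists every endpoint URL whose scheme is not https. The sample response is constructed; `swift1.domain.local`, the token id and the function name `cleartext_endpoints` are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a Keystone v2.0 "POST /v2.0/tokens" response body,
# trimmed to the service catalog. swift1.domain.local and the token id are
# made up for illustration; they do not come from the thread.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access": {
        "token": {"id": "CONSTRUCTED-TOKEN-ID"},
        "serviceCatalog": [
            {"type": "identity", "name": "keystone", "endpoints": [{
                "region": "RegionOne",
                "publicURL": "http://keystone1.domain.local:5000/v2.0",
                "internalURL": "http://keystone1.domain.local:5000/v2.0",
                "adminURL": "http://keystone1.domain.local:35357/v2.0"}]},
            {"type": "object-store", "name": "swift", "endpoints": [{
                "region": "RegionOne",
                "publicURL": "https://swift1.domain.local:8080/v1/AUTH_demo",
                "internalURL": "https://swift1.domain.local:8080/v1/AUTH_demo",
                "adminURL": "https://swift1.domain.local:8080/v1"}]},
        ],
    }
})

# The three URL fields each v2.0 catalog endpoint entry carries.
URL_KEYS = ("publicURL", "internalURL", "adminURL")


def cleartext_endpoints(token_response_json):
    """Return (service type, url key, url) for every catalog endpoint URL
    whose scheme is not https."""
    catalog = json.loads(token_response_json)["access"].get("serviceCatalog", [])
    findings = []
    for service in catalog:
        for endpoint in service.get("endpoints", []):
            for key in URL_KEYS:
                url = endpoint.get(key)
                if url and urlsplit(url).scheme.lower() != "https":
                    findings.append((service.get("type"), key, url))
    return findings


if __name__ == "__main__":
    for svc_type, key, url in cleartext_endpoints(SAMPLE_TOKEN_RESPONSE):
        print("%-12s %-11s %s" % (svc_type, key, url))
```

Any row it prints is a URL that a client following the catalog would contact without TLS, regardless of the scheme set in OPENSTACK_KEYSTONE_URL.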
0

answered 2013-09-05 21:40:46 -0500

annegentle

updated 2013-09-05 21:44:02 -0500

When I have asked about Object Storage + Identity + Dashboard I've found that the Dashboard code does not support Object Storage only. So I think what you want is not attainable on Grizzly, nor do I think it has been worked on for Havana, but I'd like a Horizon developer to confirm this. Possibly your workaround to add Compute and Image as dummy services is the right way.

However, don't you also need to get Apache to redirect to HTTPS? See http://docs.openstack.org/grizzly/openstack-compute/install/apt/content/configure-dashboard.html.


Comments

I know that Dashboard is very customizable. You basically have to drop panels that call to compute / glance from the default layout. I understand that there are a ton of these panels though. It wasn't worth the effort or breaking a supported configuration to me, so I went with the dummy services. I don't know that I need HTTPS for Apache, but it's worth a shot and easy enough to test. My problem is that Dashboard seems to fall back to HTTP communication with Keystone, even though it's configured for HTTPS in the configuration file. It seems that there is something hard-coded somewhere. I am just not sure where without configuring a debugging / development environment. I was trying to avoid that.

ketchup (2013-09-06 10:27:22 -0500)


Stats

Asked: 2013-09-05 11:34:39 -0500

Seen: 394 times

Last updated: Oct 30 '13