· 9 years ago · Jan 05, 2017, 01:58 PM
1I upgraded from Liberty to Mitaka, but now I cannot login into Dashboard anymore.
2
3I tried to use configs from a Mitaka devstack but without success.
4
5Keystone works fine as it can be seen below:
6
7root@liberty-ctrl:/etc/openstack-dashboard# env | grep OS
8OS_PROJECT_DOMAIN_ID=default
9OS_IMAGE_API_VERSION=2
10OS_USER_DOMAIN_ID=default
11OS_PROJECT_NAME=admin
12OS_IDENTITY_API_VERSION=3
13OS_PASSWORD=test123
14OS_AUTH_URL=http://controller:35357/v3
15OS_USERNAME=admin
16OS_TENANT_NAME=admin
17LESSCLOSE=/usr/bin/lesspipe %s %s
18root@liberty-ctrl:/etc/openstack-dashboard#
19root@liberty-ctrl:/etc/openstack-dashboard#
20root@liberty-ctrl:/etc/openstack-dashboard# openstack endpoint list
21+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
22| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
23+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
24| 1070cf42dfde4470a82485ad9c383e93 | RegionOne | glance | image | True | public | http://controller:9292 |
25| 1893e2bec52f43bb8686aed342d5fa19 | RegionOne | cinder | volume | True | internal | http://controller:8776/v1/%(tenant_id)s |
26| 2f06e277e2b1427abb83f2e17ce33c9e | RegionOne | neutron | network | True | internal | http://controller:9696 |
27| 305bf0de93fb40b5abf24b70f9b9e072 | RegionOne | swift | object-store | True | internal | http://172.25.4.15:9080/swift/v1 |
28| 3c5c392426b947b3b178df2535da117e | RegionOne | glance | image | True | admin | http://controller:9292 |
29| 5053c877a800438aa8b3df0f6439668d | RegionOne | swift | object-store | True | admin | http://172.25.4.15:9080/swift/v1 |
30| 547f47f2efc849778c095024092fac66 | RegionOne | neutron | network | True | admin | http://controller:9696 |
31| 61e438820b8f4a1fb640acf0a40399df | RegionOne | cinder | volume | True | admin | http://controller:8776/v1/%(tenant_id)s |
32| 67e454c1c0434748b1fbc405f945e203 | RegionOne | glance | image | True | internal | http://controller:9292 |
33| 83c67460cc7b40479a2a1c9d22601e69 | RegionOne | keystone | identity | True | public | http://controller:5000/v3 |
34| 96151225767347beafeae1abd1664dc7 | RegionOne | keystone | identity | True | internal | http://controller:5000/v2.0 |
35| 9c9d20a2f9c542a8b7596b6866e002f4 | RegionOne | cinderv2 | volumev2 | True | public | http://controller:8776/v2/%(tenant_id)s |
36| a400573d1bc345f8a651e767f492cfd2 | RegionOne | keystone | identity | True | public | http://controller:5000/v2.0 |
37| acff875e771941f5827faebf27ac7c26 | RegionOne | cinder | volume | True | public | http://controller:8776/v1/%(tenant_id)s |
38| b106e139e3264353a6740ed38f72101e | RegionOne | neutron | network | True | public | http://controller:9696 |
39| b14889aa23c9439b8a44a49da27bcedc | RegionOne | cinderv2 | volumev2 | True | internal | http://controller:8776/v2/%(tenant_id)s |
40| bc2d981b4c9b4d4183503c347086a768 | RegionOne | nova | compute | True | internal | http://controller:8774/v2/%(tenant_id)s |
41| c90ea7ebce6441c49c3a139d188e85e9 | RegionOne | keystone | identity | True | internal | http://controller:5000/v3 |
42| da0666e181004e2e9159c2a387c7359c | RegionOne | cinderv2 | volumev2 | True | admin | http://controller:8776/v2/%(tenant_id)s |
43| de798459d0dc4a9296593238c9bd1ea8 | RegionOne | swift | object-store | True | public | http://172.25.4.15:9080/swift/v1 |
44| e1ea0000bf2b4550b6134b769d384026 | RegionOne | keystone | identity | True | admin | http://controller:35357/v2.0 |
45| f77498c856b744aa9875199e845241e0 | RegionOne | nova | compute | True | admin | http://controller:8774/v2/%(tenant_id)s |
46| fce091c909d9442295b7913ee2152dd2 | RegionOne | keystone | identity | True | admin | http://controller:35357/v3 |
47| fe859117269a46d8963ea1f705846ee0 | RegionOne | nova | compute | True | public | http://controller:8774/v2/%(tenant_id)s |
48+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------------------+
49
50
51Below you can see the Dashboard config:
52root@liberty-ctrl:/etc/openstack-dashboard# egrep -v "^$|^#" /etc/openstack-dashboard/local_settings.py
53import os
54from django.utils.translation import ugettext_lazy as _
55from horizon.utils import secret_key
56from openstack_dashboard import exceptions
57from openstack_dashboard.settings import HORIZON_CONFIG
58DEBUG = False
59TEMPLATE_DEBUG = DEBUG
60WEBROOT = "/"
61LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))
62SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key')
63CACHES = {
64 'default': {
65 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
66 #'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
67 'LOCATION': '127.0.0.1:11211',
68 },
69}
70EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
71OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
72OPENSTACK_API_VERSIONS={"identity":3}
73OPENSTACK_HOST="controller"
74OPENSTACK_KEYSTONE_URL = "http://%s:35357/v3" % OPENSTACK_HOST
75OPENSTACK_KEYSTONE_BACKEND = {
76 'name': 'native',
77 'can_edit_user': True,
78 'can_edit_group': True,
79 'can_edit_project': True,
80 'can_edit_domain': True,
81 'can_edit_role': True,
82}
83OPENSTACK_HYPERVISOR_FEATURES = {
84 'can_set_mount_point': False,
85 'can_set_password': False,
86 'requires_keypair': False,
87}
88OPENSTACK_CINDER_FEATURES = {
89 'enable_backup': False,
90}
91OPENSTACK_NEUTRON_NETWORK = {
92 'enable_router': True,
93 'enable_quotas': True,
94 'enable_ipv6': True,
95 'enable_distributed_router': False,
96 'enable_ha_router': False,
97 'enable_lb': True,
98 'enable_firewall': True,
99 'enable_vpn': True,
100 'enable_fip_topology_check': True,
101 # Neutron can be configured with a default Subnet Pool to be used for IPv4
102 # subnet-allocation. Specify the label you wish to display in the Address
103 # pool selector on the create subnet step if you want to use this feature.
104 'default_ipv4_subnet_pool_label': None,
105 # Neutron can be configured with a default Subnet Pool to be used for IPv6
106 # subnet-allocation. Specify the label you wish to display in the Address
107 # pool selector on the create subnet step if you want to use this feature.
108 # You must set this to enable IPv6 Prefix Delegation in a PD-capable
109 # environment.
110 'default_ipv6_subnet_pool_label': None,
111 # The profile_support option is used to detect if an external router can be
112 # configured via the dashboard. When using specific plugins the
113 # profile_support can be turned on if needed.
114 'profile_support': None,
115 #'profile_support': 'cisco',
116 # Set which provider network types are supported. Only the network types
117 # in this list will be available to choose from when creating a network.
118 # Network types include local, flat, vlan, gre, and vxlan.
119 'supported_provider_types': ['*'],
120 # Set which VNIC types are supported for port binding. Only the VNIC
121 # types in this list will be available to choose from when creating a
122 # port.
123 # VNIC types include 'normal', 'macvtap' and 'direct'.
124 # Set to empty list or None to disable VNIC type selection.
125 'supported_vnic_types': ['*'],
126}
127OPENSTACK_HEAT_STACK = {
128 'enable_user_pass': True,
129}
130IMAGE_CUSTOM_PROPERTY_TITLES = {
131 "architecture": _("Architecture"),
132 "kernel_id": _("Kernel ID"),
133 "ramdisk_id": _("Ramdisk ID"),
134 "image_state": _("Euca2ools state"),
135 "project_id": _("Project ID"),
136 "image_type": _("Image Type"),
137}
138IMAGE_RESERVED_CUSTOM_PROPERTIES = []
139API_RESULT_LIMIT = 1000
140API_RESULT_PAGE_SIZE = 20
141SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024
142DROPDOWN_MAX_ITEMS = 30
143TIME_ZONE = "UTC"
144LOGGING = {
145 'version': 1,
146 # When set to True this will disable all logging except
147 # for loggers specified in this configuration dictionary. Note that
148 # if nothing is specified here and disable_existing_loggers is True,
149 # django.db.backends will still log unless it is disabled explicitly.
150 'disable_existing_loggers': False,
151 'handlers': {
152 'null': {
153 'level': 'DEBUG',
154 'class': 'logging.NullHandler',
155 },
156 'console': {
157 # Set the level to "DEBUG" for verbose output logging.
158 'level': 'INFO',
159 'class': 'logging.StreamHandler',
160 },
161 },
162 'loggers': {
163 # Logging from django.db.backends is VERY verbose, send to null
164 # by default.
165 'django.db.backends': {
166 'handlers': ['null'],
167 'propagate': False,
168 },
169 'requests': {
170 'handlers': ['null'],
171 'propagate': False,
172 },
173 'horizon': {
174 'handlers': ['console'],
175 'level': 'DEBUG',
176 'propagate': False,
177 },
178 'openstack_dashboard': {
179 'handlers': ['console'],
180 'level': 'DEBUG',
181 'propagate': False,
182 },
183 'novaclient': {
184 'handlers': ['console'],
185 'level': 'DEBUG',
186 'propagate': False,
187 },
188 'cinderclient': {
189 'handlers': ['console'],
190 'level': 'DEBUG',
191 'propagate': False,
192 },
193 'keystoneclient': {
194 'handlers': ['console'],
195 'level': 'DEBUG',
196 'propagate': False,
197 },
198 'glanceclient': {
199 'handlers': ['console'],
200 'level': 'DEBUG',
201 'propagate': False,
202 },
203 'neutronclient': {
204 'handlers': ['console'],
205 'level': 'DEBUG',
206 'propagate': False,
207 },
208 'heatclient': {
209 'handlers': ['console'],
210 'level': 'DEBUG',
211 'propagate': False,
212 },
213 'ceilometerclient': {
214 'handlers': ['console'],
215 'level': 'DEBUG',
216 'propagate': False,
217 },
218 'swiftclient': {
219 'handlers': ['console'],
220 'level': 'DEBUG',
221 'propagate': False,
222 },
223 'openstack_auth': {
224 'handlers': ['console'],
225 'level': 'DEBUG',
226 'propagate': False,
227 },
228 'nose.plugins.manager': {
229 'handlers': ['console'],
230 'level': 'DEBUG',
231 'propagate': False,
232 },
233 'django': {
234 'handlers': ['console'],
235 'level': 'DEBUG',
236 'propagate': False,
237 },
238 'iso8601': {
239 'handlers': ['null'],
240 'propagate': False,
241 },
242 'scss': {
243 'handlers': ['null'],
244 'propagate': False,
245 },
246 },
247}
248SECURITY_GROUP_RULES = {
249 'all_tcp': {
250 'name': _('All TCP'),
251 'ip_protocol': 'tcp',
252 'from_port': '1',
253 'to_port': '65535',
254 },
255 'all_udp': {
256 'name': _('All UDP'),
257 'ip_protocol': 'udp',
258 'from_port': '1',
259 'to_port': '65535',
260 },
261 'all_icmp': {
262 'name': _('All ICMP'),
263 'ip_protocol': 'icmp',
264 'from_port': '-1',
265 'to_port': '-1',
266 },
267 'ssh': {
268 'name': 'SSH',
269 'ip_protocol': 'tcp',
270 'from_port': '22',
271 'to_port': '22',
272 },
273 'smtp': {
274 'name': 'SMTP',
275 'ip_protocol': 'tcp',
276 'from_port': '25',
277 'to_port': '25',
278 },
279 'dns': {
280 'name': 'DNS',
281 'ip_protocol': 'tcp',
282 'from_port': '53',
283 'to_port': '53',
284 },
285 'http': {
286 'name': 'HTTP',
287 'ip_protocol': 'tcp',
288 'from_port': '80',
289 'to_port': '80',
290 },
291 'pop3': {
292 'name': 'POP3',
293 'ip_protocol': 'tcp',
294 'from_port': '110',
295 'to_port': '110',
296 },
297 'imap': {
298 'name': 'IMAP',
299 'ip_protocol': 'tcp',
300 'from_port': '143',
301 'to_port': '143',
302 },
303 'ldap': {
304 'name': 'LDAP',
305 'ip_protocol': 'tcp',
306 'from_port': '389',
307 'to_port': '389',
308 },
309 'https': {
310 'name': 'HTTPS',
311 'ip_protocol': 'tcp',
312 'from_port': '443',
313 'to_port': '443',
314 },
315 'smtps': {
316 'name': 'SMTPS',
317 'ip_protocol': 'tcp',
318 'from_port': '465',
319 'to_port': '465',
320 },
321 'imaps': {
322 'name': 'IMAPS',
323 'ip_protocol': 'tcp',
324 'from_port': '993',
325 'to_port': '993',
326 },
327 'pop3s': {
328 'name': 'POP3S',
329 'ip_protocol': 'tcp',
330 'from_port': '995',
331 'to_port': '995',
332 },
333 'ms_sql': {
334 'name': 'MS SQL',
335 'ip_protocol': 'tcp',
336 'from_port': '1433',
337 'to_port': '1433',
338 },
339 'mysql': {
340 'name': 'MYSQL',
341 'ip_protocol': 'tcp',
342 'from_port': '3306',
343 'to_port': '3306',
344 },
345 'rdp': {
346 'name': 'RDP',
347 'ip_protocol': 'tcp',
348 'from_port': '3389',
349 'to_port': '3389',
350 },
351}
352REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES',
353 'LAUNCH_INSTANCE_DEFAULTS']
354try:
355 from ubuntu_theme import *
356except ImportError:
357 pass
358WEBROOT='/horizon/'
359ALLOWED_HOSTS = ['*', ]
360COMPRESS_OFFLINE = True
361
362
363
364And the Keystone config (not using fernet tokens):
365root@liberty-ctrl:/etc/openstack-dashboard# egrep -v "^$|^#" /etc/keystone/keystone.conf
366[DEFAULT]
367admin_token = ADMIN
368debug = true
369verbose = true
370log_dir = /var/log/keystone
371[assignment]
372[auth]
373[cache]
374[catalog]
375[cors]
376[cors.subdomain]
377[credential]
378[database]
379connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
380[domain_config]
381[endpoint_filter]
382[endpoint_policy]
383[eventlet_server]
384[eventlet_server_ssl]
385[federation]
386[fernet_tokens]
387[identity]
388[identity_mapping]
389[kvs]
390[ldap]
391[matchmaker_redis]
392[matchmaker_ring]
393[memcache]
394servers = localhost:11211
395[oauth1]
396[os_inherit]
397[oslo_messaging_amqp]
398[oslo_messaging_qpid]
399[oslo_messaging_rabbit]
400[oslo_middleware]
401[oslo_policy]
402[paste_deploy]
403[policy]
404[resource]
405[revoke]
406driver = sql
407[role]
408[saml]
409[signing]
410[ssl]
411[token]
412provider = uuid
413driver = memcache
414[tokenless_auth]
415[trust]
416[extra_headers]
417Distribution = Ubuntu
418
419
420If I try to login with wrong credentials, Dashboard throws the "Invalid credentials" message.
421
422If I try to login with correct credentials, Dashboard throws the "Unable to retrieve authorized projects." message and logs the following in "/var/log/apache2/keystone.log".
423
4242017-01-05 08:54:42.926805 2017-01-05 08:54:42.926 736 DEBUG keystone.middleware.auth [req-60c81ee5-e80c-47eb-a3f7-642162075ee4 - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. _build_auth_context /usr/lib/python2.7/dist-packages/keystone/middleware/auth.py:71
4252017-01-05 08:54:42.927918 2017-01-05 08:54:42.927 736 INFO keystone.common.wsgi [req-60c81ee5-e80c-47eb-a3f7-642162075ee4 - - - - -] POST http://controller:35357/v3/auth/tokens
4262017-01-05 08:54:42.985101 2017-01-05 08:54:42.984 736 DEBUG keystone.common.kvs.core [req-60c81ee5-e80c-47eb-a3f7-642162075ee4 - - - - -] KVS lock acquired for: usertokens-732f237a2d314aa1a30c314c6519240e acquire /usr/lib/python2.7/dist-packages/keystone/common/kvs/core.py:407
4272017-01-05 08:54:42.987381 2017-01-05 08:54:42.987 736 DEBUG keystone.common.kvs.core [req-60c81ee5-e80c-47eb-a3f7-642162075ee4 - - - - -] KVS lock released for: usertokens-732f237a2d314aa1a30c314c6519240e release /usr/lib/python2.7/dist-packages/keystone/common/kvs/core.py:426
4282017-01-05 08:54:42.999111 2017-01-05 08:54:42.998 732 DEBUG keystone.common.authorization [req-f49d0142-8910-40fe-a1f2-ea2caf6a34f7 - - - - -] RBAC: Proceeding without project or domain scope token_to_auth_context /usr/lib/python2.7/dist-packages/keystone/common/authorization.py:80
4292017-01-05 08:54:42.999745 2017-01-05 08:54:42.999 732 DEBUG keystone.middleware.auth [req-f49d0142-8910-40fe-a1f2-ea2caf6a34f7 732f237a2d314aa1a30c314c6519240e - - default -] RBAC: auth_context: {'is_delegated_auth': False, 'user_id': u'732f237a2d314aa1a30c314c6519240e', 'user_domain_id': u'default', 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=A8AHv9GUS96hI7TMjMvv1Q, audit_chain_id=A8AHv9GUS96hI7TMjMvv1Q) at 0x7f6c0a8cc3c8>, 'access_token_id': None, 'trust_id': None} process_request /usr/lib/python2.7/dist-packages/keystone/middleware/auth.py:221
4302017-01-05 08:54:43.001182 2017-01-05 08:54:43.000 732 INFO keystone.common.wsgi [req-f49d0142-8910-40fe-a1f2-ea2caf6a34f7 732f237a2d314aa1a30c314c6519240e - - default -] POST http://controller:35357/v3/auth/tokens
4312017-01-05 08:54:43.117938 2017-01-05 08:54:43.117 732 DEBUG keystone.common.kvs.core [req-f49d0142-8910-40fe-a1f2-ea2caf6a34f7 732f237a2d314aa1a30c314c6519240e - - default -] KVS lock acquired for: usertokens-732f237a2d314aa1a30c314c6519240e acquire /usr/lib/python2.7/dist-packages/keystone/common/kvs/core.py:407
4322017-01-05 08:54:43.120800 2017-01-05 08:54:43.120 732 DEBUG keystone.common.kvs.core [req-f49d0142-8910-40fe-a1f2-ea2caf6a34f7 732f237a2d314aa1a30c314c6519240e - - default -] KVS lock released for: usertokens-732f237a2d314aa1a30c314c6519240e release /usr/lib/python2.7/dist-packages/keystone/common/kvs/core.py:426