Public bug reported:

Hi,

I manually deployed a fresh OpenStack cloud (2023.1 "Antelope") on a freshly installed Debian 12 "Bookworm", following the instructions on https://docs.openstack.org/install-guide/openstack-services.html#minimal-deployment-for-2023-1-antelope. I use precompiled Debian packages via extrepo with openstack_antelope enabled (https://wiki.debian.org/OpenStack).

After installing all minimal services (Keystone, Glance, Placement, Nova, and Neutron), making sure there are no complaints in the logs, and passing the verification steps for all services, I choke on setting up Horizon.

I had to change the following setting from the instructions in /etc/openstack-dashboard/local_settings.py:

  OPENSTACK_KEYSTONE_URL = "http://%s:5000/identity/v3" % OPENSTACK_HOST

into:

  OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST

to be able to log in as admin user at all. However, after login, Horizon drops the session as soon as I click on the Image tab.

Logs in /var/log/openstack-dashboard/error.log give a very long list of deprecation warnings, such as:

  /usr/lib/python3/dist-packages/oslo_policy/policy.py:1587: DeprecationWarning: remove_prefixes deprecated without deprecated_reason or deprecated_since. This will be an error in a future release, referer: http://openstack.housealpaca.com/auth/login/

and many, many more.

A few more different warnings that seem to be related to the image, compute, metadata and identity services:

  /usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "get_images": "role:admin or (role:reader and project_id:%(project_id)s)" failed scope check. The token used to make the request was domain scoped but the policy requires ['project'] scope. This behavior may change in the future where using the intended scope is required, referer: http://openstack.housealpaca.com/auth/login/

  /usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "os_compute_api:os-keypairs:index": "(rule:context_is_admin) or user_id:%(user_id)s" failed scope check. The token used to make the request was domain scoped but the policy requires ['project'] scope. This behavior may change in the future where using the intended scope is required, referer: http://openstack.housealpaca.com/auth/login/

  /usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "os_compute_api:servers:detail": "rule:project_reader_or_admin" failed scope check. The token used to make the request was domain scoped but the policy requires ['project'] scope. This behavior may change in the future where using the intended scope is required, referer: http://openstack.housealpaca.com/auth/login/

  /usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "get_metadef_namespaces": "role:admin or (role:reader and project_id:%(project_id)s)" failed scope check. The token used to make the request was domain scoped but the policy requires ['project'] scope. This behavior may change in the future where using the intended scope is required, referer: http://openstack.housealpaca.com/auth/login/

  /usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "identity:list_roles": "role:reader and system_scope:all" failed scope check. The token used to make the request was domain scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required, referer: http://openstack.housealpaca.com/auth/login/

More errors with Unauthorized Django requests:

  [wsgi:error] [pid 11073:tid 139780079728320] [client 192.168.73.246:34256] WARNING django.request Unauthorized: /api/keystone/svc-catalog/, referer: http://openstack.housealpaca.com/project/images
  [wsgi:error] [pid 11073:tid 139780071335616] [client 192.168.73.246:34256] WARNING django.request Unauthorized: /api/keystone/user-session/, referer: http://openstack.housealpaca.com/project/images
  [wsgi:error] [pid 11073:tid 139780062942912] [client 192.168.73.246:34270] WARNING django.request Unauthorized: /api/policy/, referer: http://openstack.housealpaca.com/project/images
  [wsgi:error] [pid 11073:tid 139779576428224] [client 192.168.73.246:34282] WARNING django.request Unauthorized: /api/policy/, referer: http://openstack.housealpaca.com/project/images

as well as image backend issues:

  [client 192.168.73.246:34240] WARNING openstack_dashboard.api.glance OPENSTACK_IMAGE_BACKEND has a format "" unsupported by glance, referer: http://openstack.housealpaca.com/project/images
  [client 192.168.73.246:34240] WARNING openstack_dashboard.api.glance OPENSTACK_IMAGE_BACKEND has a format "docker" unsupported by glance, referer: http://openstack.housealpaca.com/project/images
  [client 192.168.73.246:34240] WARNING openstack_dashboard.api.glance OPENSTACK_IMAGE_BACKEND has a format "ova" unsupported by glance, referer: http://openstack.housealpaca.com/project/images

Finishing with the last error:

  [wsgi:error] [pid 11074:tid 139779039557312] [client 192.168.73.246:34248] INFO openstack_auth.views Logging out user ""., referer: http://openstack.housealpaca.com/project/images

And effectively redirecting the browser to the login page, often with a bunch of errors (including, but not limited to, "Unauthorized, Redirecting to login", "Unable to get the Glance service version" and "Unable to retrieve the images") and failed policy check warnings (several notices of "Policy check failed") shown briefly just before redirection to the login page. In fact I had to take a screen cast and pause it to be able to read them.

I tried to set "OPENSTACK_IMAGE_BACKEND" as suggested in https://bugs.launchpad.net/openstack-ansible/+bug/2055415 as a Hail Mary attempt to solve the issues, but that does not prevent Horizon from logging me out, or suppress policy checks or Django errors in the logs. Not sure if it does remove the "OPENSTACK_IMAGE_BACKEND" errors.

In case this is relevant, here is the version of Django installed in my Debian 12 setup:

  root@circinus:~# dpkg -l | grep django
  ii  python3-django             3:3.2.19-1+deb12u1  all  High-level Python web development framework
  ii  python3-django-appconf     1.0.5-2             all  helper class handling configuration defaults of apps - Python 3.x
  ii  python3-django-compressor  4.0-1               all  Compresses linked, inline JS or CSS into single cached files - Python 3.x
  ii  python3-django-debreach    2.1.0-2             all  some protection against the BREACH attack in Django - Python 3.x
  ii  python3-django-horizon     3:23.1.0-5~bpo12+1  all  Django module providing web interaction with OpenStack
  ii  python3-django-pyscss      2.0.2-12            all  makes it easier to use PySCSS in Django - Python 3.x
  root@circinus:~#

I am at a loss to troubleshoot this issue. Maybe default policies need to be updated? How and to what? Do you have any other pointers?

Any help is warmly appreciated.

/Nicolas

** Affects: horizon
     Importance: Undecided
         Status: New

** Tags: django horizon policy

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/2055811

Title:
  django.request Unauthorized

Status in OpenStack Dashboard (Horizon):
  New
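
A way to summarize the warnings quoted in this report, as an added example that is not part of the original bug report or of Horizon: the script groups oslo.policy scope-check failures by the token's scope and the scope the policy requires, and counts the Horizon REST paths that returned Unauthorized. The sample log is constructed (placeholder host and client address), and triage() is a hypothetical helper name.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, shaped like the error.log lines quoted in the report
# (placeholder host horizon.example.test and client address 192.0.2.10).
SAMPLE_LOG = '''\
/usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "get_images": "role:admin or (role:reader and project_id:%(project_id)s)" failed scope check. The token used to make the request was domain scoped but the policy requires ['project'] scope. This behavior may change in the future where using the intended scope is required, referer: http://horizon.example.test/auth/login/
/usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "os_compute_api:servers:detail": "rule:project_reader_or_admin" failed scope check. The token used to make the request was domain scoped but the policy requires ['project'] scope. This behavior may change in the future where using the intended scope is required, referer: http://horizon.example.test/auth/login/
/usr/lib/python3/dist-packages/oslo_policy/policy.py:1129: UserWarning: Policy "identity:list_roles": "role:reader and system_scope:all" failed scope check. The token used to make the request was domain scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required, referer: http://horizon.example.test/auth/login/
[wsgi:error] [pid 100:tid 1] [client 192.0.2.10:34256] WARNING django.request Unauthorized: /api/keystone/svc-catalog/, referer: http://horizon.example.test/project/images
[wsgi:error] [pid 100:tid 2] [client 192.0.2.10:34270] WARNING django.request Unauthorized: /api/policy/, referer: http://horizon.example.test/project/images
[wsgi:error] [pid 100:tid 3] [client 192.0.2.10:34282] WARNING django.request Unauthorized: /api/policy/, referer: http://horizon.example.test/project/images
'''

# Matches the oslo.policy UserWarning text exactly as it appears in the report.
SCOPE_RE = re.compile(
    r'Policy "(?P<policy>[^"]+)": "(?P<rule>[^"]*)" failed scope check\. '
    r'The token used to make the request was (?P<token>\w+) scoped '
    r'but the policy requires \[(?P<required>[^\]]*)\] scope')
# Matches Django's 401 log line; the path ends at the comma before "referer".
UNAUTH_RE = re.compile(r'django\.request Unauthorized: (?P<path>[^,\s]+)')


def triage(log_text):
    """Return (scope_mismatches, unauthorized_paths) for a Horizon error.log."""
    mismatches = defaultdict(set)  # (token scope, required scopes) -> policies
    unauthorized = Counter()       # Horizon REST path -> number of 401s
    for line in log_text.splitlines():
        m = SCOPE_RE.search(line)
        if m:
            required = tuple(s.strip(" '") for s in m["required"].split(","))
            mismatches[(m["token"], required)].add(m["policy"])
        m = UNAUTH_RE.search(line)
        if m:
            unauthorized[m["path"]] += 1
    return dict(mismatches), unauthorized


if __name__ == "__main__":
    scope_mismatches, unauthorized_paths = triage(SAMPLE_LOG)
    for (token, required), policies in sorted(scope_mismatches.items()):
        print(f"token={token} required={list(required)}: {sorted(policies)}")
    for path, count in unauthorized_paths.most_common():
        print(f"{count:3d}  Unauthorized  {path}")
```

Run against the real /var/log/openstack-dashboard/error.log, the grouping shows at a glance whether every failure shares one token scope, as they do in the lines quoted above.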