← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1655560] [NEW] Horizon doesn't obtain domain scoped tokens for users coming through websso

 

Public bug reported:

We have a Mitaka deployment in which users can login using an external
SSO service and the Keystone external authentication protocol and are
mapped to a Keytone domain. Domain admin users from that domain can't
perform any admin operations in the frontend because Horizon doesn't
obtain a domain scoped token.

With external authentication, Keystone tokens always have the user
domain present, so this shouldn't be an issue in Horizon.

In my opinion, the bug is in the django_openstack_auth project. Here, on
the websso path, I think the user domain is expected to be provided by
the user in the login page, which, of course, isn't possible for websso.

As a solution, the unscoped Keystone token can be checked for the user
domain.

I have attached a patch for the 2.2.1 tag of django_openstack_auth.
Seeing code here hasn't been modified in a long time, the bug should
manifest itself in the newest version of Horizon.

** Affects: horizon
     Importance: Undecided
         Status: New


** Tags: dashboard-core

** Patch added: "Patch django_openstack_auth tag 2.2.1"
   https://bugs.launchpad.net/bugs/1655560/+attachment/4802757/+files/websso_domain.patch

** Description changed:

  We have a Mitaka deployment in which users can login using an external
  SSO service and the Keystone external authentication protocol and are
  mapped to a Keytone domain. Domain admin users from that domain can't
  perform any admin operations in the frontend because Horizon doesn't
  obtain a domain scoped token.
  
  With external authentication, Keystone tokens always have the user
  domain present, so this shouldn't be an issue in Horizon.
  
  In my opinion, the bug is in the django_openstack_auth project. Here, on
  the websso path, I think the user domain is expected to be provided by
  the user in the login page, which, of course, isn't possible for websso.
  
  As a solution, the unscoped Keystone token can be checked for the user
  domain.
  
  I have attached a patch for the 2.2.1 tag of django_openstack_auth.
  Seeing code here hasn't been modified in a long time, the bug should
- manifest in the newest version of Horizon.
+ manifest itself in the newest version of Horizon.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1655560

Title:
  Horizon doesn't obtain domain scoped tokens for users coming through
  websso

Status in OpenStack Dashboard (Horizon):
  New

Bug description:
  We have a Mitaka deployment in which users can login using an external
  SSO service and the Keystone external authentication protocol and are
  mapped to a Keytone domain. Domain admin users from that domain can't
  perform any admin operations in the frontend because Horizon doesn't
  obtain a domain scoped token.

  With external authentication, Keystone tokens always have the user
  domain present, so this shouldn't be an issue in Horizon.

  In my opinion, the bug is in the django_openstack_auth project. Here,
  on the websso path, I think the user domain is expected to be provided
  by the user in the login page, which, of course, isn't possible for
  websso.

  As a solution, the unscoped Keystone token can be checked for the user
  domain.

  I have attached a patch for the 2.2.1 tag of django_openstack_auth.
  Seeing code here hasn't been modified in a long time, the bug should
  manifest itself in the newest version of Horizon.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1655560/+subscriptions