yahoo-eng-team team mailing list archive

[Bug 1814043] [NEW] [RFE] Add 'OPENSTACK_ENDPOINT_REGION' env in openstack_auth

 

Public bug reported:

The patch 'https://review.openstack.org/#/c/263911/' adds specifying a
region at the Horizon login step.

It assumes the region for other resources is the same as the login region.
But the keystone identity endpoint can be used globally.

For example,

```
(openstack) root@r2control0:/vagrant/utils# openstack endpoint list --service keystone
+----------------------------------+--------------+--------------+--------------+---------+-----------+------------------------------------+
| ID                               | Region       | Service Name | Service Type | Enabled | Interface | URL                                |
+----------------------------------+--------------+--------------+--------------+---------+-----------+------------------------------------+
| 10c1b95b2bd64ffba7dcafc8d2ac9858 | devel-r2     | keystone     | identity     | True    | internal  | https://devel-api.9rum.cc:5000/v3  |
| 5dbc177b7c4644dea1f0f08255e383e3 | kfield-devel | keystone     | identity     | True    | internal  | https://devel-api.9rum.cc:5000/v3  |
| 7e65f96540634503a9b3fcebbdbf42d8 | devel-r2     | keystone     | identity     | True    | admin     | https://devel-api.9rum.cc:35357/v3 |
| ba9f88fde4b143a791791454b72c229d | devel-r2     | keystone     | identity     | True    | public    | https://devel-api.9rum.cc:5000/v3  |
| c9cf3f1f28144b73bf3e161644b269ae | kfield-devel | keystone     | identity     | True    | admin     | https://devel-api.9rum.cc:35357/v3 |
| dc55bd5100374540b39cb4ccbef7f2ab | kfield-devel | keystone     | identity     | True    | public    | https://devel-api.9rum.cc:5000/v3  |
+----------------------------------+--------------+--------------+--------------+---------+-----------+------------------------------------+
```
 
In this case, if the 'kfield-devel' region is returned for service_regions, other resources (projects..) are no longer accessible since the user does not have the 'devel-r2' region at all. At login time, the user only has 'kfield-devel', so an unauthorized permission error blocks further progress.

So, I think that by providing 'OPENSTACK_ENDPOINT_REGION' to specify the
login region, the operator can specify a region for the identity service
which is also available to access other resources.

Thanks

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1814043
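
The mismatch described in the report can be checked against a service catalog before choosing a login region. The following is an added example, not part of the bug report and not openstack_auth code: the identity rows mirror the public endpoints in the table above, while the compute and network rows, their `example.invalid` URLs, and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed catalog: identity rows follow the report's table (public interface);
# the compute/network rows are assumed, placing other services only in devel-r2.
CATALOG = [
    {"type": "identity", "region": "devel-r2", "interface": "public",
     "url": "https://devel-api.9rum.cc:5000/v3"},
    {"type": "identity", "region": "kfield-devel", "interface": "public",
     "url": "https://devel-api.9rum.cc:5000/v3"},
    {"type": "compute", "region": "devel-r2", "interface": "public",
     "url": "https://compute.example.invalid:8774/v2.1"},
    {"type": "network", "region": "devel-r2", "interface": "public",
     "url": "https://network.example.invalid:9696"},
]

def regions_by_service(catalog, interface="public"):
    """Map each service type to the set of regions exposing it on `interface`."""
    out = defaultdict(set)
    for ep in catalog:
        if ep["interface"] == interface:
            out[ep["type"]].add(ep["region"])
    return dict(out)

def shared_identity_urls(catalog, interface="public"):
    """Identity URLs registered in more than one region (a 'global' keystone)."""
    urls = defaultdict(set)
    for ep in catalog:
        if ep["type"] == "identity" and ep["interface"] == interface:
            urls[ep["url"]].add(ep["region"])
    return {url: sorted(regs) for url, regs in urls.items() if len(regs) > 1}

def login_region_gaps(catalog, required, interface="public"):
    """For every region that has an identity endpoint, list the required
    service types that have no endpoint in that region."""
    by_service = regions_by_service(catalog, interface)
    return {
        region: sorted(s for s in required
                       if region not in by_service.get(s, set()))
        for region in sorted(by_service.get("identity", set()))
    }

def usable_login_regions(catalog, required, interface="public"):
    """Regions where identity and every required service are all present."""
    gaps = login_region_gaps(catalog, required, interface)
    return [region for region, missing in gaps.items() if not missing]

if __name__ == "__main__":
    print(shared_identity_urls(CATALOG))
    print(login_region_gaps(CATALOG, {"compute", "network"}))
```

A region that appears in the gap report with missing services is one where login would succeed against keystone but the dashboard would then find no endpoints for the other resources.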
