← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 2054799] [NEW] Issue with Project administration at Cloud Admin level

 

Public bug reported:

We are not able to see the list of users assigned to a project in Horizon.
Scenario:
- Log in as Cloud Admin
- Set Domain Context (k8s)
- Go to projects section
- Click on project Permissions_Roles_Test
- Go to Users

Expectation: Get a table with the users assigned to this project.
Result: Get an error - https://i.imgur.com/TminwUy.png


[Test steps]

1, Create an ordinary openstack test env with horizon.

2, Prepared some test data (eg: one domain k8s, one project k8s, and one
user k8s-admain with the role k8s-admin-role)

openstack domain create k8s
openstack role create k8s-admin-role
openstack project create --domain k8s k8s
openstack user create --project-domain k8s --project k8s --domain k8s --password password k8s-admin
openstack role add --user k8s-admin --user-domain k8s --project k8s --project-domain k8s k8s-admin-role
$ openstack role assignment list --project k8s --names
+----------------+---------------+-------+---------+--------+--------+-----------+
| Role           | User          | Group | Project | Domain | System | Inherited |
+----------------+---------------+-------+---------+--------+--------+-----------+
| k8s-admin-role | k8s-admin@k8s |       | k8s@k8s |        |        | False     |
+----------------+---------------+-------+---------+--------+--------+-----------+

3, Log in horizon dashboard with admin user(eg:
admin/openstack/admin_domain).

4, Click 'Identity -> Domains' to set domain context to the domain
'k8s'.

5, Click 'Identity -> Project -> k8s project -> Users'.

6, This is the result, it said 'Unable to disaply the users of this
project' - https://i.imgur.com/TminwUy.png

7, These are some logs

==> /var/log/apache2/error.log <==
[Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid 140254008985152] [remote 10.5.3.120:58978] Recoverable error: 'e900b8934d11458b8eb9db21671c1b11'
==> /var/log/apache2/ssl_access.log <==
10.5.3.120 - - [23/Feb/2024:10:03:11 +0000] "GET /identity/07123041ee0544e0ab32e50dde780afd/detail/?tab=project_details__users HTTP/1.1" 200 1125 "https://10.5.3.120/identity/07123041ee0544e0ab32e50dde780afd/detail/"; "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"


[Some Analyses]

This action will call this function in horizon [1].
This function will firstly get a list of users (api.keystone.user_list) [2], then role assignment list (api.keystone.get_project_users_roles) [3].
Without setting domain context, this works fine.
However, if setting domain context, the project displayed is in a different domain.
The user list from [2] only contains users of the user's own domain, while the role assignment list [3] includes users in another domain since the project is in another domain.

>From horizon's debug log, here is an example of user list:
{"users": [{"email": "juju@localhost", "id": "8cd8f92ac2f94149a91488ad66f02382", "name": "admin", "domain_id": "103a4eb1712f4eb9873240d5a7f66599", "enabled": true, "password_expires_at": null, "options": {}, "links": {"self": "https://192.168.1.59:5000/v3/users/8cd8f92ac2f94149a91488ad66f02382"}}], "links": {"next": null, "self": "https://192.168.1.59:5000/v3/users";, "previous": null}}

Here is an example of role assignment list:
{"role_assignments": [{"links": {"assignment": "https://192.168.1.59:5000/v3/projects/82e250e8492b49a1a05467994d33ea1b/users/a70745ed9ac047ad88b917f24df3c873/roles/f606fafcb4fd47018aeffec2b07b7e84"}, "scope": {"project": {"id": "82e250e8492b49a1a05467994d33ea1b"}}, "user": {"id": "a70745ed9ac047ad88b917f24df3c873"}, "role": {"id": "f606fafcb4fd47018aeffec2b07b7e84"}}, {"links": {"assignment": "https://192.168.1.59:5000/v3/projects/82e250e8492b49a1a05467994d33ea1b/users/fd7a79e2a4044c17873c08daa9ed37a1/roles/b936a9d998be4500900a5a9174b16b42"}, "scope": {"project": {"id": "82e250e8492b49a1a05467994d33ea1b"}}, "user": {"id": "fd7a79e2a4044c17873c08daa9ed37a1"}, "role": {"id": "b936a9d998be4500900a5a9174b16b42"}}], "links": {"next": null, "self": "https://192.168.1.59:5000/v3/role_assignments?scope.project.id=82e250e8492b49a1a05467994d33ea1b&include_subtree=True";, "previous": null}}

Then later in the horizon function, it tries to get user details from user list for users in role assignment list [4], and fails,
because users in role assignment list don't exist in user list.

Horizon throws an error like:
[Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid 140254008985152] [remote 10.5.3.120:58978] Recoverable error: 'e900b8934d11458b8eb9db21671c1b11'

This id is the id of a user, which is used as a key to find a user in the user list.
But user list doesn't have this id, so it fails.

[1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L85
[2] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L96
[3] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L100
[4] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L108

** Affects: horizon
     Importance: Undecided
         Status: New

** Description changed:

  We are not able to see the list of users assigned to a project in Horizon.
  Scenario:
  - Log in as Cloud Admin
  - Set Domain Context (k8s)
  - Go to projects section
  - Click on project Permissions_Roles_Test
  - Go to Users
  
  Expectation: Get a table with the users assigned to this project.
- Result: Get an error (see attached image).
+ Result: Get an error - https://i.imgur.com/TminwUy.png
  
- Test steps:
+ 
+ [Test steps]
  
  1, Create an ordinary openstack test env with horizon.
  
  2, Prepared some test data (eg: one domain k8s, one project k8s, and one
  user k8s-admain with the role k8s-admin-role)
  
  openstack domain create k8s
  openstack role create k8s-admin-role
  openstack project create --domain k8s k8s
  openstack user create --project-domain k8s --project k8s --domain k8s --password password k8s-admin
  openstack role add --user k8s-admin --user-domain k8s --project k8s --project-domain k8s k8s-admin-role
  $ openstack role assignment list --project k8s --names
  +----------------+---------------+-------+---------+--------+--------+-----------+
  | Role           | User          | Group | Project | Domain | System | Inherited |
  +----------------+---------------+-------+---------+--------+--------+-----------+
  | k8s-admin-role | k8s-admin@k8s |       | k8s@k8s |        |        | False     |
  +----------------+---------------+-------+---------+--------+--------+-----------+
  
  3, Log in horizon dashboard with admin user(eg:
  admin/openstack/admin_domain).
  
  4, Click 'Identity -> Domains' to set domain context to the domain
  'k8s'.
  
  5, Click 'Identity -> Project -> k8s project -> Users'.
  
  6, This is the result, it said 'Unable to disaply the users of this
  project' - https://i.imgur.com/TminwUy.png
  
  7, These are some logs
  
  ==> /var/log/apache2/error.log <==
  [Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid 140254008985152] [remote 10.5.3.120:58978] Recoverable error: 'e900b8934d11458b8eb9db21671c1b11'
  ==> /var/log/apache2/ssl_access.log <==
  10.5.3.120 - - [23/Feb/2024:10:03:11 +0000] "GET /identity/07123041ee0544e0ab32e50dde780afd/detail/?tab=project_details__users HTTP/1.1" 200 1125 "https://10.5.3.120/identity/07123041ee0544e0ab32e50dde780afd/detail/"; "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
  
- Some Analyses
+ 
+ [Some Analyses]
  
  This action will call this function in horizon [1].
  This function will firstly get a list of users (api.keystone.user_list) [2], then role assignment list (api.keystone.get_project_users_roles) [3].
  Without setting domain context, this works fine.
  However, if setting domain context, the project displayed is in a different domain.
  The user list from [2] only contains users of the user's own domain, while the role assignment list [3] includes users in another domain since the project is in another domain.
  
  From horizon's debug log, here is an example of user list:
  {"users": [{"email": "juju@localhost", "id": "8cd8f92ac2f94149a91488ad66f02382", "name": "admin", "domain_id": "103a4eb1712f4eb9873240d5a7f66599", "enabled": true, "password_expires_at": null, "options": {}, "links": {"self": "https://192.168.1.59:5000/v3/users/8cd8f92ac2f94149a91488ad66f02382"}}], "links": {"next": null, "self": "https://192.168.1.59:5000/v3/users";, "previous": null}}
  
  Here is an example of role assignment list:
  {"role_assignments": [{"links": {"assignment": "https://192.168.1.59:5000/v3/projects/82e250e8492b49a1a05467994d33ea1b/users/a70745ed9ac047ad88b917f24df3c873/roles/f606fafcb4fd47018aeffec2b07b7e84"}, "scope": {"project": {"id": "82e250e8492b49a1a05467994d33ea1b"}}, "user": {"id": "a70745ed9ac047ad88b917f24df3c873"}, "role": {"id": "f606fafcb4fd47018aeffec2b07b7e84"}}, {"links": {"assignment": "https://192.168.1.59:5000/v3/projects/82e250e8492b49a1a05467994d33ea1b/users/fd7a79e2a4044c17873c08daa9ed37a1/roles/b936a9d998be4500900a5a9174b16b42"}, "scope": {"project": {"id": "82e250e8492b49a1a05467994d33ea1b"}}, "user": {"id": "fd7a79e2a4044c17873c08daa9ed37a1"}, "role": {"id": "b936a9d998be4500900a5a9174b16b42"}}], "links": {"next": null, "self": "https://192.168.1.59:5000/v3/role_assignments?scope.project.id=82e250e8492b49a1a05467994d33ea1b&include_subtree=True";, "previous": null}}
  
  Then later in the horizon function, it tries to get user details from user list for users in role assignment list [4], and fails,
  because users in role assignment list don't exist in user list.
  
  Horizon throws an error like:
  [Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid 140254008985152] [remote 10.5.3.120:58978] Recoverable error: 'e900b8934d11458b8eb9db21671c1b11'
  
  This id is the id of a user, which is used as a key to find a user in the user list.
  But user list doesn't have this id, so it fails.
  
  [1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L85
  [2] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L96
  [3] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L100
  [4] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L108

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/2054799

Title:
  Issue with Project administration at Cloud Admin level

Status in OpenStack Dashboard (Horizon):
  New

Bug description:
  We are not able to see the list of users assigned to a project in Horizon.
  Scenario:
  - Log in as Cloud Admin
  - Set Domain Context (k8s)
  - Go to projects section
  - Click on project Permissions_Roles_Test
  - Go to Users

  Expectation: Get a table with the users assigned to this project.
  Result: Get an error - https://i.imgur.com/TminwUy.png

  
  [Test steps]

  1, Create an ordinary openstack test env with horizon.

  2, Prepared some test data (eg: one domain k8s, one project k8s, and
  one user k8s-admain with the role k8s-admin-role)

  openstack domain create k8s
  openstack role create k8s-admin-role
  openstack project create --domain k8s k8s
  openstack user create --project-domain k8s --project k8s --domain k8s --password password k8s-admin
  openstack role add --user k8s-admin --user-domain k8s --project k8s --project-domain k8s k8s-admin-role
  $ openstack role assignment list --project k8s --names
  +----------------+---------------+-------+---------+--------+--------+-----------+
  | Role           | User          | Group | Project | Domain | System | Inherited |
  +----------------+---------------+-------+---------+--------+--------+-----------+
  | k8s-admin-role | k8s-admin@k8s |       | k8s@k8s |        |        | False     |
  +----------------+---------------+-------+---------+--------+--------+-----------+

  3, Log in horizon dashboard with admin user(eg:
  admin/openstack/admin_domain).

  4, Click 'Identity -> Domains' to set domain context to the domain
  'k8s'.

  5, Click 'Identity -> Project -> k8s project -> Users'.

  6, This is the result, it said 'Unable to disaply the users of this
  project' - https://i.imgur.com/TminwUy.png

  7, These are some logs

  ==> /var/log/apache2/error.log <==
  [Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid 140254008985152] [remote 10.5.3.120:58978] Recoverable error: 'e900b8934d11458b8eb9db21671c1b11'
  ==> /var/log/apache2/ssl_access.log <==
  10.5.3.120 - - [23/Feb/2024:10:03:11 +0000] "GET /identity/07123041ee0544e0ab32e50dde780afd/detail/?tab=project_details__users HTTP/1.1" 200 1125 "https://10.5.3.120/identity/07123041ee0544e0ab32e50dde780afd/detail/"; "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"

  
  [Some Analyses]

  This action will call this function in horizon [1].
  This function will firstly get a list of users (api.keystone.user_list) [2], then role assignment list (api.keystone.get_project_users_roles) [3].
  Without setting domain context, this works fine.
  However, if setting domain context, the project displayed is in a different domain.
  The user list from [2] only contains users of the user's own domain, while the role assignment list [3] includes users in another domain since the project is in another domain.

  From horizon's debug log, here is an example of user list:
  {"users": [{"email": "juju@localhost", "id": "8cd8f92ac2f94149a91488ad66f02382", "name": "admin", "domain_id": "103a4eb1712f4eb9873240d5a7f66599", "enabled": true, "password_expires_at": null, "options": {}, "links": {"self": "https://192.168.1.59:5000/v3/users/8cd8f92ac2f94149a91488ad66f02382"}}], "links": {"next": null, "self": "https://192.168.1.59:5000/v3/users";, "previous": null}}

  Here is an example of role assignment list:
  {"role_assignments": [{"links": {"assignment": "https://192.168.1.59:5000/v3/projects/82e250e8492b49a1a05467994d33ea1b/users/a70745ed9ac047ad88b917f24df3c873/roles/f606fafcb4fd47018aeffec2b07b7e84"}, "scope": {"project": {"id": "82e250e8492b49a1a05467994d33ea1b"}}, "user": {"id": "a70745ed9ac047ad88b917f24df3c873"}, "role": {"id": "f606fafcb4fd47018aeffec2b07b7e84"}}, {"links": {"assignment": "https://192.168.1.59:5000/v3/projects/82e250e8492b49a1a05467994d33ea1b/users/fd7a79e2a4044c17873c08daa9ed37a1/roles/b936a9d998be4500900a5a9174b16b42"}, "scope": {"project": {"id": "82e250e8492b49a1a05467994d33ea1b"}}, "user": {"id": "fd7a79e2a4044c17873c08daa9ed37a1"}, "role": {"id": "b936a9d998be4500900a5a9174b16b42"}}], "links": {"next": null, "self": "https://192.168.1.59:5000/v3/role_assignments?scope.project.id=82e250e8492b49a1a05467994d33ea1b&include_subtree=True";, "previous": null}}

  Then later in the horizon function, it tries to get user details from user list for users in role assignment list [4], and fails,
  because users in role assignment list don't exist in user list.

  Horizon throws an error like:
  [Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid 140254008985152] [remote 10.5.3.120:58978] Recoverable error: 'e900b8934d11458b8eb9db21671c1b11'

  This id is the id of a user, which is used as a key to find a user in the user list.
  But user list doesn't have this id, so it fails.

  [1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L85
  [2] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L96
  [3] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L100
  [4] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L108

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/2054799/+subscriptions



Follow ups