yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #93913
[Bug 2054799] Re: [SRU] Issue with Project administration at Cloud Admin level
** Also affects: horizon (Ubuntu)
Importance: Undecided
Status: New
** Also affects: horizon (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: horizon (Ubuntu Jammy)
Importance: Undecided
Status: New
** Also affects: horizon (Ubuntu Mantic)
Importance: Undecided
Status: New
** Also affects: cloud-archive/bobcat
Importance: Undecided
Status: New
** Also affects: cloud-archive/zed
Importance: Undecided
Status: New
** Also affects: cloud-archive/antelope
Importance: Undecided
Status: New
** Also affects: cloud-archive/caracal
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/2054799
Title:
[SRU] Issue with Project administration at Cloud Admin level
Status in Ubuntu Cloud Archive:
New
Status in Ubuntu Cloud Archive antelope series:
New
Status in Ubuntu Cloud Archive bobcat series:
New
Status in Ubuntu Cloud Archive caracal series:
New
Status in Ubuntu Cloud Archive yoga series:
New
Status in Ubuntu Cloud Archive zed series:
New
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in horizon package in Ubuntu:
New
Status in horizon source package in Jammy:
New
Status in horizon source package in Mantic:
New
Status in horizon source package in Noble:
New
Bug description:
[Impact]
We are not able to see the list of users and groups assigned to a
project in Horizon.
[Test Case]
Please refer to [Test steps] section below.
[Regression Potential]
The fix ed768ab is already in the upstream main, stable/2024.1,
stable/2023.2 branches, so it is a clean backport and might be helpful
for deployments using dashboard.
[Others]
Original Bug Description Below
===========
We are not able to see the list of users assigned to a project in Horizon.
Scenario:
- Log in as Cloud Admin
- Set Domain Context (k8s)
- Go to projects section
- Click on project Permissions_Roles_Test
- Go to Users
Expectation: Get a table with the users assigned to this project.
Result: Get an error - https://i.imgur.com/TminwUy.png
[Test steps]
1, Create an ordinary openstack test env with horizon.
2, Prepared some test data (eg: one domain k8s, one project k8s, and
one user k8s-admain with the role k8s-admin-role)
openstack domain create k8s
openstack role create k8s-admin-role
openstack project create --domain k8s k8s
openstack user create --project-domain k8s --project k8s --domain k8s --password password k8s-admin
openstack role add --user k8s-admin --user-domain k8s --project k8s --project-domain k8s k8s-admin-role
$ openstack role assignment list --project k8s --names
+----------------+---------------+-------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+----------------+---------------+-------+---------+--------+--------+-----------+
| k8s-admin-role | k8s-admin@k8s | | k8s@k8s | | | False |
+----------------+---------------+-------+---------+--------+--------+-----------+
3, Log in horizon dashboard with admin user(eg:
admin/openstack/admin_domain).
4, Click 'Identity -> Domains' to set domain context to the domain
'k8s'.
5, Click 'Identity -> Project -> k8s project -> Users'.
6, This is the result, it said 'Unable to disaply the users of this
project' - https://i.imgur.com/TminwUy.png
7, These are some logs
==> /var/log/apache2/error.log <==
[Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid 140254008985152] [remote 10.5.3.120:58978] Recoverable error: 'e900b8934d11458b8eb9db21671c1b11'
==> /var/log/apache2/ssl_access.log <==
10.5.3.120 - - [23/Feb/2024:10:03:11 +0000] "GET /identity/07123041ee0544e0ab32e50dde780afd/detail/?tab=project_details__users HTTP/1.1" 200 1125 "https://10.5.3.120/identity/07123041ee0544e0ab32e50dde780afd/detail/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
[Some Analyses]
This action will call this function in horizon [1].
This function will firstly get a list of users (api.keystone.user_list) [2], then role assignment list (api.keystone.get_project_users_roles) [3].
Without setting domain context, this works fine.
However, if setting domain context, the project displayed is in a different domain.
The user list from [2] only contains users of the user's own domain, while the role assignment list [3] includes users in another domain since the project is in another domain.
From horizon's debug log, here is an example of user list:
{"users": [{"email": "juju@localhost", "id": "8cd8f92ac2f94149a91488ad66f02382", "name": "admin", "domain_id": "103a4eb1712f4eb9873240d5a7f66599", "enabled": true, "password_expires_at": null, "options": {}, "links": {"self": "https://192.168.1.59:5000/v3/users/8cd8f92ac2f94149a91488ad66f02382"}}], "links": {"next": null, "self": "https://192.168.1.59:5000/v3/users", "previous": null}}
Here is an example of role assignment list:
{"role_assignments": [{"links": {"assignment": "https://192.168.1.59:5000/v3/projects/82e250e8492b49a1a05467994d33ea1b/users/a70745ed9ac047ad88b917f24df3c873/roles/f606fafcb4fd47018aeffec2b07b7e84"}, "scope": {"project": {"id": "82e250e8492b49a1a05467994d33ea1b"}}, "user": {"id": "a70745ed9ac047ad88b917f24df3c873"}, "role": {"id": "f606fafcb4fd47018aeffec2b07b7e84"}}, {"links": {"assignment": "https://192.168.1.59:5000/v3/projects/82e250e8492b49a1a05467994d33ea1b/users/fd7a79e2a4044c17873c08daa9ed37a1/roles/b936a9d998be4500900a5a9174b16b42"}, "scope": {"project": {"id": "82e250e8492b49a1a05467994d33ea1b"}}, "user": {"id": "fd7a79e2a4044c17873c08daa9ed37a1"}, "role": {"id": "b936a9d998be4500900a5a9174b16b42"}}], "links": {"next": null, "self": "https://192.168.1.59:5000/v3/role_assignments?scope.project.id=82e250e8492b49a1a05467994d33ea1b&include_subtree=True", "previous": null}}
Then later in the horizon function, it tries to get user details from user list for users in role assignment list [4], and fails,
because users in role assignment list don't exist in user list.
Horizon throws an error like:
[Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid 140254008985152] [remote 10.5.3.120:58978] Recoverable error: 'e900b8934d11458b8eb9db21671c1b11'
This id is the id of a user, which is used as a key to find a user in the user list.
But user list doesn't have this id, so it fails.
[1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L85
[2] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L96
[3] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L100
[4] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L108
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2054799/+subscriptions
References