yahoo-eng-team team mailing list archive
Message #94025
[Bug 2067075] [NEW] Horizon Identity Domain Panel is broken in Caracal+
Public bug reported:
Starting with the Caracal release, the Identity Domains panel is broken, as it
only ever lists the domain that the user belongs to.
Devstack/Master, logged in as admin (devstack-admin creds in
/etc/openstack/clouds.yaml).
With default Horizon settings, I only ever see the Default domain, even if I
manually create some more. And I do not have an option to create domains
from the UI either. This is because AFAIU the ability to create domains is
tied to OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT (False by default), which
is waaay legacy IMO. This option is quite overloaded in Horizon code,
but that's a different question.
When I enable OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT in my
local_settings.py, I can create domains from the UI, but I still cannot see
any domain other than the domain of the user.
I tracked it to this piece of code that replaces the scope with the domain one for admins
https://opendev.org/openstack/horizon/src/branch/stable/2024.1/openstack_dashboard/api/keystone.py#L153-L163,
plus a recent change in Keystone https://review.opendev.org/c/openstack/keystone/+/900028 that started forcing domain tokens to only be able to list their own domains.
** Affects: horizon
Importance: Undecided
Status: New
** Summary changed:
- Horizon Identity Domain Panel is broken with new Keystone policies
+ Horizon Identity Domain Panel is broken in Caracal+
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/2067075
Title:
Horizon Identity Domain Panel is broken in Caracal+
Status in OpenStack Dashboard (Horizon):
New