← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 2054799] Re: [SRU] Issue with Project administration at Cloud Admin level

 

This bug was fixed in the package horizon - 4:23.3.0-0ubuntu1.2

---------------
horizon (4:23.3.0-0ubuntu1.2) mantic; urgency=medium

  [ Rodrigo Barbieri ]
  * d/p/lp1728031.patch: Fix admin unable to reset user's password.
    (LP: #1728031)
  * d/p/lp2055409.patch: apply config OPENSTACK_INSTANCE_RETRIEVE_IP_ADDRESSES
    to the instance details page (LP: #2055409)

  [ Zhang Hua ]
  * d/p/lp2054799.patch: Fix Users/Groups tab list when a domain
    context is set. (LP: #2054799)

 -- Mauricio Faria de Oliveira <mfo@xxxxxxxxxxxxx>  Wed, 05 Jun 2024
11:18:36 -0300

** Changed in: horizon (Ubuntu Mantic)
       Status: Fix Committed => Fix Released

** Changed in: horizon (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/2054799

Title:
  [SRU] Issue with Project administration at Cloud Admin level

Status in Ubuntu Cloud Archive:
  New
Status in Ubuntu Cloud Archive antelope series:
  New
Status in Ubuntu Cloud Archive bobcat series:
  New
Status in Ubuntu Cloud Archive caracal series:
  New
Status in Ubuntu Cloud Archive yoga series:
  New
Status in Ubuntu Cloud Archive zed series:
  New
Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in horizon package in Ubuntu:
  Fix Released
Status in horizon source package in Jammy:
  Fix Released
Status in horizon source package in Mantic:
  Fix Released
Status in horizon source package in Noble:
  Fix Released
Status in horizon source package in Oracular:
  Fix Released

Bug description:
  [Impact]

  We are not able to see the list of users and groups assigned to a
  project in Horizon.

  [Test Case]

  Please refer to [Test steps] section below.

  [Regression Potential]

  The fix ed768ab is already in the upstream main, stable/2024.1,
  stable/2023.2 branches, so it is a clean backport and might be helpful
  for deployments using dashboard.

  Regressions would likely manifest in the users/groups tabs when
  listing users.

  [Others]

  Original Bug Description Below
  ===========

  We are not able to see the list of users assigned to a project in Horizon.
  Scenario:
  - Log in as Cloud Admin
  - Set Domain Context (k8s)
  - Go to projects section
  - Click on project Permissions_Roles_Test
  - Go to Users

  Expectation: Get a table with the users assigned to this project.
  Result: Get an error - https://i.imgur.com/TminwUy.png [attached]

  [Test steps]

  1, Create an ordinary openstack test env with horizon.

  2, Prepared some test data (eg: one domain k8s, one project k8s, and
  one user k8s-admain with the role k8s-admin-role)

  openstack domain create k8s
  openstack role create k8s-admin-role
  openstack project create --domain k8s k8s
  openstack user create --project-domain k8s --project k8s --domain k8s --password password k8s-admin
  openstack role add --user k8s-admin --user-domain k8s --project k8s --project-domain k8s k8s-admin-role
  $ openstack role assignment list --project k8s --names
  +----------------+---------------+-------+---------+--------+--------+-----------+
  | Role           | User          | Group | Project | Domain | System | Inherited |
  +----------------+---------------+-------+---------+--------+--------+-----------+
  | k8s-admin-role | k8s-admin@k8s |       | k8s@k8s |        |        | False     |
  +----------------+---------------+-------+---------+--------+--------+-----------+

  3, Log in horizon dashboard with admin user(eg:
  admin/openstack/admin_domain).

  4, Click 'Identity -> Domains' to set domain context to the domain
  'k8s'.

  5, Click 'Identity -> Project -> k8s project -> Users'.

  6, This is the result, it said 'Unable to disaply the users of this
  project' - https://i.imgur.com/TminwUy.png

  7, These are some logs

  ==> /var/log/apache2/error.log <==
  [Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid 140254008985152] [remote 10.5.3.120:58978] Recoverable error: 'e900b8934d11458b8eb9db21671c1b11'
  ==> /var/log/apache2/ssl_access.log <==
  10.5.3.120 - - [23/Feb/2024:10:03:11 +0000] "GET /identity/07123041ee0544e0ab32e50dde780afd/detail/?tab=project_details__users HTTP/1.1" 200 1125 "https://10.5.3.120/identity/07123041ee0544e0ab32e50dde780afd/detail/"; "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"

  [Some Analyses]

  This action will call this function in horizon [1].
  This function will firstly get a list of users (api.keystone.user_list) [2], then role assignment list (api.keystone.get_project_users_roles) [3].
  Without setting domain context, this works fine.
  However, if setting domain context, the project displayed is in a different domain.
  The user list from [2] only contains users of the user's own domain, while the role assignment list [3] includes users in another domain since the project is in another domain.

  From horizon's debug log, here is an example of user list:
  {"users": [{"email": "juju@localhost", "id": "8cd8f92ac2f94149a91488ad66f02382", "name": "admin", "domain_id": "103a4eb1712f4eb9873240d5a7f66599", "enabled": true, "password_expires_at": null, "options": {}, "links": {"self": "https://192.168.1.59:5000/v3/users/8cd8f92ac2f94149a91488ad66f02382"}}], "links": {"next": null, "self": "https://192.168.1.59:5000/v3/users";, "previous": null}}

  Here is an example of role assignment list:
  {"role_assignments": [{"links": {"assignment": "https://192.168.1.59:5000/v3/projects/82e250e8492b49a1a05467994d33ea1b/users/a70745ed9ac047ad88b917f24df3c873/roles/f606fafcb4fd47018aeffec2b07b7e84"}, "scope": {"project": {"id": "82e250e8492b49a1a05467994d33ea1b"}}, "user": {"id": "a70745ed9ac047ad88b917f24df3c873"}, "role": {"id": "f606fafcb4fd47018aeffec2b07b7e84"}}, {"links": {"assignment": "https://192.168.1.59:5000/v3/projects/82e250e8492b49a1a05467994d33ea1b/users/fd7a79e2a4044c17873c08daa9ed37a1/roles/b936a9d998be4500900a5a9174b16b42"}, "scope": {"project": {"id": "82e250e8492b49a1a05467994d33ea1b"}}, "user": {"id": "fd7a79e2a4044c17873c08daa9ed37a1"}, "role": {"id": "b936a9d998be4500900a5a9174b16b42"}}], "links": {"next": null, "self": "https://192.168.1.59:5000/v3/role_assignments?scope.project.id=82e250e8492b49a1a05467994d33ea1b&include_subtree=True";, "previous": null}}

  Then later in the horizon function, it tries to get user details from user list for users in role assignment list [4], and fails,
  because users in role assignment list don't exist in user list.

  Horizon throws an error like:
  [Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid 140254008985152] [remote 10.5.3.120:58978] Recoverable error: 'e900b8934d11458b8eb9db21671c1b11'

  This id is the id of a user, which is used as a key to find a user in the user list.
  But user list doesn't have this id, so it fails.

  [1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L85
  [2] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L96
  [3] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L100
  [4] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L108

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2054799/+subscriptions



References