Public bug reported:
When Horizon is setted up with OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT =
True, user will not be to access identity/users and identity/groups with
Unauthorized error, which in turn makes Horizon logout user.
Horizon fills domain name before sending request to Keystone the following way:
domain_context = self.request.session.get('domain_context', None)
But there is no `domain_context variable` in the session, so will be set
to None. And domain=None will be send to the keystone with line
users = api.keystone.user_list(self.request, domain=domain_context)
which is present in all identity dashboard views (users, projects, groups,
domains and NOT roles).
For example:
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/users/views.py#L50
It look like if we change the code to
users =
api.keystone.user_list(self.request,domain=self.request.user.user_domain_name)
everything will be ok.
It is strange that identity/users does not work without correct domain, and
identity/progects do, because they both send request to keystone without
correctly setted domain.
And it looks like this problem only occurs with keystone v3 (there is no
domains in the v2 keystone, so no domain - no problems).
After pushing "SetDomainContext" button in the identity/domains,
everything works fine.
** Affects: horizon
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1495472
Title:
Horizon forbids user access to identity users/groups with
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT=True
Status in OpenStack Dashboard (Horizon):
New
Bug description:
When Horizon is setted up with OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT
= True, user will not be to access identity/users and identity/groups
with Unauthorized error, which in turn makes Horizon logout user.
Horizon fills domain name before sending request to Keystone the following
way:
domain_context = self.request.session.get('domain_context', None)
But there is no `domain_context variable` in the session, so will be
set to None. And domain=None will be send to the keystone with line
users = api.keystone.user_list(self.request, domain=domain_context)
which is present in all identity dashboard views (users, projects, groups,
domains and NOT roles).
For example:
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/users/views.py#L50
It look like if we change the code to
users =
api.keystone.user_list(self.request,domain=self.request.user.user_domain_name)
everything will be ok.
It is strange that identity/users does not work without correct domain, and
identity/progects do, because they both send request to keystone without
correctly setted domain.
And it looks like this problem only occurs with keystone v3 (there is no
domains in the v2 keystone, so no domain - no problems).
After pushing "SetDomainContext" button in the identity/domains,
everything works fine.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1495472/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
