[horizon] Stein, multi-domain, admin, can't list users, projects (maybe networks) (bug#1830782)
Alex Kavanagh
alex.kavanagh at canonical.com
Thu Aug 1 11:49:30 UTC 2019
Hi

I'm trying to resolve/solve the issue that is described in bug 183072 [1],
and I'm looking for help in how it might be resolved. To recap the bug
quickly:

1. horizon, multi-domain enabled.
2. 'admin' user is in 'admin_domain' and 'admin' project
3. Log in as that 'admin' user in 'admin_domain'.
4. Create test domain.
5. Set domain context to 'test' domain
6. Create a user in the 'test' domain.
7. Can't see that user in the user list.
8. Do same for project; can't see the project.

In the bug comments at [2] (comment 38) I've recorded the results after
adding some debug code to keystone and horizon and came to the following
tentative conclusion:

1. Horizon uses a domain scoped token for listing users when the domain
   context is set. In this case that token is domain-scoped to 'admin_domain'
2. Keystone at the stein release, due to a change introduced in [3] for
   the users (detail in [4]) filters users that are not in the domain of the
   domain scoped token.
3. Thus, the domains for the 'test' domain are filtered out and are not
   seen in the horizon dashboard.
4. I believe this is the same for projects.

In order to solve this, I suspect one or more of the following would need
to be done. However, I'm not familiar enough with the horizon codebase to
know where to start.

1. In horizon, if the user is an admin user, then don't use a
   domain-scoped token for listing users, projects, or anything else.
2. Alternatively, obtain a domain scoped token for the domain context
   that is set. (I'm not familiar enough with keystone to know whether it's
   possible for the admin user to get 'any' domain scoped token for any
   domain???)

Incidentally, the openstack CLI doesn't use domain scoped tokens for list
users in a domain; I don't know whether this is an appropriate approach to
take in horizon.

Thanks very much in advance. Happy to chat on IRC if that's useful (I'm
UTC TZ).

Best regards
Alex.

[1] https://bugs.launchpad.net/openstack-bundles/+bug/1830782
[2] https://bugs.launchpad.net/openstack-bundles/+bug/1830782/comments/38
[3] https://review.opendev.org/#/c/647587/
[4] https://review.opendev.org/#/c/647587/3/keystone/api/users.py
--
Alex Kavanagh - Software Engineer
OpenStack Engineering - Data Centre Development - Canonical Ltd
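
The scoping behaviour described in the message above, as an added example that is not part of the original post and is not Keystone or Horizon code. The `scope` bodies follow the Keystone v3 `POST /v3/auth/tokens` request format; the filter in `list_users`, the user `testuser` and the placeholder password are assumptions made for illustration, and the second scenario assumes the admin user holds a role on the 'test' domain.

```python
# Constructed sample directory: one user per domain, as in the reproduction steps.
USERS = [
    {"name": "admin", "domain": "admin_domain"},
    {"name": "testuser", "domain": "test"},
]


def auth_request(scope):
    """Body for Keystone v3 POST /v3/auth/tokens; `scope` selects the token type."""
    user = {"name": "admin", "domain": {"name": "admin_domain"},
            "password": "PLACEHOLDER"}  # placeholder credential
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": user}},
        "scope": scope,
    }}


def domain_scope(name):
    return {"domain": {"name": name}}


def project_scope(project, project_domain):
    return {"project": {"name": project, "domain": {"name": project_domain}}}


def list_users(request, domain_filter=None):
    """Assumed model of the filtering described in the message (not Keystone
    code): a domain-scoped token pins the result to the token's own domain."""
    scope = request["auth"]["scope"]
    users = [u for u in USERS if domain_filter in (None, u["domain"])]
    if "domain" in scope:
        token_domain = scope["domain"]["name"]
        users = [u for u in users if u["domain"] == token_domain]
    return [u["name"] for u in users]


def scenarios(context="test"):
    """Users visible with the dashboard domain context set to `context`."""
    tokens = {
        "domain-scoped to admin_domain": domain_scope("admin_domain"),
        "domain-scoped to context domain": domain_scope(context),
        "project-scoped (admin project)": project_scope("admin", "admin_domain"),
    }
    return {label: list_users(auth_request(scope), context)
            for label, scope in tokens.items()}


if __name__ == "__main__":
    for label, names in scenarios().items():
        print(f"{label:34} -> {names}")
```

The first scenario reproduces the empty user list from the bug; the other two correspond to the two remedies proposed in the message.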