Horizon forbids user access to identity users/groups with OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT=True

Bug #1494261 reported by Paul Karikh
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
Mirantis OpenStack | Invalid | High | Paul Karikh |
7.0.x | Won't Fix | High | MOS Horizon |
8.0.x | Invalid | High | Paul Karikh |

Bug Description

When Horizon is set up with OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True, the user will not be able to access identity/users and identity/groups, failing with an Unauthorized error, which in turn makes Horizon log the user out.

Horizon fills domain name before sending request to Keystone the following way:
domain_context = self.request.session.get('domain_context', None)

But there is no domain_context variable in the session, so it will be set to None. And domain=None will be sent to Keystone by the line

users = api.keystone.user_list(self.request, domain=domain_context)

which is present in all identity dashboard views (users, projects, groups, domains and NOT roles).
For example: https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/users/views.py#L50

It looks like if we change the code to
users = api.keystone.user_list(self.request, domain=self.request.user.user_domain_name)
everything will be ok.

It is strange that identity/users does not work without the correct domain while identity/projects does, because they both send requests to Keystone without a correctly set domain.
And it looks like this problem only occurs with Keystone v3 (there are no domains in Keystone v2, so no domain - no problems).

/var/log/horizon/horizon.log has the following traces:

2015-09-10 09:38:38,139 31643 INFO openstack_auth.forms Login successful for user "admin".
2015-09-10 09:38:38,369 31642 ERROR horizon.exceptions Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-cb648ef6-94a5-4382-9a8b-3826bd9a81c9)
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/identity/users/views.py", line 55, in get_data
    domain=domain_context)
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/api/keystone.py", line 310, in user_list
    users = keystoneclient(request, admin=True).users.list(**kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/v3/users.py", line 108, in list
    **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/base.py", line 73, in func
    return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/base.py", line 361, in list
    self.collection_key)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/base.py", line 113, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 170, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 206, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 95, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/utils.py", line 318, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 397, in request
    raise exceptions.from_response(resp, method, url)

Versions:
MOS 7.0
django-openstack-auth==1.2.0
python-keystoneclient==1.3.1
"build_id": "2015-08-30_09-35-52", "build_number": "256",

Upstream bug: https://bugs.launchpad.net/django-openstack-auth/+bug/1338986
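
A triage helper for the log pattern in this report, added here as an example (not Horizon or Mirantis code): it scans horizon.log text for HTTP 401 errors whose traceback passes through an identity panel view and reports the panel, the Request-ID and the delay since the last successful login. The function name, the output fields and the second log record are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the first record is abridged from the trace in the report
# above; the second (admin dashboard, all-zero request ID) is made up as a non-match.
SAMPLE_LOG = '''\
2015-09-10 09:38:38,139 31643 INFO openstack_auth.forms Login successful for user "admin".
2015-09-10 09:38:38,369 31642 ERROR horizon.exceptions Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-cb648ef6-94a5-4382-9a8b-3826bd9a81c9)
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/identity/users/views.py", line 55, in get_data
    domain=domain_context)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 397, in request
    raise exceptions.from_response(resp, method, url)
2015-09-10 09:40:02,511 31642 ERROR horizon.exceptions Unauthorized: constructed entry (HTTP 401) (Request-ID: req-00000000-0000-0000-0000-000000000000)
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/instances/views.py", line 1, in get_data
'''

RECORD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\d+) (\w+) (\S+) (.*)$")
FRAME = re.compile(r'^\s+File "(.+?)", line (\d+), in (\S+)')
PANEL = re.compile(r"openstack_dashboard/dashboards/identity/([^/]+)/")
REQUEST_ID = re.compile(r"Request-ID: (req-[0-9a-f-]+)")


def find_identity_401s(text):
    """Report each HTTP 401 raised from an identity panel view, with the delay since login."""
    findings, last_login, current = [], None, None
    for line in text.splitlines():
        rec = RECORD.match(line)
        if rec:
            stamp = datetime.strptime(rec.group(1), "%Y-%m-%d %H:%M:%S,%f")
            level, message = rec.group(3), rec.group(5)
            current = None  # traceback frames are only tracked for an ERROR 401 record
            if message.startswith("Login successful"):
                last_login = stamp
            elif level == "ERROR" and "(HTTP 401)" in message:
                rid = REQUEST_ID.search(message)
                current = {"request_id": rid.group(1) if rid else None, "panel": None,
                           "ms_after_login": (stamp - last_login) // timedelta(milliseconds=1)
                           if last_login else None}
            continue
        frame = FRAME.match(line)
        panel = PANEL.search(frame.group(1)) if frame and current else None
        if panel and current["panel"] is None:
            current.update(panel=panel.group(1), line=int(frame.group(2)), function=frame.group(3))
            findings.append(current)
    return findings
```

Calling `find_identity_401s(open("/var/log/horizon/horizon.log").read())` on a controller gives one dictionary per matching error; a 401 from an identity panel a fraction of a second after login is the symptom described in this report.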

Tags: horizon
Paul Karikh (pkarikh)
tags: added: horizon
description: updated
Vitaly Sedelnik (vsedelnik) wrote :

Medium, as it's not clear if this issue blocks some functionality; otherwise it should be raised to High.

Changed in mos:
assignee: nobody → MOS Keystone (mos-keystone)
milestone: none → 8.0
status: New → Confirmed
importance: Undecided → Medium
Paul Karikh (pkarikh) wrote :

Looks like the root of the problem is not LDAP and 10K users.
Horizon fills domain name before sending request to Keystone the following way:
domain_context = self.request.session.get('domain_context', None)

But there is no domain_context variable in the session, so it will be set to None. And domain=None will be sent to Keystone by the line

users = api.keystone.user_list(self.request, domain=domain_context)

which is present in all identity dashboard views (users, projects, groups, domains and NOT roles).
For example: https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/users/views.py#L50

It looks like if we change the code to
users = api.keystone.user_list(self.request, domain=self.request.user.user_domain_name)
everything will be ok.

It is strange that identity/users does not work without the correct domain while identity/projects does, because they both send requests to Keystone without a correctly set domain.
And it looks like this problem only occurs with Keystone v3 (there are no domains in Keystone v2, so no domain - no problems).

Paul Karikh (pkarikh)
summary: - Horizon forbids user access to identity users when LDAP has >10K users
+ Horizon forbids user access to identity users/groups with keystone v3
description: updated
Paul Karikh (pkarikh)
description: updated
summary: - Horizon forbids user access to identity users/groups with keystone v3
+ Horizon forbids user access to identity users/groups with
+ OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT
summary: Horizon forbids user access to identity users/groups with
- OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT
+ OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT=True
Paul Karikh (pkarikh)
description: updated
Timur Sufiev (tsufiev-x)
description: updated
Timur Sufiev (tsufiev-x) wrote :

Tried to reproduce the bug on:
* MOS 7.0 release environment + local Horizon from master
* MOS 7.0 release environment + local Horizon from MOS 7.0 branch

Failed both times - even with domain_context equal to None all kinds of Keystone entities are fetched w/o errors (once I open Keystone admin interface in haproxy configs on controller node). Setting to Incomplete until further results.

Roman Podoliaka (rpodolyaka) wrote :

1 month without updates, closing as Invalid

Andrey Grebennikov (agrebennikov) wrote :

Right now I have the environment with MOS 7.0 which shows same behaviour. Additional domain contains just 10 users.

Roman Podoliaka (rpodolyaka) wrote :

MOS Horizon, could you please work together with Andrey on this?

Alexey Stupnikov (astupnikov) wrote :

We no longer support MOS5.1, MOS6.0, MOS6.1
We deliver only Critical/Security fixes to MOS7.0, MOS8.0.
We deliver only High/Critical/Security fixes to MOS9.2.
