Horizon forbids user access to identity users/groups with OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT=True
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mirantis OpenStack |
Invalid
|
High
|
Paul Karikh | ||
7.0.x |
Won't Fix
|
High
|
MOS Horizon | ||
8.0.x |
Invalid
|
High
|
Paul Karikh |
Bug Description
When Horizon is setted up with OPENSTACK_
Horizon fills domain name before sending request to Keystone the following way:
domain_context = self.request.
But there is no domain_context variable in the session, so will be set to None. And domain=None will be send to the keystone with line
users = api.keystone.
which is present in all identity dashboard views (users, projects, groups, domains and NOT roles).
For example: https:/
It look like if we change the code to
users = api.keystone.
It is strange that identity/users does not work without correct domain, and identity/progects do, because they both send request to keystone without correctly setted domain.
And it looks like this problem only occurs with keystone v3 (there is no domains in the v2 keystone, so no domain - no problems).
/var/log/
2015-09-10 09:38:38,139 31643 INFO openstack_
2015-09-10 09:38:38,369 31642 ERROR horizon.exceptions Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-cb648ef6-
Traceback (most recent call last):
File "/usr/share/
domain=
File "/usr/share/
users = keystoneclient(
File "/usr/lib/
return func(*args, **kwargs)
File "/usr/lib/
**kwargs)
File "/usr/lib/
return f(*args, **new_kwargs)
File "/usr/lib/
self.
File "/usr/lib/
resp, body = self.client.
File "/usr/lib/
return self.request(url, 'GET', **kwargs)
File "/usr/lib/
resp = super(LegacyJso
File "/usr/lib/
return self.session.
File "/usr/lib/
return func(*args, **kwargs)
File "/usr/lib/
raise exceptions.
Versions:
MOS 7.0
django-
python-
"build_id": "2015-08-
Upstream bug: https:/
tags: | added: horizon |
description: | updated |
summary: |
- Horizon forbids user access to identity users when LDAP has >10K users + Horizon forbids user access to identity users/groups with keystone v3 |
description: | updated |
description: | updated |
summary: |
- Horizon forbids user access to identity users/groups with keystone v3 + Horizon forbids user access to identity users/groups with + OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT |
summary: |
Horizon forbids user access to identity users/groups with - OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT + OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT=True |
description: | updated |
description: | updated |
Medium as it's not clear of this issue blocks some functionality otherwise it should be raised to High.