Mirantis OpenStack

Horizon revokes admin role from user if cannot get user_list

Bug #1505200 reported by Paul Karikh on 2015-10-12

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Mirantis OpenStack	Won't Fix	High	Nikita Konovalov	Mirantis OpenStack 10.0
7.0.x	Won't Fix	High	Nikita Konovalov	Mirantis OpenStack 7.0-updates
8.0.x	Won't Fix	High	Unassigned	Mirantis OpenStack 8.0
9.x	Won't Fix	High	Unassigned	Mirantis OpenStack 9.0

Bug Description

1) Deploy Horizon with users storing in LDAP
2) Create a lot of users in LDAP so Keystone couldn't return user_list
3) Go to identity/projects and try to update quotas for project where you have admin role

Sometimes you get message 'You cannot revoke your administrative privileges from the project you are currently logged into.' and sometimes you will lose your admin role.

MOS 7.0

Tags:

Paul Karikh (pkarikh) on 2015-10-13

tags:	added: horizon
Changed in mos:
milestone:	none → 8.0
importance:	Undecided → Medium

Timur Sufiev (tsufiev-x) on 2015-10-13

Changed in mos:
importance:	Medium → High

Revision history for this message

Boris Bobrov (bbobrov) wrote on 2015-10-13:

This is not directly keystone's issue. Yes, keystone should not fail to return a list with many users, but Horizon should not drop roles if the list could not be retrieved. If you try to fetch a long list of users via cli, no roles are revoked.

Revision history for this message

Paul Karikh (pkarikh) wrote on 2015-10-23:

Upstream patch is here: https://review.openstack.org/#/c/237615/

Revision history for this message

Paul Karikh (pkarikh) wrote on 2015-11-10:

Also here is Keystone patch which should help us to fix (or workaround, at least) this problem:
https://review.openstack.org/#/c/234849/

Revision history for this message

Paul Karikh (pkarikh) wrote on 2015-11-16:

Horizon patch is on hold since we are wating for Keystone filtering/limiting patch. After it we are going to update Horizon patch in accordance with Keystone patch.

Revision history for this message

Paul Karikh (pkarikh) wrote on 2015-12-01:

We decided to use another approach. Now we want to use Keystone truncated functionality and api filtering to solve this problem. I belive this bug will be mostly covered with the patches for this bug: https://bugs.launchpad.net/mos/+bug/1494806

Paul Karikh (pkarikh) on 2016-01-12

Changed in mos:
milestone:	8.0 → 9.0

Roman Podoliaka (rpodolyaka) on 2016-02-17

tags:	added: area-horizon removed: horizon
tags:	added: release-notes

Olga Gusarenko (ogusarenko) on 2016-02-25

tags:

added: 8.0 release-notes-done
removed: release-notes

Revision history for this message

Paul Karikh (pkarikh) wrote on 2016-03-14:

Fix for this issue requires another patch for python-keystone client and according to Boris Bobrov who is author of this patch, there is no chances to get this fix for 9.0.
So we should to move this bug to 10.0.

Timur Sufiev (tsufiev-x) on 2016-03-14

Changed in mos:
milestone:	9.0 → 10.0

Revision history for this message

Dina Belova (dbelova) wrote on 2016-04-01:

Added move-to-10.0 tag to show this was moved to 10.0 from 9.0

tags:

added: move-to-10.0

Revision history for this message

Timur Sufiev (tsufiev-x) wrote on 2016-07-07:

Added 10.0-reviewed tag since the bugfix relies on keystoneclient feature that will be implemented no earlier than in Newton.

tags:

added: 10.0-reviewed

Revision history for this message

Timur Sufiev (tsufiev-x) wrote on 2016-11-24:

Horizon fix/feature is still waiting for the required changes in python-keystoneclient. Reassigning to Boris Bobrov, as he has more context to track the progress of Keystone-side changes.

Changed in mos:
assignee:	Paul Karikh (pkarikh) → Boris Bobrov (bbobrov)

Boris Bobrov (bbobrov) on 2017-03-06

Changed in mos:
assignee:	Boris Bobrov (bbobrov) → nobody

Vitaly Sedelnik (vsedelnik) on 2017-03-10

Changed in mos:
assignee:	nobody → Nikita Konovalov (nkonovalov)
no longer affects:	mos/10.0.x

Revision history for this message

Alexey Stupnikov (astupnikov) wrote on 2017-11-16:

#10

We no longer support MOS5.1, MOS6.0, MOS6.1
We deliver only Critical/Security fixes to MOS7.0, MOS8.0.
We deliver only High/Critical/Security fixes to MOS9.2.