application credentials "project ID" field is empty using SSO

Bug #1809267 reported by varocho
This bug affects 2 people
Affects: OpenStack Dashboard (Horizon)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Hi

We found this issue testing the new application credential feature from the Rocky dashboard. Our external users are using an SSO to get access to OpenStack; they are mapped correctly to an internal project. Unfortunately, when they request a new application credential, the "project ID" field is empty, so they get this error message when they try to use the credential from the client:

$ openstack application credential list
need one of hex, bytes, bytes_le, fields, or int (HTTP 400) (Request-ID: req-12f90f0f-319f-4b42-895a-a921f274d9ac)

As admin the user's app credential looks like this:

# openstack application credential list --user bb762ad156de46f6888bf2ae1001cade
+----------------------------------+-----------------+------------+--------------------------------------------------+----------------------------+
| ID | Name | Project ID | Description | Expires At |
+----------------------------------+-----------------+------------+--------------------------------------------------+----------------------------+
| a7300cb1848341188c408a5cb9069b1b | myappcredential | None | This is a app credential test valid for a month. | 2019-01-31T18:00:00.000000 |
+----------------------------------+-----------------+------------+--------------------------------------------------+----------------------------+

Any clue why we get a null Project ID using a SSO?

Cheers and thanks!
Alvaro

Stijn De WEirdt (stdweird) wrote :

After some more debugging, the issue seems to come from the lack of a project-scoped token that Horizon uses.
I'm not sure that when using SSO you should get a project-scoped token when working with Horizon, but in our case it seems we don't have one, and calling the Keystone application_credential create with an unscoped token gives you an unscoped application token, which is useless.

The fix is either to use a project-scoped token in Horizon when using SSO, or, when the application_credential create is called, to get one and use the new scoped token to create the credential.

Stijn De WEirdt (stdweird) wrote :

After a lot of debugging, it was an issue with multidomain support being enabled.
When it is enabled, the api.keystoneclient overrides the user token with a domain token.
The user token has project scope, but the domain token does not, and thus the application credential will (always?) fail.

Akihiro Motoki (amotoki)
summary: - application credentials "projec ID" field is empty using SSO
+ application credentials "project ID" field is empty using SSO
tags: added: keystone
Xav Paice (xavpaice) wrote :

Just a note, we're seeing this still on a cloud running Stein, when logged in as a user from an LDAP domain.

tags: added: canonical-bootstack
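
Added example (not part of the bug report, and not Horizon or Keystone code): a check for the scope problem described in the comments above. It classifies a Keystone v3 token body by scope and flags application credentials that were stored without a project ID. The token bodies, IDs and the second credential are constructed sample data.

```python
"""Classify Keystone v3 token scope and find application credentials with no project."""


def token_scope(token_body):
    """Return 'project', 'domain', 'system' or 'unscoped' for a v3 token body.

    A scoped token carries a top-level 'project', 'domain' or 'system' object
    under 'token'; an unscoped token carries none of them.
    """
    token = token_body.get("token", {})
    for scope in ("project", "domain", "system"):
        if token.get(scope):
            return scope
    return "unscoped"


def can_create_app_credential(token_body):
    """An application credential is bound to a project, so require project scope."""
    return token_scope(token_body) == "project"


def unusable_credentials(listing):
    """Return the names of application credentials whose project_id is empty."""
    return [cred["name"]
            for cred in listing.get("application_credentials", [])
            if not cred.get("project_id")]


# Constructed sample data: the three token shapes discussed in the comments.
PROJECT_TOKEN = {"token": {"user": {"id": "u1"},
                           "project": {"id": "p1", "name": "demo"}}}
DOMAIN_TOKEN = {"token": {"user": {"id": "u1"},
                          "domain": {"id": "d1", "name": "ldap"}}}
UNSCOPED_TOKEN = {"token": {"user": {"id": "u1"}, "methods": ["mapped"]}}

# Constructed listing in the shape of the application credentials API response.
LISTING = {"application_credentials": [
    {"id": "c1", "name": "myappcredential", "project_id": None},
    {"id": "c2", "name": "ci-deploy", "project_id": "p1"},
]}

if __name__ == "__main__":
    for label, body in (("project", PROJECT_TOKEN), ("domain", DOMAIN_TOKEN),
                        ("unscoped", UNSCOPED_TOKEN)):
        print(label, token_scope(body), can_create_app_credential(body))
    print("no project:", unusable_credentials(LISTING))
```
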