[SRU] application credentials created via Horizon with the admin project scope have project_id == None
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Dashboard (Horizon) |
Fix Committed
|
Undecided
|
Rodrigo Barbieri | ||
Ubuntu Cloud Archive |
Fix Released
|
Undecided
|
Unassigned | ||
Ussuri |
Fix Released
|
Undecided
|
Unassigned | ||
Victoria |
Fix Released
|
Undecided
|
Unassigned | ||
Wallaby |
Fix Released
|
Undecided
|
Unassigned | ||
Xena |
Fix Released
|
Undecided
|
Unassigned | ||
Yoga |
Fix Released
|
Undecided
|
Unassigned | ||
Zed |
Fix Released
|
Undecided
|
Unassigned | ||
horizon (Ubuntu) |
Fix Released
|
Undecided
|
Rodrigo Barbieri | ||
Focal |
Fix Released
|
Undecided
|
Unassigned | ||
Jammy |
Fix Released
|
Undecided
|
Unassigned | ||
Kinetic |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
=======
SRU template below:
[Impact]
Users with SAML WEBSSO authentication may be unable to use the OpenStack CLI due to a combination of 2 reasons:
1) Inability to use an existing Keystone authentication protocol if their AD provider does not a SOAP endpoint
2) Inability to create proper application credentials through Horizon when they have domain+project admin roles, because the scopeless domain token is used when authenticating with Keystone
Due to being unable to use the CLI, many Cloud management operations are out of reach, as they are not available in Horizon. This SRU addresses cause (2) listed above by forcing a scoped token ONLY in the application credential create request.
The problem, however, also affects regular keystone users when they have domain+project admin roles, but Keystone users have no issues using the CLI to avoid the issue.
[Test case]
1. Setting up env
1a. Deploy environment
1b. Create a new domain d1
openstack domain create d1
1c. Create a new project p1 in domain d1
openstack project create p1 --domain d1
1d. Create a new user u1 in domain d1 and project p1
openstack user create u1 --domain d1 --project p1 --password pw
1e. Add domain + project Admin roles to user u1
openstack role add Admin --user u1 --user-domain d1 --project p1 --project-domain d1
openstack role add Admin --user u1 --user-domain d1 --domain d1
2. Reproducing the bug
2a. Login to horizon as user u1
2b. Navigate to Identity > application credentials page
2c. Create a new application credential named ac1 with default values
2d. Observe in the Horizon page list that the application credential was created without a project_id
2e. Confirm through the CLI (as user u1) that the application credential project_id is not shown in the list
openstack application credential list
3. Cleanup not necessary
4. Install the package that contains the fixed code
5. Repeat steps 2a-2e and confirm the project_id is now shown alongside the created application credential
[Regression Potential]
Given that the code adds an optional new parameter, and it is only being used when creating application credentials, only this functionality would be affected in case of a problem. Additionally, a potential problem would be in scope detection according to policy: the value is a boolean, so it is either a scoped or scopeless token forced. In case the detection fails and a scopeless token is used, the behavior is the same as the existing bug, otherwise, the behavior is the correct one.
[Other Info]
None
=======
Original bug description below:
Environment: tested with Stein from UCA (deployed via 19.04 charms).
1) login to horizon into the "admin" project;
keystone.conf:
[resource]
admin_project_
admin_project_name = admin
2) go to the "Application Credentials" tab;
3) create a credential with a unique name without specifying other parameters besides Admin and/or Member roles (auto-filled secret, no expiration);
note: project_id is retrieved from the token, it is not a field in the form
4) observe that project_id is set to None
5) encounter the following error during authentication using the application credential
TypeError: one of the hex, bytes, bytes_le, fields, or int arguments must be given
see the text file attached with a pdb log.
6) do the same via CLI and observe that project_id is specified and it is possible to log in
CLI workflow (project_id is present):
openstack application credential create --role Member --role Admin testcred
+------
| Field | Value |
+------
| description | None |
| expires_at | None |
| id | bb845e9e18634e7
| name | testcred |
| project_id | ebfc7e0457f048a
| roles | Member Admin |
| secret | zCka3asrEouKqCn
| system | None |
| unrestricted | False |
| user_id | 95067aae3e634a2
+------
Note the difference:
openstack application credential list
+------
| ID | Name | Project ID | Description | Expires At |
+------
| 344ddd902496456
| d681d11d4744421
+------
Related branches
- Ubuntu OpenStack uploaders: Pending requested
-
Diff: 157 lines (+135/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/lp1827120.patch (+127/-0)
debian/patches/series (+1/-0)
- Ubuntu OpenStack uploaders: Pending requested
-
Diff: 156 lines (+134/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/lp1827120.patch (+126/-0)
debian/patches/series (+1/-0)
- Ubuntu OpenStack uploaders: Pending requested
-
Diff: 155 lines (+133/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/lp1827120.patch (+125/-0)
debian/patches/series (+1/-0)
- Ubuntu OpenStack uploaders: Pending requested
-
Diff: 154 lines (+132/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/lp1827120.patch (+124/-0)
debian/patches/series (+1/-0)
- Ubuntu OpenStack uploaders: Pending requested
-
Diff: 153 lines (+131/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/lp1827120.patch (+123/-0)
debian/patches/series (+1/-0)
- Ubuntu OpenStack uploaders: Pending requested
-
Diff: 152 lines (+130/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/lp1827120.patch (+122/-0)
debian/patches/series (+1/-0)
tags: | added: sts |
description: | updated |
summary: |
- application credentials created via Horizon with the admin project scope - have project_id == None + [SRU] application credentials created via Horizon with the admin project + scope have project_id == None |
tags: | added: sts-sru-needed |
no longer affects: | keystone (Ubuntu) |
no longer affects: | keystone (Ubuntu Focal) |
no longer affects: | keystone (Ubuntu Jammy) |
no longer affects: | keystone (Ubuntu Kinetic) |
Changed in horizon: | |
status: | New → Fix Committed |
assignee: | nobody → Rodrigo Barbieri (rodrigo-barbieri2010) |
Changed in horizon (Ubuntu Focal): | |
assignee: | nobody → Rodrigo Barbieri (rodrigo-barbieri2010) |
status: | New → Fix Committed |
status: | Fix Committed → In Progress |
assignee: | Rodrigo Barbieri (rodrigo-barbieri2010) → nobody |
status: | In Progress → New |
Changed in horizon (Ubuntu): | |
status: | In Progress → Fix Committed |
Changed in cloud-archive: | |
status: | New → Fix Committed |
tags: |
added: verification-xena-needed removed: verification-xena-done |
tags: |
added: verification-xena-done removed: verification-xena-needed |
Status changed to 'Confirmed' because the bug affects multiple users.