OpenStack Dashboard (Horizon)

[SRU] Issue with Project administration at Cloud Admin level

Bug #2054799 reported by Hua Zhang
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
Fix Released
Undecided
Hua Zhang
Ubuntu Cloud Archive
Status tracked in Caracal
Antelope
New
Undecided
Unassigned
Bobcat
New
Undecided
Unassigned
Caracal
New
Undecided
Unassigned
Yoga
New
Undecided
Unassigned
Zed
New
Undecided
Unassigned
horizon (Ubuntu)
New
Undecided
Unassigned
Jammy
New
Undecided
Unassigned
Mantic
New
Undecided
Unassigned
Noble
New
Undecided
Unassigned

Bug Description

[Impact]

We are not able to see the list of users and groups assigned to a project in Horizon.

[Test Case]

Please refer to [Test steps] section below.

[Regression Potential]

The fix ed768ab is already in the upstream main, stable/2024.1, stable/2023.2 branches, so it is a clean backport and might be helpful for deployments using dashboard.

[Others]

Original Bug Description Below
===========

We are not able to see the list of users assigned to a project in Horizon.
Scenario:
- Log in as Cloud Admin
- Set Domain Context (k8s)
- Go to projects section
- Click on project Permissions_Roles_Test
- Go to Users

Expectation: Get a table with the users assigned to this project.
Result: Get an error - https://i.imgur.com/TminwUy.png

[Test steps]

1, Create an ordinary openstack test env with horizon.

2, Prepared some test data (eg: one domain k8s, one project k8s, and one user k8s-admain with the role k8s-admin-role)

openstack domain create k8s
openstack role create k8s-admin-role
openstack project create --domain k8s k8s
openstack user create --project-domain k8s --project k8s --domain k8s --password password k8s-admin
openstack role add --user k8s-admin --user-domain k8s --project k8s --project-domain k8s k8s-admin-role
$ openstack role assignment list --project k8s --names
+----------------+---------------+-------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+----------------+---------------+-------+---------+--------+--------+-----------+
| k8s-admin-role | k8s-admin@k8s | | k8s@k8s | | | False |
+----------------+---------------+-------+---------+--------+--------+-----------+

3, Log in horizon dashboard with admin user(eg: admin/openstack/admin_domain).

4, Click 'Identity -> Domains' to set domain context to the domain 'k8s'.

5, Click 'Identity -> Project -> k8s project -> Users'.

6, This is the result, it said 'Unable to disaply the users of this project' - https://i.imgur.com/TminwUy.png

7, These are some logs

==> /var/log/apache2/error.log <==
[Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid 140254008985152] [remote 10.5.3.120:58978] Recoverable error: 'e900b8934d11458b8eb9db21671c1b11'
==> /var/log/apache2/ssl_access.log <==
10.5.3.120 - - [23/Feb/2024:10:03:11 +0000] "GET /identity/07123041ee0544e0ab32e50dde780afd/detail/?tab=project_details__users HTTP/1.1" 200 1125 "https://10.5.3.120/identity/07123041ee0544e0ab32e50dde780afd/detail/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"

[Some Analyses]

This action will call this function in horizon [1].
This function will firstly get a list of users (api.keystone.user_list) [2], then role assignment list (api.keystone.get_project_users_roles) [3].
Without setting domain context, this works fine.
However, if setting domain context, the project displayed is in a different domain.
The user list from [2] only contains users of the user's own domain, while the role assignment list [3] includes users in another domain since the project is in another domain.

From horizon's debug log, here is an example of user list:
{"users": [{"email": "juju@localhost", "id": "8cd8f92ac2f94149a91488ad66f02382", "name": "admin", "domain_id": "103a4eb1712f4eb9873240d5a7f66599", "enabled": true, "password_expires_at": null, "options": {}, "links": {"self": "https://192.168.1.59:5000/v3/users/8cd8f92ac2f94149a91488ad66f02382"}}], "links": {"next": null, "self": "https://192.168.1.59:5000/v3/users", "previous": null}}

Here is an example of role assignment list:
{"role_assignments": [{"links": {"assignment": "https://192.168.1.59:5000/v3/projects/82e250e8492b49a1a05467994d33ea1b/users/a70745ed9ac047ad88b917f24df3c873/roles/f606fafcb4fd47018aeffec2b07b7e84"}, "scope": {"project": {"id": "82e250e8492b49a1a05467994d33ea1b"}}, "user": {"id": "a70745ed9ac047ad88b917f24df3c873"}, "role": {"id": "f606fafcb4fd47018aeffec2b07b7e84"}}, {"links": {"assignment": "https://192.168.1.59:5000/v3/projects/82e250e8492b49a1a05467994d33ea1b/users/fd7a79e2a4044c17873c08daa9ed37a1/roles/b936a9d998be4500900a5a9174b16b42"}, "scope": {"project": {"id": "82e250e8492b49a1a05467994d33ea1b"}}, "user": {"id": "fd7a79e2a4044c17873c08daa9ed37a1"}, "role": {"id": "b936a9d998be4500900a5a9174b16b42"}}], "links": {"next": null, "self": "https://192.168.1.59:5000/v3/role_assignments?scope.project.id=82e250e8492b49a1a05467994d33ea1b&include_subtree=True", "previous": null}}

Then later in the horizon function, it tries to get user details from user list for users in role assignment list [4], and fails,
because users in role assignment list don't exist in user list.

Horizon throws an error like:
[Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid 140254008985152] [remote 10.5.3.120:58978] Recoverable error: 'e900b8934d11458b8eb9db21671c1b11'

This id is the id of a user, which is used as a key to find a user in the user list.
But user list doesn't have this id, so it fails.

[1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L85
[2] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L96
[3] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L100
[4] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L108

See original description
Tags: patch sts
Hua Zhang (zhhuabj)
description: updated
Revision history for this message
Hua Zhang (zhhuabj) wrote :

I did some analysis according the data in https://paste.openstack.org/show/bnaAKV0YXlVn088MvsFB/

1, 'users = api.keystone.user_list(self.request)' gets the user admin(3436fc62a232444597496d57e5f4b5fc)

2, 'project_users_roles = api.keystone.get_project_users_roles(self.request, project=project_id)' gets

defaultdict(<class 'list'>, {'e900b8934d11458b8eb9db21671c1b11': ['a6ab948d1f7947a98e2363f14af10fbb']})

# openstack role add --user k8s-admin --user-domain k8s --project k8s --project-domain k8s k8s-admin-role
$ openstack role assignment list --project k8s
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
 +----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| a6ab948d1f7947a98e2363f14af10fbb | e900b8934d11458b8eb9db21671c1b11 | | 07123041ee0544e0ab32e50dde780afd | | | False |
 +----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
$ openstack role list |grep k8s
| a6ab948d1f7947a98e2363f14af10fbb | k8s-admin-role |

3, the user e900b8934d11458b8eb9db21671c1b11 (k8s-admin) is in the domain k8s

$ openstack user list --domain k8s
+----------------------------------+-----------+
| ID | Name |
 +----------------------------------+-----------+
| e900b8934d11458b8eb9db21671c1b11 | k8s-admin |
 +----------------------------------+-----------+

not in the default domain

$ openstack user list
+----------------------------------+----------+
| ID | Name |
 +----------------------------------+----------+
| 3436fc62a232444597496d57e5f4b5fc | admin |
| 7413f0a568fb41409e93c3179c9f8a50 | demo |
| 2dcabd8e53e0424a8974c7948268868d | alt_demo |
 +----------------------------------+----------+

$ env |grep OS_
OS_PASSWORD=openstack
OS_IDENTITY_API_VERSION=3
OS_USER_DOMAIN_NAME=admin_domain
OS_REGION_NAME=RegionOne
OS_AUTH_URL=https://10.5.1.174:5000/v3
OS_PROJECT_DOMAIN_NAME=admin_domain
OS_AUTH_PROTOCOL=https
OS_USERNAME=admin
OS_AUTH_TYPE=password
OS_PROJECT_NAME=admin

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/horizon/+/910321

Changed in horizon:
status: New → In Progress
Revision history for this message
Hua Zhang (zhhuabj) wrote : Re: Issue with Project administration at Cloud Admin level

Groups tab of project also has the same problem - https://imgur.com/M8c4iTd
After applying for the patch - https://i.imgur.com/JHuNQ1J

Here are my steps to create test group.

openstack group create k8s-group1 --domain k8s
openstack group add user --group-domain k8s --user-domain k8s k8s-group1 k8s-admin
openstack role add --group k8s-group1 --group-domain k8s --project k8s k8s-admin-role

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/910321
Committed: https://opendev.org/openstack/horizon/commit/ed768ab5071307ee15f95636ea548050cb894f9e
Submitter: "Zuul (22348)"
Branch: master

commit ed768ab5071307ee15f95636ea548050cb894f9e
Author: Zhang Hua <email address hidden>
Date: Tue Feb 27 15:26:28 2024 +0800

    Fix Users/Groups tab list when a domain context is set

    The list of users assigned to a project becomes invisible when a domain context
    is set in Horizon. If a domain context is set, the user list call should
    provide a list of users within the specified domain context, rather than users
    within the user's own domain.

    Groups tab of project also has the same problem.

    Change-Id: Ia778317acc41fe589765e6cd04c7fe8cad2360ab
    Closes-Bug: #2054799

Changed in horizon:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/2024.1)

Fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/horizon/+/916093

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/2023.2)

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/horizon/+/916094

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/horizon/+/916095

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/horizon/+/916096

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (unmaintained/yoga)

Fix proposed to branch: unmaintained/yoga
Review: https://review.opendev.org/c/openstack/horizon/+/916097

Hua Zhang (zhhuabj)
Changed in horizon:
assignee: nobody → Hua Zhang (zhhuabj)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/2024.1)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/916093
Committed: https://opendev.org/openstack/horizon/commit/4936fec3a7a2cc5494d4c2c2d6c202f10366c6f2
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit 4936fec3a7a2cc5494d4c2c2d6c202f10366c6f2
Author: Zhang Hua <email address hidden>
Date: Tue Feb 27 15:26:28 2024 +0800

    Fix Users/Groups tab list when a domain context is set

    The list of users assigned to a project becomes invisible when a domain context
    is set in Horizon. If a domain context is set, the user list call should
    provide a list of users within the specified domain context, rather than users
    within the user's own domain.

    Groups tab of project also has the same problem.

    Change-Id: Ia778317acc41fe589765e6cd04c7fe8cad2360ab
    Closes-Bug: #2054799
    (cherry picked from commit ed768ab5071307ee15f95636ea548050cb894f9e)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/916094
Committed: https://opendev.org/openstack/horizon/commit/593ef9b56191676d0a85b55bd152c0c757fad2de
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 593ef9b56191676d0a85b55bd152c0c757fad2de
Author: Zhang Hua <email address hidden>
Date: Tue Feb 27 15:26:28 2024 +0800

    Fix Users/Groups tab list when a domain context is set

    The list of users assigned to a project becomes invisible when a domain context
    is set in Horizon. If a domain context is set, the user list call should
    provide a list of users within the specified domain context, rather than users
    within the user's own domain.

    Groups tab of project also has the same problem.

    Change-Id: Ia778317acc41fe589765e6cd04c7fe8cad2360ab
    Closes-Bug: #2054799
    (cherry picked from commit ed768ab5071307ee15f95636ea548050cb894f9e)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (unmaintained/yoga)

Change abandoned by "Zhang Hua <email address hidden>" on branch: unmaintained/yoga
Review: https://review.opendev.org/c/openstack/horizon/+/916097
Reason: we are hitting a bandit bug that was fixed in newer branches

Revision history for this message
Hua Zhang (zhhuabj) wrote :
description: updated
summary: - Issue with Project administration at Cloud Admin level
+ [SRU] Issue with Project administration at Cloud Admin level
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (stable/zed)

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/zed
Review: https://review.opendev.org/c/openstack/horizon/+/916096
Reason: stable/zed branch of openstack/horizon is about to be deleted. To be able to do that, all open patches need to be abandoned. Please cherry pick the patch to unmaintained/zed if you want to further work on this patch.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "jammy.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Hua Zhang (zhhuabj) wrote :
Revision history for this message
Hua Zhang (zhhuabj) wrote :
Seyeong Kim (seyeongkim)
tags: added: sts
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.