[SRU] Issue with Project administration at Cloud Admin level
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Fix Released | Undecided | Hua Zhang |
Ubuntu Cloud Archive | Status tracked in Caracal | | |
Antelope | New | Undecided | Unassigned |
Bobcat | Fix Released | Undecided | Unassigned |
Caracal | Fix Committed | Undecided | Unassigned |
Yoga | Fix Released | Undecided | Unassigned |
Zed | Won't Fix | Undecided | Unassigned |
horizon (Ubuntu) | Status tracked in Oracular | | |
Jammy | Fix Released | Medium | Hua Zhang |
Mantic | Fix Released | Medium | Hua Zhang |
Noble | Fix Released | Medium | Mauricio Faria de Oliveira |
Oracular | Fix Released | Medium | Mauricio Faria de Oliveira |
Bug Description
[Impact]
We are not able to see the list of users and groups assigned to a project in Horizon.
[Test Case]
Please refer to the [Test steps] section below.
[Regression Potential]
The fix ed768ab is already in the upstream main, stable/2024.1, stable/2023.2 branches, so it is a clean backport and might be helpful for deployments using dashboard.
Regressions would likely manifest in the users/groups tabs when listing users.
[Others]
Original Bug Description Below
===========
We are not able to see the list of users assigned to a project in Horizon.
Scenario:
- Log in as Cloud Admin
- Set Domain Context (k8s)
- Go to projects section
- Click on project Permissions_
- Go to Users
Expectation: Get a table with the users assigned to this project.
Result: Get an error - https:/
[Test steps]
1, Create an ordinary openstack test env with horizon.
2, Prepare some test data (eg: one domain k8s, one project k8s, and one user k8s-admin with the role k8s-admin-role)
openstack domain create k8s
openstack role create k8s-admin-role
openstack project create --domain k8s k8s
openstack user create --project-domain k8s --project k8s --domain k8s --password password k8s-admin
openstack role add --user k8s-admin --user-domain k8s --project k8s --project-domain k8s k8s-admin-role
$ openstack role assignment list --project k8s --names
+------
| Role | User | Group | Project | Domain | System | Inherited |
+------
| k8s-admin-role | k8s-admin@k8s | | k8s@k8s | | | False |
+------
3, Log in to the horizon dashboard with the admin user (eg: admin/openstack
4, Click 'Identity -> Domains' to set domain context to the domain 'k8s'.
5, Click 'Identity -> Project -> k8s project -> Users'.
6, This is the result, it said 'Unable to display the users of this project' - https:/
7, These are some logs
==> /var/log/
[Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid 140254008985152] [remote 10.5.3.120:58978] Recoverable error: 'e900b8934d1145
==> /var/log/
10.5.3.120 - - [23/Feb/
[Some Analyses]
This action will call this function in horizon [1].
This function will firstly get a list of users (api.keystone.
Without setting domain context, this works fine.
However, if setting domain context, the project displayed is in a different domain.
The user list from [2] only contains users of the user's own domain, while the role assignment list [3] includes users in another domain since the project is in another domain.
From horizon's debug log, here is an example of user list:
{"users": [{"email": "juju@localhost", "id": "8cd8f92ac2f941
Here is an example of role assignment list:
{"role_
Then later in the horizon function, it tries to get user details from user list for users in role assignment list [4], and fails,
because users in role assignment list don't exist in user list.
Horizon throws an error like:
[Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid 140254008985152] [remote 10.5.3.120:58978] Recoverable error: 'e900b8934d1145
This id is the id of a user, which is used as a key to find a user in the user list.
But user list doesn't have this id, so it fails.
[1] https:/
[2] https:/
[3] https:/
[4] https:/
description: updated
Changed in horizon: assignee: nobody → Hua Zhang (zhhuabj)
tags: added: sts
description: updated
tags: added: verification-caracal-done, removed: verification-caracal-needed
I did some analysis according to the data in https://paste.openstack.org/show/bnaAKV0YXlVn088MvsFB/
1, 'users = api.keystone.user_list(self.request)' gets the user admin(3436fc62a232444597496d57e5f4b5fc)
2, 'project_users_roles = api.keystone.get_project_users_roles(self.request, project=project_id)' gets
defaultdict(<class 'list'>, {'e900b8934d11458b8eb9db21671c1b11': ['a6ab948d1f7947a98e2363f14af10fbb']})
# openstack role add --user k8s-admin --user-domain k8s --project k8s --project-domain k8s k8s-admin-role
$ openstack role assignment list --project k8s
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| a6ab948d1f7947a98e2363f14af10fbb | e900b8934d11458b8eb9db21671c1b11 |       | 07123041ee0544e0ab32e50dde780afd |        |        | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
$ openstack role list |grep k8s
| a6ab948d1f7947a98e2363f14af10fbb | k8s-admin-role |
3, the user e900b8934d11458b8eb9db21671c1b11 (k8s-admin) is in the domain k8s
$ openstack user list --domain k8s
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| e900b8934d11458b8eb9db21671c1b11 | k8s-admin |
+----------------------------------+-----------+
not in the default domain
$ openstack user list
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 3436fc62a232444597496d57e5f4b5fc | admin    |
| 7413f0a568fb41409e93c3179c9f8a50 | demo     |
| 2dcabd8e53e0424a8974c7948268868d | alt_demo |
+----------------------------------+----------+
$ env |grep OS_
OS_PASSWORD=openstack
OS_IDENTITY_API_VERSION=3
OS_USER_DOMAIN_NAME=admin_domain
OS_REGION_NAME=RegionOne
OS_AUTH_URL=https://10.5.1.174:5000/v3
OS_PROJECT_DOMAIN_NAME=admin_domain
OS_AUTH_PROTOCOL=https
OS_USERNAME=admin
OS_AUTH_TYPE=password
OS_PROJECT_NAME=admin
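
The lookup failure described in [Some Analyses] and in the comment above, reproduced as an added example with the ids quoted on this page; it is not Horizon's code and not the upstream fix ed768ab. The function names, `DIRECTORY` and the `fetch_user` callback are hypothetical stand-ins for a per-id identity lookup.

```python
from collections import defaultdict

# Constructed sample data, using the ids quoted in the comment above.
ADMIN_ID = "3436fc62a232444597496d57e5f4b5fc"      # admin, default domain
K8S_ADMIN_ID = "e900b8934d11458b8eb9db21671c1b11"  # k8s-admin, domain k8s
K8S_ROLE_ID = "a6ab948d1f7947a98e2363f14af10fbb"   # k8s-admin-role

# What the domain-limited user listing returned: only the admin's own domain.
listed_users = {ADMIN_ID: {"id": ADMIN_ID, "name": "admin"}}

# What the role assignment listing for project k8s returned.
project_users_roles = defaultdict(list, {K8S_ADMIN_ID: [K8S_ROLE_ID]})

# Hypothetical directory standing in for a per-id identity lookup.
DIRECTORY = {K8S_ADMIN_ID: {"id": K8S_ADMIN_ID, "name": "k8s-admin"}}


def naive_project_members(users, users_roles):
    """Join as described in the analysis: index the user list by assignee id."""
    return [dict(users[uid], roles=roles) for uid, roles in users_roles.items()]


def tolerant_project_members(users, users_roles, fetch_user):
    """Resolve assignees missing from the listing; report those still unknown."""
    members, unresolved = [], []
    for uid, roles in users_roles.items():
        user = users.get(uid) or fetch_user(uid)
        if user is None:
            unresolved.append(uid)
            continue
        members.append(dict(user, roles=roles))
    return members, unresolved


def failing_id(users, users_roles):
    """Return the id that breaks the naive join, or None if it succeeds."""
    try:
        naive_project_members(users, users_roles)
    except KeyError as exc:
        return exc.args[0]
    return None


if __name__ == "__main__":
    print("naive join fails on:", failing_id(listed_users, project_users_roles))
    print(tolerant_project_members(listed_users, project_users_roles, DIRECTORY.get))
```

The id returned by `failing_id` is the same value that appears in the 'Recoverable error' log line; the tolerant join keeps unresolved assignees in a separate list instead of dropping the whole table.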