Federated user cannot select domain for project creation

Bug #1451659 reported by Steve Martinelli
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Dashboard (Horizon) | Confirmed | Medium | Unassigned |

Bug Description

When using identity v3 federation through websso, it appears that the project creation is a bit different.
When attempting to create a new project, the new project's domain name and ID are greyed out. I suspect this was intended to restrict users to only creating projects in their own domain.

There are possibly two issues here:
  - If the user has admin credentials then project creation shouldn't be limited to that domain.
  - If the user is a 'federated' user, then they don't have a domain, and won't be able to create a project. (Maybe this is a good thing).

Tags: keystone
Lin Hua Cheng (lin-hua-cheng) wrote :

The domain ID and Name are always greyed out.

Typical workflow for an admin who wants to create a project:
1. They go to the Domain panel, select the Domain they want to work on, and click on "Set Domain Context".
2. Data in the Projects, Users and Groups panels are all scoped to the selected Domain.
3. When the admin creates a Project, it will be scoped to the selected Domain.

Lin Hua Cheng (lin-hua-cheng) wrote :

The domain is populated using the user's domain: https://github.com/openstack/horizon/blob/master/openstack_dashboard/api/keystone.py#L232

Since the federated user does not have any domain, it is expected that the domain field will be greyed out.

A possible solution would be to add a condition to check if the user is federated; if yes, use the domain from the scoped project instead of the user domain.

Changed in horizon:
status: New → Confirmed
Sean Carlisle (sean-carlisle) wrote :

Currently in Mitaka for a federated user, the Keystone v3 API does allow for domain-specific CRUD, such as creating projects, when a user has the admin role. The general workflow is as follows:

* An admin user authenticates to their federation endpoint and receives an unscoped token.
* For domain-specific tasks, the user then requests a domain-scoped token and then uses the token to perform any CRUD on the scoped domain.
* For project-specific tasks, the user then requests a project-scoped token and then uses the token to perform any CRUD on the scoped project.

A good write up on the process can be found here under "Performing Federation authentication": http://docs.openstack.org/developer/keystone/federation/federated_identity.html

My point being that it seems Horizon should still be aware of domain-scoping even with federated users.
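
The rescoping step in the workflow above, together with the fallback proposed earlier in the thread (use the scoped domain or project instead of the user domain for a federated user), as an added example that is not part of the bug report or of Horizon's code. The request body follows the Keystone v3 `POST /v3/auth/tokens` token-method format; `rescope_request`, `is_federated`, `effective_domain` and the sample tokens are hypothetical, and the example assumes a federated token carries an `OS-FEDERATION` entry under `user` and no usable user domain.

```python
# Added illustration; not Horizon or Keystone source code.

def rescope_request(unscoped_token_id, domain_id=None, project_id=None):
    """Body for POST /v3/auth/tokens that trades an unscoped token for a
    scoped one. Exactly one scope must be requested."""
    if (domain_id is None) == (project_id is None):
        raise ValueError("request exactly one of domain_id or project_id")
    if domain_id is not None:
        scope = {"domain": {"id": domain_id}}
    else:
        scope = {"project": {"id": project_id}}
    identity = {"methods": ["token"], "token": {"id": unscoped_token_id}}
    return {"auth": {"identity": identity, "scope": scope}}


def is_federated(token):
    # Assumption: federated tokens carry an OS-FEDERATION entry under "user".
    return "OS-FEDERATION" in token.get("user", {})


def effective_domain(token):
    """Hypothetical helper: domain to use for project creation."""
    user = token.get("user", {})
    if not is_federated(token) and user.get("domain"):
        return user["domain"]            # local user: own domain
    if token.get("domain"):
        return token["domain"]           # domain-scoped token
    project = token.get("project") or {}
    return project.get("domain")         # project-scoped token, else None


# Constructed sample token bodies (the "token" object of a v3 response).
FED_USER = {"id": "u-fed", "name": "alice@idp",
            "OS-FEDERATION": {"identity_provider": {"id": "example-idp"},
                              "protocol": {"id": "saml2"}, "groups": []}}
LOCAL = {"user": {"id": "u1", "name": "admin",
                  "domain": {"id": "default", "name": "Default"}}}
FED_UNSCOPED = {"user": FED_USER}
FED_DOMAIN = {"user": FED_USER, "domain": {"id": "d-eng", "name": "eng"}}
FED_PROJECT = {"user": FED_USER,
               "project": {"id": "p1", "name": "demo",
                           "domain": {"id": "d-eng", "name": "eng"}}}

if __name__ == "__main__":
    for label, tok in [("local", LOCAL), ("unscoped", FED_UNSCOPED),
                       ("domain", FED_DOMAIN), ("project", FED_PROJECT)]:
        print(label, effective_domain(tok))
```

An unscoped federated token yields no domain at all, which matches the greyed-out field reported here; the form only has something to show once the token has been rescoped.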

David Lyle (david-lyle) wrote :

This should be handled by setting the domain context, is it not?

summary: - cannot change domain for project creation
+ Federated user cannot select domain for project creation
tags: added: keystone
Ivan Kolodyazhny (e0ne)
Changed in horizon:
importance: Undecided → High
importance: High → Medium