Adding users from different domain to a group

Bug #1476213 reported by Bajarang Jadhav
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Confirmed | Low | Unassigned | |
| OpenStack Identity (keystone) | Opinion | Wishlist | Unassigned | |

Bug Description

In Horizon, I found that users from one domain are not allowed to be part of the group of another domain.

Steps followed:
1. Created 2 domains, domain1 and domain2
2. Created users, user1 in domain1 and user2 in domain2.
3. Created groups, group1 in domain1 and group2 in domain2.
4. In UI, tried to add user1 to group2. When "Add users" is clicked in the "Group Management" page of group2, it shows only user2. I have attached the screenshot of the same.
5. Same behavior is observed while adding user2 to group1.

As per the discussion above, users from one domain are allowed to be part of the group of another domain. In CLI, same behavior is observed; however, in UI, the behavior is different, as mentioned in the above steps.

Can you please let me know if UI is behaving as designed?
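The report's steps written as `openstack` CLI calls, for comparing Keystone's own answer with what the Horizon dialog lists. This is an added example, not part of the original report; it assumes python-openstackclient with Identity v3 admin credentials already loaded in the environment, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: the report's steps as python-openstackclient calls.
# Assumption: Identity v3 admin credentials are already in the environment.
# domain1/domain2, user1/user2, group1/group2 are the names used in the report.

# Create a domain with one user and one group inside it.
# $1 = domain, $2 = user, $3 = group
setup_domain() {
    openstack domain create --or-show "$1" &&
    openstack user create --or-show --domain "$1" "$2" &&
    openstack group create --or-show --domain "$1" "$3"
}

# Add a user to a group, naming both domains explicitly so neither
# name is resolved against a default domain.
# $1 = user, $2 = user's domain, $3 = group, $4 = group's domain
add_member() {
    openstack group add user --user-domain "$2" --group-domain "$4" "$3" "$1"
}

# Print whether Keystone reports the user as a member of the group.
# Same argument order as add_member.
is_member() {
    openstack group contains user --user-domain "$2" --group-domain "$4" "$3" "$1"
}

# Steps 1-5 of the report, followed by a membership check for each pair.
repro() {
    setup_domain domain1 user1 group1 &&
    setup_domain domain2 user2 group2 &&
    add_member user1 domain1 group2 domain2 &&   # step 4
    add_member user2 domain2 group1 domain1 &&   # step 5
    is_member user1 domain1 group2 domain2 &&
    is_member user2 domain2 group1 domain1
}
```

Call `repro` against a test deployment, then open "Add users" for group2 in Horizon to compare the two views.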

Bajarang Jadhav (bajarangmca) wrote :

I have raised a similar bug in Keystone.

Link: https://bugs.launchpad.net/keystone/+bug/1474284

Bajarang Jadhav (bajarangmca) wrote :

Any update on this bug?

Lin Hua Cheng (lin-hua-cheng) wrote :

Cross domain user role assignment would have to be added as well.

Changed in horizon:
importance: Undecided → Low
status: New → Confirmed
Dolph Mathews (dolph) wrote :

Cross-domain user role assignment and cross-domain user group membership used to be supported in Keystone - this bug implies that one or both of those is no longer the case? Which is no longer supported? Does anyone know why such support was removed from keystone? I imagine there would be a negative test in keystone that would explain.

Changed in keystone:
importance: Undecided → Wishlist
status: New → Incomplete
Henry Nash (henry-nash) wrote :

Cross-domain role assignment is supported as it always was, no changes. Cross-domain user-group assignment is also supported EXCEPT for the case where you are using multiple LDAP identity backends (e.g. each domain is backed by a different LDAP) and the user and group in question are in different LDAPs. The consequences of lifting this restriction would be that listing the membership of a group might involve querying an unlimited number of LDAP servers. I'd want to really understand the use case if we went down that route.

Some have suggested (e.g. ayoung) that we should not be supporting user-group membership across domains at all - this is up for discussion. If we were to make a change here, we'd obviously have to go through a long deprecation cycle.

Changed in keystone:
assignee: nobody → fengzhaoyang (fengchaoyang)
Changed in keystone:
assignee: fengzhaoyang (fengchaoyang) → nobody
Steve Martinelli (stevemar) wrote :

This should have expired ages ago

Changed in keystone:
status: Incomplete → Opinion