Horizon doesn't obtain domain scoped tokens for users coming through websso
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Dashboard (Horizon) |
Triaged
|
Medium
|
Unassigned |
Bug Description
We have a Mitaka deployment in which users can login using an external SSO service and the Keystone external authentication protocol and are mapped to a Keytone domain. Domain admin users from that domain can't perform any admin operations in the frontend because Horizon doesn't obtain a domain scoped token.
With external authentication, Keystone tokens always have the user domain present, so this shouldn't be an issue in Horizon.
In my opinion, the bug is in the django_
As a solution, the unscoped Keystone token can be checked for the user domain.
I have attached a patch for the 2.2.1 tag of django_
tags: |
added: keystone removed: dashboard-core |
Changed in horizon: | |
status: | New → Triaged |
importance: | Undecided → Medium |
milestone: | none → next |