Horizon doesn't obtain domain scoped tokens for users coming through websso

Bug #1655560 reported by Radu Pasea
This bug affects 1 person
Affects: OpenStack Dashboard (Horizon)
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

We have a Mitaka deployment in which users can log in using an external SSO service and the Keystone external authentication protocol and are mapped to a Keystone domain. Domain admin users from that domain can't perform any admin operations in the frontend because Horizon doesn't obtain a domain scoped token.

With external authentication, Keystone tokens always have the user domain present, so this shouldn't be an issue in Horizon.

In my opinion, the bug is in the django_openstack_auth project. Here, on the websso path, I think the user domain is expected to be provided by the user in the login page, which, of course, isn't possible for websso.

As a solution, the unscoped Keystone token can be checked for the user domain.

I have attached a patch for the 2.2.1 tag of django_openstack_auth. Seeing that the code here hasn't been modified in a long time, the bug should manifest itself in the newest version of Horizon.

Tags: keystone
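
The check proposed in the description, as an added example that is not part of the original report and is neither the attached patch nor django_openstack_auth code: it reads the user's domain from a Keystone v3 unscoped token body and builds the token-method request that rescopes to that domain. The token body, IDs, and function names are constructed for illustration.

```python
import json

# Constructed sample: body of a Keystone v3 unscoped token as issued after
# an external (websso) login. All IDs and names are made up.
UNSCOPED_TOKEN_BODY = json.loads("""
{
  "token": {
    "methods": ["external"],
    "expires_at": "2017-01-11T12:00:00.000000Z",
    "user": {
      "id": "u-1234",
      "name": "alice",
      "domain": {"id": "d-5678", "name": "sso_domain"}
    }
  }
}
""")


def user_domain_from_token(body):
    """Return (domain_id, domain_name) of the token's user, or None."""
    user = body.get("token", {}).get("user", {})
    domain = user.get("domain") or {}
    domain_id = domain.get("id")
    if not domain_id:
        # No domain in the token: the caller must not guess one.
        return None
    return domain_id, domain.get("name")


def domain_scoped_auth_request(unscoped_token_id, body):
    """Build the POST /v3/auth/tokens payload that rescopes the unscoped
    token to the domain the user belongs to."""
    found = user_domain_from_token(body)
    if found is None:
        raise ValueError("unscoped token carries no user domain")
    domain_id, _ = found
    return {
        "auth": {
            "identity": {"methods": ["token"],
                         "token": {"id": unscoped_token_id}},
            "scope": {"domain": {"id": domain_id}},
        }
    }
```

Keystone still decides whether the user holds a role on that domain; the request only asks for the scope, so a user without a domain role assignment is refused rather than elevated.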
Radu Pasea (rpasea) wrote :
description: updated
tags: added: keystone
removed: dashboard-core
Changed in horizon:
status: New → Triaged
importance: Undecided → Medium
milestone: none → next