Horizon Identity Domain Panel is broken in Caracal+

Bug #2067075 reported by Pavlo Shchelokovskyy
This bug affects 1 person
Affects: OpenStack Dashboard (Horizon)
Status: In Progress
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Starting with the Caracal release, the Identity Domains Panel is broken, as it only ever lists the domain that the user belongs to.

Devstack/Master, logged as admin (devstack-admin creds in /etc/openstack/clouds.yaml).

With default Horizon settings, I only ever see the Default domain, even if I manually create some more. And I do not have an option to create domains from the UI either. This is because AFAIU the ability to create domains is tied to OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT (False by default), which is waaay legacy IMO. This option is quite overloaded in Horizon code, but that's a different question.

When I enable OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT in my local_settings.py, I can create domains from the UI, but I still cannot see any domain other than the domain of the user.

I tracked it to this piece of code that replaces the scope with the domain one for admins
https://opendev.org/openstack/horizon/src/branch/stable/2024.1/openstack_dashboard/api/keystone.py#L153-L163,
plus a recent change in Keystone https://review.opendev.org/c/openstack/keystone/+/900028 that started forcing domain tokens to only be able to list their own domains.

summary: - Horizon Identity Domain Panel is broken with new Keystone policies
+ Horizon Identity Domain Panel is broken in Caracal+
Changed in horizon:
status: New → In Progress