Public bug reported: Patch of 'https://review.openstack.org/#/c/263911/' add specifying region at the horizon login step.
It assume region for other resources is same as login region. But keystone identity endpoint can be used globally. For example, ``` (openstack) root@r2control0:/vagrant/utils# openstack endpoint list --service keystone +----------------------------------+--------------+--------------+--------------+---------+-----------+------------------------------------+ | ID | Region | Service Name | Service Type | Enabled | Interface | URL | +----------------------------------+--------------+--------------+--------------+---------+-----------+------------------------------------+ | 10c1b95b2bd64ffba7dcafc8d2ac9858 | devel-r2 | keystone | identity | True | internal | https://devel-api.9rum.cc:5000/v3 | | 5dbc177b7c4644dea1f0f08255e383e3 | kfield-devel | keystone | identity | True | internal | https://devel-api.9rum.cc:5000/v3 | | 7e65f96540634503a9b3fcebbdbf42d8 | devel-r2 | keystone | identity | True | admin | https://devel-api.9rum.cc:35357/v3 | | ba9f88fde4b143a791791454b72c229d | devel-r2 | keystone | identity | True | public | https://devel-api.9rum.cc:5000/v3 | | c9cf3f1f28144b73bf3e161644b269ae | kfield-devel | keystone | identity | True | admin | https://devel-api.9rum.cc:35357/v3 | | dc55bd5100374540b39cb4ccbef7f2ab | kfield-devel | keystone | identity | True | public | https://devel-api.9rum.cc:5000/v3 | +----------------------------------+--------------+--------------+--------------+---------+-----------+------------------------------------+ ``` in this case, if 'kfield-devel' region is returned for service_regions, other resources(projects..) are no longer accessible since user does not have 'devel-r2' region at all. At the login time, user only have 'kfield-devel' so unauthorized permission error blocks further progress. So, I think providing 'OPENSTACK_ENDPOINT_REGION' for specify login region, operator can specify a region for identity service which is also available to access other resources. Thanks ** Affects: horizon Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon). https://bugs.launchpad.net/bugs/1814043 Title: [RFE] Add 'OPENSTACK_ENDPOINT_REGION' env in openstack_auth Status in OpenStack Dashboard (Horizon): New Bug description: Patch of 'https://review.openstack.org/#/c/263911/' add specifying region at the horizon login step. It assume region for other resources is same as login region. But keystone identity endpoint can be used globally. For example, ``` (openstack) root@r2control0:/vagrant/utils# openstack endpoint list --service keystone +----------------------------------+--------------+--------------+--------------+---------+-----------+------------------------------------+ | ID | Region | Service Name | Service Type | Enabled | Interface | URL | +----------------------------------+--------------+--------------+--------------+---------+-----------+------------------------------------+ | 10c1b95b2bd64ffba7dcafc8d2ac9858 | devel-r2 | keystone | identity | True | internal | https://devel-api.9rum.cc:5000/v3 | | 5dbc177b7c4644dea1f0f08255e383e3 | kfield-devel | keystone | identity | True | internal | https://devel-api.9rum.cc:5000/v3 | | 7e65f96540634503a9b3fcebbdbf42d8 | devel-r2 | keystone | identity | True | admin | https://devel-api.9rum.cc:35357/v3 | | ba9f88fde4b143a791791454b72c229d | devel-r2 | keystone | identity | True | public | https://devel-api.9rum.cc:5000/v3 | | c9cf3f1f28144b73bf3e161644b269ae | kfield-devel | keystone | identity | True | admin | https://devel-api.9rum.cc:35357/v3 | | dc55bd5100374540b39cb4ccbef7f2ab | kfield-devel | keystone | identity | True | public | https://devel-api.9rum.cc:5000/v3 | +----------------------------------+--------------+--------------+--------------+---------+-----------+------------------------------------+ ``` in this case, if 'kfield-devel' region is returned for service_regions, other resources(projects..) are no longer accessible since user does not have 'devel-r2' region at all. At the login time, user only have 'kfield-devel' so unauthorized permission error blocks further progress. So, I think providing 'OPENSTACK_ENDPOINT_REGION' for specify login region, operator can specify a region for identity service which is also available to access other resources. Thanks To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1814043/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
