** Also affects: cloud-archive/yoga
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/2054799
Title:
Issue with Project administration at Cloud Admin level
Status in Ubuntu Cloud Archive:
New
Status in Ubuntu Cloud Archive yoga series:
New
Status in OpenStack Dashboard (Horizon):
Fix Released
Bug description:
We are not able to see the list of users assigned to a project in Horizon.
Scenario:
- Log in as Cloud Admin
- Set Domain Context (k8s)
- Go to projects section
- Click on project Permissions_Roles_Test
- Go to Users
Expectation: Get a table with the users assigned to this project.
Result: Get an error - https://i.imgur.com/TminwUy.png
[Test steps]
1, Create an ordinary openstack test env with horizon.
2, Prepared some test data (eg: one domain k8s, one project k8s, and
one user k8s-admain with the role k8s-admin-role)
openstack domain create k8s
openstack role create k8s-admin-role
openstack project create --domain k8s k8s
openstack user create --project-domain k8s --project k8s --domain k8s
--password password k8s-admin
openstack role add --user k8s-admin --user-domain k8s --project k8s
--project-domain k8s k8s-admin-role
$ openstack role assignment list --project k8s --names
+----------------+---------------+-------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System |
Inherited |
+----------------+---------------+-------+---------+--------+--------+-----------+
| k8s-admin-role | k8s-admin@k8s | | k8s@k8s | | | False
|
+----------------+---------------+-------+---------+--------+--------+-----------+
3, Log in horizon dashboard with admin user(eg:
admin/openstack/admin_domain).
4, Click 'Identity -> Domains' to set domain context to the domain
'k8s'.
5, Click 'Identity -> Project -> k8s project -> Users'.
6, This is the result, it said 'Unable to disaply the users of this
project' - https://i.imgur.com/TminwUy.png
7, These are some logs
==> /var/log/apache2/error.log <==
[Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid
140254008985152] [remote 10.5.3.120:58978] Recoverable error:
'e900b8934d11458b8eb9db21671c1b11'
==> /var/log/apache2/ssl_access.log <==
10.5.3.120 - - [23/Feb/2024:10:03:11 +0000] "GET
/identity/07123041ee0544e0ab32e50dde780afd/detail/?tab=project_details__users
HTTP/1.1" 200 1125
"https://10.5.3.120/identity/07123041ee0544e0ab32e50dde780afd/detail/";
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/119.0.0.0 Safari/537.36"
[Some Analyses]
This action will call this function in horizon [1].
This function will firstly get a list of users (api.keystone.user_list) [2],
then role assignment list (api.keystone.get_project_users_roles) [3].
Without setting domain context, this works fine.
However, if setting domain context, the project displayed is in a different
domain.
The user list from [2] only contains users of the user's own domain, while
the role assignment list [3] includes users in another domain since the project
is in another domain.
From horizon's debug log, here is an example of user list:
{"users": [{"email": "juju@localhost", "id":
"8cd8f92ac2f94149a91488ad66f02382", "name": "admin", "domain_id":
"103a4eb1712f4eb9873240d5a7f66599", "enabled": true, "password_expires_at":
null, "options": {}, "links": {"self":
"https://192.168.1.59:5000/v3/users/8cd8f92ac2f94149a91488ad66f02382"}}],
"links": {"next": null, "self": "https://192.168.1.59:5000/v3/users";,
"previous": null}}
Here is an example of role assignment list:
{"role_assignments": [{"links": {"assignment":
"https://192.168.1.59:5000/v3/projects/82e250e8492b49a1a05467994d33ea1b/users/a70745ed9ac047ad88b917f24df3c873/roles/f606fafcb4fd47018aeffec2b07b7e84"},
"scope": {"project": {"id": "82e250e8492b49a1a05467994d33ea1b"}}, "user":
{"id": "a70745ed9ac047ad88b917f24df3c873"}, "role": {"id":
"f606fafcb4fd47018aeffec2b07b7e84"}}, {"links": {"assignment":
"https://192.168.1.59:5000/v3/projects/82e250e8492b49a1a05467994d33ea1b/users/fd7a79e2a4044c17873c08daa9ed37a1/roles/b936a9d998be4500900a5a9174b16b42"},
"scope": {"project": {"id": "82e250e8492b49a1a05467994d33ea1b"}}, "user":
{"id": "fd7a79e2a4044c17873c08daa9ed37a1"}, "role": {"id":
"b936a9d998be4500900a5a9174b16b42"}}], "links": {"next": null, "self":
"https://192.168.1.59:5000/v3/role_assignments?scope.project.id=82e250e8492b49a1a05467994d33ea1b&include_subtree=True";,
"previous": null}}
Then later in the horizon function, it tries to get user details from user
list for users in role assignment list [4], and fails,
because users in role assignment list don't exist in user list.
Horizon throws an error like:
[Fri Feb 23 10:03:12.201024 2024] [wsgi:error] [pid 47342:tid
140254008985152] [remote 10.5.3.120:58978] Recoverable error:
'e900b8934d11458b8eb9db21671c1b11'
This id is the id of a user, which is used as a key to find a user in the
user list.
But user list doesn't have this id, so it fails.
[1]
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L85
[2]
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L96
[3]
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L100
[4]
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/identity/projects/tabs.py#L108
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2054799/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
