Reviewed: https://review.opendev.org/c/openstack/horizon/+/920395 Committed: https://opendev.org/openstack/horizon/commit/964623e16baaf8d2902e6000b2cec62bea14d15d Submitter: "Zuul (22348)" Branch: master
commit 964623e16baaf8d2902e6000b2cec62bea14d15d Author: Pavlo Shchelokovskyy <[email protected]> Date: Fri May 24 13:57:17 2024 +0000 Force scope when listing domains since Caracal, when using domain-scoped token, keystone only returns the domain the token is scoped to when listing domains [0]. Since Horizon does some behind-the-scenes swap of token scope when doing some requests to Keystone, this breaks the Identity->Domains panel for admins. This patch forces the domain_list call to always use the original auth scope, w/o a swap to the domain-scoped token. [0] https://review.opendev.org/c/openstack/keystone/+/900028 Closes-Bug: #2067075 Change-Id: I4ff5f2de01c0bb13cfbb5136f40afe8187135686 ** Changed in: horizon Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon). https://bugs.launchpad.net/bugs/2067075 Title: Horizon Identity Domain Panel is broken in Caracal+ Status in OpenStack Dashboard (Horizon): Fix Released Bug description: Starting with Caracal release, Identity Domains Panel is broken, as it only ever lists that domain that the user belongs to. Devstack/Master, logged as admin (devstack-admin creds in /etc/openstack/clouds.yaml). With default Horizon settings, I only ever see Default domain, even if I manually create some more. And I do not have an option to create domains from UI as well. This is because AFAIU the ability to create domains is tied to OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT (False by default), which is waaay legacy IMO. This option is quite overloaded in Horizon code, but that's a different question. When I enable the OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT in my local_settings.py, I can create domains from UI, but I still can not see any other domain other than the domain of the user. I tracked it to this piece of code that replaces the scope to the domain one for admins https://opendev.org/openstack/horizon/src/branch/stable/2024.1/openstack_dashboard/api/keystone.py#L153-L163 , plus a recent change in Keystone https://review.opendev.org/c/openstack/keystone/+/900028 that started forcing domain tokens to only be able to list their own domains. To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/2067075/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
