Bug 1278144
Summary: | [Docs] [Networking] Need to document how to use the "OPENSTACK_KEYSTONE_DEFAULT_DOMAIN" domain esp with LDAP usage | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Ruchika K <rkharwar> |
Component: | documentation | Assignee: | Martin Lopes <mlopes> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | RHOS Documentation Team <rhos-docs> |
Severity: | low | Docs Contact: | |
Priority: | medium | ||
Version: | 9.0 (Mitaka) | CC: | adahms, athomas, josorior, mlopes, mrunge, srevivo |
Target Milestone: | --- | Keywords: | Documentation, Triaged |
Target Release: | 9.0 (Mitaka) | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-05-13 10:11:18 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Ruchika K
2015-11-04 18:27:26 UTC
Testing this behavior in the lab environment. Hi Matthias, Could you comment on whether dashboard currently has the capability to perform the use case in the bug description? That value is used to provide a default domain for using authentication. Fun fact is, it's not used in horizon other than in docs, it is referenced in django-openstack-auth just for login purpose. Martin, the linked review source is not merged yet. I would expect that to change much in horizon. Hi Matthias, Does the reference in django-openstack-auth mean that users can configure a default login domain in horizon? For example, if they enter the value "LAB", will that mean users won't have to type that same value at the dashboard login page? I should mention that I've tested this and haven't been able to get it working, so I'm wondering that is really the intent of this feature. Martin, that is, how I understand it, yes. If it's not working that way, it might be either a bug in our downstream theme, in django-openstack-auth or the delivered django-openstack-auth package. I think, there has been an upstream bug, which made it not remembering the default domain. Horizon does not need to have any clue, if keystone uses ldap, mysql or whatever. Hi Matthias, It looks like upstream devs do not want to expose a default domain name in the login page (perhaps for security reasons?): https://bugs.launchpad.net/django-openstack-auth/+bug/1523957 This update attempts to strike a compromise by pre-filling the value in the browser (from cookie), if the user has previously entered one. Would you agree that I've interpreted this correctly? May take from the linked bug is: - pre-filling the domain field with default values is considered as a security risk - it would be ok to read it from the user cookie, like in the newly implemented feature in Django-openstack-auth. The code is merged in mitaka cycle, which is probably going to be OSP-9. In general, features are not being backported. Moving to 'NEW' while assigned to the default assignee. Looks like this is enabled by default: https://opendev.org/openstack/django_openstack_auth/commit/ce52637f61fb28c6efcb7f52b0043ee41a9cd05c The implementation would be self-evident to the user and probably does not need to be called out in docs. Let me know if there's something specific that should be mentioned here. |