Bug 1359509 - Editing quota from a project in Horizon is removing users from the project
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-django-horizon
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: async
Target Release: 8.0 (Liberty)
Assignee: Radomir Dopieralski
QA Contact: Ido Ovadia
URL:
Whiteboard:
Depends On: 1287586
Blocks:
Reported: 2016-07-24 13:06 UTC by Martin Schuppert
Modified: 2020-06-11 12:55 UTC (History)

Fixed In Version: python-django-horizon-8.0.1-5.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-31 18:35:37 UTC
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 2460951 | 0 | None | None | None | 2016-07-24 13:29:08 UTC
Red Hat Product Errata | RHBA-2016:1795 | 0 | normal | SHIPPED_LIVE | python-django-horizon bug fix advisory | 2016-08-31 22:35:29 UTC

Description Martin Schuppert 2016-07-24 13:06:05 UTC
Description of problem:

While editing quota from a project in Horizon, this action is removing users from the project.

We are using Keystone v3 with multi domains setup.

I create a project in "Default" Keystone domain:

keystone]# openstack project create test
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | ceae5812586c4d7e915199c6dd5f4868 |
| is_domain   | False                            |
| name        | test                             |
| parent_id   | None                             |
+-------------+----------------------------------+

I add a user from a *different* domain (TESTDOM, an LDAP domain) like this:
keystone]# openstack role add --project test --user-domain TESTDOM --user domuser2 _member_

I verify the user is properly located in the project:
keystone]# openstack user list --project test
+------------------------------------------------------------------+-----------+
| ID                                                               | Name      |
+------------------------------------------------------------------+-----------+
| 13e3a99ae7410be0e41167d3d6fae7dea1b6d0c99362507c5c3b8c26a7b3bc1f | domuser1  |
| e9adb93931a3356afbb817f9c2a17046d1ac9127f1112f9751fdb09efe5046fb | domuser2  |
+------------------------------------------------------------------+-----------+

At this point the user can connect to Horizon with the TESTDOM domain and its LDAP credential and do actions in OpenStack.

Then I log in to the Horizon dashboard using the LDAP credential of my account (which is admin) and the TESTDOM domain.
I go to Identity -> Projects -> on the test project I do "Edit quota" -> I modify the number of instances from 10 to 15 -> update.

At this point Horizon *removed* all the users not belonging to the Default domain and that were assigned to this tenant!

keystone]# openstack user list --project test

keystone]#


Version-Release number of selected component (if applicable):
* OSP8
* python-django-horizon-8.0.1-2.el7ost.noarch
* openstack-dashboard-8.0.1-2.el7ost.noarch
* openstack-dashboard-theme-8.0.1-2.el7ost.noarch

How reproducible:
always

Steps to Reproduce:
1) # openstack project create redhatdebug

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 9abb68e68ab8489096005004e38e1001 |
| is_domain   | False                            |
| name        | redhatdebug                      |
| parent_id   | None                             |
+-------------+----------------------------------+
2) # openstack role add --project redhatdebug --user-domain TESTDOM --user user1 _member_

3) # openstack user list --project redhatdebug
+------------------------------------------------------------------+----------+
| ID                                                               | Name     |
+------------------------------------------------------------------+----------+
| e9adb93931a3356afbb817f9c2a17046d1ac9127f1112f9751fdb09efe5046fb | user1    |
+------------------------------------------------------------------+----------+

4) modify quota using horizon

5) # openstack user list --project redhatdebug

---> No more LDAP user in the project

Actual results:
No more LDAP user in the project

Expected results:
LDAP users stay in the project

Additional info:
[1] introduced a change in _update_project_members to not remove roles for users who have roles on the project but aren't in the domain:

+            # TODO(bpokorny): The following lines are needed to make sure we
+            # only modify roles for users who are in the current domain.
+            # Otherwise, we'll end up removing roles for users who have roles
+            # on the project but aren't in the domain.  For now, Horizon won't
+            # support managing roles across domains.  The Keystone CLI
+            # supports it, so we may want to add that in the future.
+            all_users = api.keystone.user_list(request,
+                                               domain=data['domain_id'])
+            users_dict = {user.id: user.name for user in all_users}
+
             for user_id in users_roles.keys():
+                # Don't remove roles if the user isn't in the domain
+                if user_id not in users_dict:
+                    users_to_modify -= 1
+                    continue
+
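Review bot: in the `for user_id in users_roles.keys()` loop, the skip for users outside the domain is silent, so whoever edits the project gets no indication that cross-domain role assignments were left unmanaged; consider logging the skipped `user_id` at debug level, or surfacing a message in the form. `users_dict` is only consulted for the membership test `user_id not in users_dict`, so a set of `user.id` values would state the intent more directly than a dict of id to name. The `api.keystone.user_list(request, domain=data['domain_id'])` call also fetches every user in the domain on each update, which is worth keeping in mind for a large LDAP-backed domain.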

[1] https://github.com/openstack/horizon/commit/2b846515f388278e2bf8d0198a4f821309e08e69#diff-58479fd50b8eddb273d41ad9c15dafa4R738
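
The behaviour reported above, as an added example that is not part of the original report and is not Horizon's code: a simplified model of how a project update reconciles stored role assignments against the submitted member list, with and without the domain check from [1]. The function name, the data shapes and the sample users are constructed, and it assumes the form only posts back members from the project's own domain.

```python
# Simplified model of the role reconciliation performed on a project update.
# Not Horizon's code; all names and data below are constructed.

def plan_role_changes(current_roles, submitted, domain_user_ids, guard):
    """Return (to_add, to_remove) as sets of (user_id, role) pairs.

    current_roles   -- {user_id: set(roles)} as stored in Keystone
    submitted       -- {role: set(user_ids)} as posted by the project form
    domain_user_ids -- ids of users in the project's own domain
    guard           -- apply the "skip users outside the domain" check
    """
    to_add, to_remove = set(), set()
    for user_id, roles in current_roles.items():
        if guard and user_id not in domain_user_ids:
            continue  # cross-domain user: leave the assignments untouched
        for role in roles:
            if user_id not in submitted.get(role, set()):
                to_remove.add((user_id, role))
    for role, user_ids in submitted.items():
        for user_id in user_ids:
            if role not in current_roles.get(user_id, set()):
                to_add.add((user_id, role))
    return to_add, to_remove


# Constructed state: one user from the project's domain, one from TESTDOM.
CURRENT = {"default-admin": {"admin"}, "testdom-user": {"_member_"}}
DOMAIN_USERS = {"default-admin"}
# Assumption: the member list in the form is built from the project's domain
# only, so a quota-only edit posts back nothing for the TESTDOM user.
SUBMITTED = {"admin": {"default-admin"}, "_member_": set()}


def demo():
    unguarded = plan_role_changes(CURRENT, SUBMITTED, DOMAIN_USERS, guard=False)
    guarded = plan_role_changes(CURRENT, SUBMITTED, DOMAIN_USERS, guard=True)
    return unguarded, guarded


if __name__ == "__main__":
    for label, (add, remove) in zip(("without guard", "with guard"), demo()):
        print(label, "add:", sorted(add), "remove:", sorted(remove))
```

Without the guard, the quota-only edit plans the removal of the TESTDOM user's `_member_` role; with it, nothing is removed.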

Comment 1 Martin Schuppert 2016-07-24 13:19:15 UTC
After performing the change mentioned in the description, it is possible to edit the tenant, modify quota, assign / remove users from the default domain to the project without any issue.

Comment 10 Udi Kalifon 2016-08-25 13:16:38 UTC
Hi Martin. The scenario you describe in the bug is impossible to do when using a "real" policy file which is domain-aware. When using, for example, the policy file from https://raw.githubusercontent.com/openstack/keystone/master/etc/policy.v3cloudsample.json - we were blocked from assigning a role to the user from a foreign domain on a project in the default domain.

When using the default policy file, which basically allows you to do almost anything, the scenario is possible but we can't be sure what the right behaviour is supposed to be. Which policy file was used for this bug? If it was the default policy file, may we close this bug?

Comment 11 Ido Ovadia 2016-08-25 14:15:02 UTC
In addition,

I think this scenario https://bugzilla.redhat.com/show_bug.cgi?id=1359509#c0
cannot be tested on RHOS 8 because it requires support for domain scoped tokens in horizon https://bugzilla.redhat.com/show_bug.cgi?id=1287586
which is targeted for release in RHOS 10

Comment 12 Irina Petrova 2016-08-25 14:19:58 UTC
(In reply to Ido Ovadia from comment #11)
> In addition,
>
> I think this scenario https://bugzilla.redhat.com/show_bug.cgi?id=1359509#c0
> cannot be tested on RHOS 8 because it requires support for domain scoped tokens
> in horizon https://bugzilla.redhat.com/show_bug.cgi?id=1287586
> which is targeted for release in RHOS 10

Ido, just a small clarification:

Actually, the code is there in RHOS 9. Please check out the latest BZ 1287586 comments. But as far as I am aware, it's still a no-go for RHOS 8. JFYI.

Comment 13 Martin Schuppert 2016-08-25 14:40:48 UTC
(In reply to Udi from comment #10)

Hi Udi, Ido

> When using the default policy file, which basically allows you to do almost
> anything, the scenario is possible but we can't be sure what the right
> behaviour is supposed to be. Which policy file was used for this bug? If it
> was the default policy file, may we close this bug?

Probably the default policy file, as documentation in [1] was used. 

[1] https://access.redhat.com/documentation/en/red-hat-openstack-platform/version-8/integrate-with-identity-service/#enable_command_line_access_to_keystone_v3

Comment 16 Ido Ovadia 2016-08-28 13:16:48 UTC
(In reply to Martin Schuppert from comment #14)
> Yes, we got confirmation from Matthias and Radomir that domain scoped tokens
> are not supported in horizon before Mitaka. I am also not sure if we want to
> deliver the backported change as there were concerns that we hit issues in
> other parts of horizon. The recommendation was to disable the identity tab
> until OSP9 which has scoped domains implemented.
> 
> @ Radomir, do we want to ship the backport you did initially?


Verified
========
python-django-horizon-8.0.1-6.el7ost.noarch

Verified partially as described on comment #8

Comment 18 errata-xmlrpc 2016-08-31 18:35:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1795.html