Created attachment 1187026 [details] keystone v3 and multi-backend Hi, We are currently running OSP 8.0 in combination with keystone v3. This was configured according to the (internal?) RH document DO-1063276.pdf (Keystone v3 and multi-backends, OSP-D hackfest use-case) The horizon dashboard has been configured to function correctly with Keystone v3 (page 9 of document in attach) Keystone v3 itself is working correctly. We are able to list users/group through cli/api if we set the domain context (openstack user list --domain default|openstack group list --domain default) It seems that keystone expects a domain value and horizon is not passing anything through 1)Reproduce the bug: a)login to horizon with admin and domain default b)press the identity link c)press the link users or groups (in this example groups) 2)Result: a) admin user is being logged out b) redirect to login page c) Webserver returns following HTTP headers Host: xxxx.bel.be User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://xxxxbel.be/dashboard/auth/login/?next=/dashboard/identity/groups/ Cookie: csrftoken=OP7BCTXxhdXS8jC3mJx3GH3S0lbVn6go; login_region="http://10.242.3.10:5000/v2.0"; recent_project=4a31d33a690448fb82990b7d9d6ea911; token=0a3745e8-126c-4483-93f2-866b25d0d313; SERVERID=overcloud-controller-2; logout_reason="Unauthorized. Please try logging in again." Connection: keep-alive d)this unauthorized error is similar to the error you have if run "openstack user list"(without --domain!) in combination with keystone v3 3)Expected result Avoid any forced logouts in the dashboard. This confuses novice users/operators. 4)Possible solutions: a) completly disable option list users/groups without setting a domain context first in Horizon b) provide a meaningfull error with a reference to the limitations of horizon in combination with keystone v3
This is being worked on as bug #1360940. It will be backported when ready.
I did a little bit of research, and it turns out that mutlidomain support is only officially supported in Horizon starting with OSP9.
Hello guys, I have another customer hitting this issue with user/group listing in horizon. Would it be possible to know if backporting 2b846515f388278e2bf8d0198a4f821309e08e69 to liberty would change this issue? Thank you very much, David Hill
It won't help, because you are likely to hit another issue. We are not going to backport the whole multidomain support to osp8, so to use it, you need to use at least osp9.
Hello sir, Would it be possible to fix this issue for the customer ? This has a direct impact on their user experience as they're getting kicked out of the dashboard without a meaningful error message. Also, if this is not supported, then the RHOSP documentation should be updated letting people know it is not supported prior RHOSP 9 and that they need up upgrade to RHOSP 9. Thank you very much, David Hill
There is no way we can backport the whole support for multiple domains from osp9 to osp8. You will keep hitting issues, even if we fix this particular one, there will be more, even more serious ones. The support for multiple domains simply wasn't finished yet in osp8, it's available in osp9. That document you used for your setup was released in error, and has been since retracted.