Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1363699

Summary: Forced Horizon logout while trying to list users/groups in identity (no domain context being set)
Product: Red Hat OpenStack Reporter: leendert.deprez
Component: python-django-horizonAssignee: Radomir Dopieralski <rdopiera>
Status: CLOSED NOTABUG QA Contact: Ido Ovadia <iovadia>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.0 (Liberty)CC: aortega, apannu, athomas, dhill, jrist, mrunge, rdopiera, srevivo
Target Milestone: ---Keywords: Reopened, Triaged, ZStream
Target Release: 10.0 (Newton)   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-10 17:35:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1287586    
Bug Blocks:    
Attachments:
Description Flags
keystone v3 and multi-backend none

Description leendert.deprez 2016-08-03 11:53:15 UTC 
Created attachment 1187026 [details]
keystone v3 and multi-backend

Hi,

We are currently running OSP 8.0 in combination with keystone v3.
This was configured according to the (internal?) RH document DO-1063276.pdf (Keystone v3 and multi-backends, OSP-D hackfest use-case)
The horizon dashboard has been configured to function correctly with Keystone v3 (page 9 of document in attach)

Keystone v3 itself is working correctly. We are able to list users/group through cli/api if we set the domain context
(openstack user list --domain default|openstack group list --domain default)

It seems that keystone expects a domain value and horizon is not passing anything through

1)Reproduce the bug:

a)login to horizon with admin and domain default
b)press the identity link
c)press the link users or groups (in this example groups)

2)Result:
a) admin user is being logged out 
b) redirect to login page
c) Webserver returns following HTTP headers

Host: xxxx.bel.be
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://xxxxbel.be/dashboard/auth/login/?next=/dashboard/identity/groups/
Cookie: csrftoken=OP7BCTXxhdXS8jC3mJx3GH3S0lbVn6go; login_region="http://10.242.3.10:5000/v2.0"; recent_project=4a31d33a690448fb82990b7d9d6ea911; token=0a3745e8-126c-4483-93f2-866b25d0d313; SERVERID=overcloud-controller-2; logout_reason="Unauthorized. Please try logging in again."
Connection: keep-alive

d)this unauthorized error is similar to the error you have if run "openstack user list"(without --domain!) in combination with keystone v3

3)Expected result

Avoid any forced logouts in the dashboard. This confuses novice users/operators. 

4)Possible solutions:

a) completly disable option list users/groups without setting a domain context first in Horizon
b) provide a meaningfull error with a reference to the limitations of horizon in combination with keystone v3
Comment 2 Radomir Dopieralski 2016-08-25 14:33:43 UTC 
This is being worked on as bug #1360940. It will be backported when ready.
Comment 3 Radomir Dopieralski 2016-08-26 07:28:42 UTC 
I did a little bit of research, and it turns out that mutlidomain support is only officially supported in Horizon starting with OSP9.
Comment 4 David Hill 2016-10-25 20:38:34 UTC 
Hello guys,

   I have another customer hitting this issue with user/group listing in horizon.   Would it be possible to know if backporting 2b846515f388278e2bf8d0198a4f821309e08e69 to liberty would change this issue?

Thank you very much,

David Hill
Comment 5 Radomir Dopieralski 2016-11-07 14:20:36 UTC 
It won't help, because you are likely to hit another issue. We are not going to backport the whole multidomain support to osp8, so to use it, you need to use at least osp9.
Comment 6 David Hill 2016-11-07 16:09:55 UTC 
Hello sir,

   Would it be possible to fix this issue for the customer ?   This has a direct impact on their user experience as they're getting kicked out of the dashboard without a meaningful error message.   Also, if this is not supported, then the RHOSP documentation should be updated letting people know it is not supported prior RHOSP 9 and that they need up upgrade to RHOSP 9.

Thank you very much,

David Hill
Comment 7 Radomir Dopieralski 2016-11-10 14:47:15 UTC 
There is no way we can backport the whole support for multiple domains from osp9 to osp8. You will keep hitting issues, even if we fix this particular one, there will be more, even more serious ones. The support for multiple domains simply wasn't finished yet in osp8, it's available in osp9. That document you used for your setup was released in error, and has been since retracted.