Bug 1648838
| Summary: | [RHOSP 10] Horizon multi-domain model doesn't allow admin user in Default domain to list/change users in other domains | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Alex Stupnikov <astupnik> |
| Component: | python-django-horizon | Assignee: | Radomir Dopieralski <rdopiera> |
| Status: | CLOSED NOTABUG | QA Contact: | Beth White <beth.white> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 10.0 (Newton) | CC: | astupnik, athomas, jose.lema, jrist, mrunge, rdopiera |
| Target Milestone: | --- | Keywords: | Reopened, Triaged, ZStream |
| Target Release: | 10.0 (Newton) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-04-23 14:13:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Alex Stupnikov
2018-11-12 09:21:09 UTC
I'm not really familiar with multi-domain support enough to comment on this, however, I will take this up for discussion on the upstream team meeting. Admins from Default domain can still list users from other domains, if they have the rights to do so, by first selecting the domain scope in he Domains view. Does that help? Can we close it? Hi Radomir, sorry but we are unable to find that domain scope or domain view, coud you send more specific instructions please? Hi Radomir, I was mistaken, problem solved, thanks for the help. We can close the case Hi Radomir.
We shouldn't actually close this case. It looks like there is a small bug in Horizon that I was able to solve with a workaround. Please find the details below.
Official guide [1] propose the following configuration change to "/etc/openstack-dashboard/local_settings" file to enable multi-domain Horizon view:
OPENSTACK_API_VERSIONS = {
"identity": 3
}
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
This change will cause the behaviour I have originally reported: it is impossible to list projects and users in other domains. For some reason, it is possible to fix this problem by commenting last line (OPENSTACK_KEYSTONE_DEFAULT_DOMAIN) definition. After it is commented, we can list users and projects from other domains.
This issue looks like both horizon and documentation bugs:
- it is horizon bug because "OPENSTACK_KEYSTONE_DEFAULT_DOMAIN" parameter description [2] state that it should change only single-domain model behaviour. But it also introduces unpredictable change to multi-domain model.
- it is documentation bug, because there is no point to set this parameter for multi-domain model
The support case was closed because we successfully fixed the issue by commenting out "OPENSTACK_KEYSTONE_DEFAULT_DOMAIN". But the bugs should be addressed somehow.
[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/integrate_with_identity_service/sec-idm#configure_the_controller_2
[2] https://docs.openstack.org/newton/config-reference/dashboard/config-options.html
BR, Alex.
I'm closing this, since the customer's problem is solved. If you have found any additional bugs, please feel free to report them in separate issues, with separate priority, tracking, etc. |