Description of problem:

AFAIU, Horizon has two modes (models) to support Keystone v3 multi-domain environments:
- Single-domain (OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False)
- Multi-domain (OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True)

With the single-domain model it is:
- POSSIBLE to list all users and projects in all domains.
- IMPOSSIBLE to create users and projects in a non-Default domain.
- IMPOSSIBLE to switch to projects in a non-default domain.
- IMPOSSIBLE to log in using credentials from a non-default domain.

With the multi-domain model it is possible to explicitly specify the domain to log in to, but all domains are separated: admins from the Default domain can't list users from other domains (which is allowed by keystone).

As a result, we have a situation where Horizon doesn't allow admins to properly use their rights. I would like to use this bug to request the developers' point of view about this issue, so I could explain Red Hat's position to a customer and probably open an RFE for future releases.
I'm not really familiar with multi-domain support enough to comment on this, however, I will take this up for discussion on the upstream team meeting.
Admins from the Default domain can still list users from other domains, if they have the rights to do so, by first selecting the domain scope in the Domains view.
Does that help? Can we close it?
Hi Radomir, sorry but we are unable to find that domain scope or domain view, could you send more specific instructions please?
Hi Radomir, I was mistaken, problem solved, thanks for the help.
We can close the case
Hi Radomir. We shouldn't actually close this case. It looks like there is a small bug in Horizon that I was able to solve with a workaround. Please find the details below.

The official guide [1] proposes the following configuration change to the "/etc/openstack-dashboard/local_settings" file to enable the multi-domain Horizon view:

    OPENSTACK_API_VERSIONS = { "identity": 3 }
    OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
    OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'

This change will cause the behaviour I originally reported: it is impossible to list projects and users in other domains. For some reason, it is possible to fix this problem by commenting out the last line (the OPENSTACK_KEYSTONE_DEFAULT_DOMAIN definition). After it is commented out, we can list users and projects from other domains.

This issue looks like both a Horizon bug and a documentation bug:
- it is a Horizon bug because the "OPENSTACK_KEYSTONE_DEFAULT_DOMAIN" parameter description [2] states that it should change only the single-domain model behaviour. But it also introduces an unpredictable change to the multi-domain model.
- it is a documentation bug because there is no point in setting this parameter for the multi-domain model.

The support case was closed because we successfully fixed the issue by commenting out "OPENSTACK_KEYSTONE_DEFAULT_DOMAIN". But the bugs should be addressed somehow.

[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/integrate_with_identity_service/sec-idm#configure_the_controller_2
[2] https://docs.openstack.org/newton/config-reference/dashboard/config-options.html

BR, Alex.
I'm closing this, since the customer's problem is solved. If you have found any additional bugs, please feel free to report them in separate issues, with separate priority, tracking, etc.