** Description changed:

+ [Impact]
+ 
+ Since Caracal, when using domain-scoped token, keystone only returns
+ the domain the token is scoped to when listing domains.
+ 
+ Since Horizon does some behind-the-scenes swap of token scope when
+ doing some requests to Keystone, this breaks the Identity->Domains panel
+ for admins.
+ 
+ The fix forces the domain_list call to always use the original
+ auth scope, w/o a swap to the domain-scoped token.
+ 
+ 
+ [Test Case]
+ 
+ This issue can be easily reproduced by following these steps:
+ 
+ 1, Set up an openstack Caracal env with horizon
+ 2, Log in to horizon dashboard as an admin user
+ 3, Navigate to the 'Identity->Domains' panel
+ 
+ You will notice that only the admin user is listed.
+ 
+ [Where problems could occur]
+ 
+ We are changing the domain_list call to always use the original
+ auth scope, so any regression issues will be limited to
+ 'Identity->Domains' panel only.
+ 
+ 
+ [Other info]
+ 
+ This issue started with Caracal release, and this was fixed upstream by:
+ 
+ $ git tag --contains 964623e16baaf8d2902e6000b2cec62bea14d15d
+ 25.2.0
+ 25.3.0
+ 25.4.0
+ $ git branch -r --contains 23d0b9525f7c11288d503123e29db0bd66f9ca88
+   origin/stable/2024.2
+ $ git tag --contains 23d0b9525f7c11288d503123e29db0bd66f9ca88
+ <empty>
+ $ git tag --contains b06ce1c2a1baa6bd53e70f407cd2194aadcf169e
+ 24.0.1
+ 
+ For UA, the fix is already in Questing(ubuntu 25.10, 4:25.3.0-0ubuntu1), 
+ Plucky(ubuntu 25.04, 4:25.3.0-0ubuntu1), 
+ backporting is still required for: oracular(ubuntu 24.10, 4:25.1.0-0ubuntu1.1) 
+ and noble(ubuntu 24.04, 4:24.0.0-0ubuntu1.3)
+ 
+ For UCA, the fix is already in flamingo(2025.2, 4:25.3.0-0ubuntu1~cloud0), 
+ epoxy(2025.1, 4:25.3.0-0ubuntu1~cloud0), 
+ backporting is still required for: dalmatian(2024.2, 4:25.1.0-0ubuntu1.1~cloud0)
+  and caracal(2024.1 4:24.0.0-0ubuntu1.3~cloud0), but no debdiff needed due to 
+ inclusion in UA.
+ 
+ == ORIGINAL DESCRIPTION ==
+ 
  Starting with Caracal release, Identity Domains Panel is broken, as it
  only ever lists that domain that the user belongs to.
  
  Devstack/Master, logged as admin (devstack-admin creds in
  /etc/openstack/clouds.yaml).
  
  With default Horizon settings, I only ever see Default domain, even if I
  manually create some more. And I do not have an option to create domains
  from UI as well. This is because AFAIU the ability to create domains is
  tied to OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT (False by default), which
  is waaay legacy IMO. This option is quite overloaded in Horizon code,
  but that's a different question.
  
  When I enable the OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT in my
  local_settings.py, I can create domains from UI, but I still can not see
  any other domain other than the domain of the user.
  
  I tracked it to this piece of code that replaces the scope to the domain one for admins
  https://opendev.org/openstack/horizon/src/branch/stable/2024.1/openstack_dashboard/api/keystone.py#L153-L163,
  plus a recent change in Keystone https://review.opendev.org/c/openstack/keystone/+/900028 that started forcing
  domain tokens to only be able to list their own domains.

** Summary changed:

- Horizon Identity Domain Panel is broken in Caracal+
+ [SRU] Horizon Identity Domain Panel is broken in Caracal+

** Tags added: sts

** Patch added: "oracular.debdiff"
   https://bugs.launchpad.net/cloud-archive/epoxy/+bug/2067075/+attachment/5884258/+files/oracular.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2067075

Title:
  [SRU] Horizon Identity Domain Panel is broken in Caracal+
