** Description changed: [Impact] - Since Caracal, when using domain-scoped token, keystone only returns - the domain the token is scoped to when listing domains. + Since Caracal, when using domain-scoped token, keystone only returns the + domain the token is scoped to when listing domains. - Since Horizon does some behind-the-scenes swap of token scope when - doing some requests to Keystone, this breaks the Identity->Domains panel - for admins. + Since Horizon does some behind-the-scenes swap of token scope when doing + some requests to Keystone, this breaks the Identity->Domains panel for + admins. - The fix forces the domain_list call to always use the original - auth scope, w/o a swap to the domain-scoped token. - + The fix forces the domain_list call to always use the original auth + scope, w/o a swap to the domain-scoped token. [Test Case] This issue can be easily reproduced by following these steps: 1, Set up an openstack Caracal env with horizon 2, Log in to horizon dashboard as an admin user 3, Navigate to the 'Identity->Domains' panel - You will notice that only the admin user is listed. + You will notice that only the admin user is listed - https://imgur.com/a/e6dbh2v + other domains can be listed after applying the fix - https://imgur.com/a/vLd6Mcr [Where problems could occur] - We are changing the domain_list call to always use the original - auth scope, so any regression issues will be limited to - 'Identity->Domains' panel only. - + We are changing the domain_list call to always use the original auth + scope, so any regression issues will be limited to 'Identity->Domains' + panel only. 
[Other info] This issue started with Caracal release, and this was fixed upstream by: $ git tag --contains 964623e16baaf8d2902e6000b2cec62bea14d15d 25.2.0 25.3.0 25.4.0 $ git branch -r --contains 23d0b9525f7c11288d503123e29db0bd66f9ca88 - origin/stable/2024.2 + origin/stable/2024.2 $ git tag --contains 23d0b9525f7c11288d503123e29db0bd66f9ca88 <empty> $ git tag --contains b06ce1c2a1baa6bd53e70f407cd2194aadcf169e 24.0.1 - For UA, the fix is already in Questing(ubuntu 25.10, 4:25.3.0-0ubuntu1), - Plucky(ubuntu 25.04, 4:25.3.0-0ubuntu1), - backporting is still required for: oracular(ubuntu 24.10, 4:25.1.0-0ubuntu1.1) - and noble(ubuntu 24.04, 4:24.0.0-0ubuntu1.3) + For UA, the fix is already in Questing(ubuntu 25.10, 4:25.3.0-0ubuntu1), + Plucky(ubuntu 25.04, 4:25.3.0-0ubuntu1), backporting is still required + for: oracular(ubuntu 24.10, 4:25.1.0-0ubuntu1.1) and noble(ubuntu 24.04, + 4:24.0.0-0ubuntu1.3) - For UCA, the fix is already in flamingo(2025.2, 4:25.3.0-0ubuntu1~cloud0), - eproxy(2025.1, 4:25.3.0-0ubuntu1~cloud0), - backporting is still required for: dalmatian(2024.2, 4:25.1.0-0ubuntu1.1~cloud0) - and caracal(2024.1 4:24.0.0-0ubuntu1.3~cloud0), but no debdiff needed due to - inclusion in UA. + For UCA, the fix is already in flamingo(2025.2, + 4:25.3.0-0ubuntu1~cloud0), eproxy(2025.1, 4:25.3.0-0ubuntu1~cloud0), + backporting is still required for: dalmatian(2024.2, + 4:25.1.0-0ubuntu1.1~cloud0) and caracal(2024.1 + 4:24.0.0-0ubuntu1.3~cloud0), but no debdiff needed due to inclusion in + UA. == ORIGINAL DESCRIPTION == Starting with Caracal release, Identity Domains Panel is broken, as it only ever lists that domain that the user belongs to. Devstack/Master, logged as admin (devstack-admin creds in /etc/openstack/clouds.yaml). With default Horizon settings, I only ever see Default domain, even if I manually create some more. And I do not have an option to create domains from UI as well. 
This is because AFAIU the ability to create domains is tied to OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT (False by default), which is waaay legacy IMO. This option is quite overloaded in Horizon code, but that's a different question. When I enable the OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT in my local_settings.py, I can create domains from UI, but I still can not see any other domain other than the domain of the user. I tracked it to this piece of code that replaces the scope to the domain one for admins https://opendev.org/openstack/horizon/src/branch/stable/2024.1/openstack_dashboard/api/keystone.py#L153-L163 , plus a recent change in Keystone https://review.opendev.org/c/openstack/keystone/+/900028 that started forcing domain tokens to only be able to list their own domains.
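
Review bot: in [Test Case], the expected-result line "You will notice that only the admin user is listed" names the wrong object. The panel under test lists domains, and [Impact] says keystone returns only the domain the token is scoped to, so this should read "only the admin user's domain is listed". The steps also never create a second domain, so on a fresh deployment the broken and fixed panels can look identical. Add a step before step 3 that creates an additional domain, as the original description does ("even if I manually create some more").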
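
Review bot: in [Other info], "eproxy(2025.1, 4:25.3.0-0ubuntu1~cloud0)" misspells the series name; 2025.1 is epoxy. In the same section, "git tag --contains 23d0b9525f7c11288d503123e29db0bd66f9ca88" prints <empty>, so the stable/2024.2 commit is not in any tagged release. Say that explicitly next to the oracular/dalmatian backport line (4:25.1.0-0ubuntu1.1), so a reader does not assume a 2024.2 point release already carries the fix.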
--
https://bugs.launchpad.net/bugs/2067075

Title: [SRU] Horizon Identity Domain Panel is broken in Caracal+
