[Bug 2067075] Re: Horizon Identity Domain Panel is broken in Caracal+
Hua Zhang
2067075 at bugs.launchpad.net
Tue Jun 17 05:40:15 UTC 2025
** Description changed:
+ [Impact]
+
+ Since Caracal, when using domain-scoped token, keystone only returns
+ the domain the token is scoped to when listing domains.
+
+ Since Horizon does some behind-the-scenes swap of token scope when
+ doing some requests to Keystone, this breaks the Identity->Domains panel
+ for admins.
+
+ The fix forces the domain_list call to always use the original
+ auth scope, w/o a swap to the domain-scoped token.
+
+
+ [Test Case]
+
+ This issue can be easily reproduced by following these steps:
+
+ 1, Set up an openstack Caracal env with horizon
+ 2, Log in to horizon dashboard as an admin user
+ 3, Navigate to the 'Identity->Domains' panel
+
+ You will notice that only the admin user is listed.
+
+ [Where problems could occur]
+
+ We are changing the domain_list call to always use the original
+ auth scope, so any regression issues will be limited to
+ 'Identity->Domains' panel only.
+
+
+ [Other info]
+
+ This issue started with Caracal release, and this was fixed upstream by:
+
+ $ git tag --contains 964623e16baaf8d2902e6000b2cec62bea14d15d
+ 25.2.0
+ 25.3.0
+ 25.4.0
+ $ git branch -r --contains 23d0b9525f7c11288d503123e29db0bd66f9ca88
+ origin/stable/2024.2
+ $ git tag --contains 23d0b9525f7c11288d503123e29db0bd66f9ca88
+ <empty>
+ $ git tag --contains b06ce1c2a1baa6bd53e70f407cd2194aadcf169e
+ 24.0.1
+
+ For UA, the fix is already in Questing(ubuntu 25.10, 4:25.3.0-0ubuntu1),
+ Plucky(ubuntu 25.04, 4:25.3.0-0ubuntu1),
+ backporting is still required for: oracular(ubuntu 24.10, 4:25.1.0-0ubuntu1.1)
+ and noble(ubuntu 24.04, 4:24.0.0-0ubuntu1.3)
+
+ For UCA, the fix is already in flamingo(2025.2, 4:25.3.0-0ubuntu1~cloud0),
+ eproxy(2025.1, 4:25.3.0-0ubuntu1~cloud0),
+ backporting is still required for: dalmatian(2024.2, 4:25.1.0-0ubuntu1.1~cloud0)
+ and caracal(2024.1 4:24.0.0-0ubuntu1.3~cloud0), but no debdiff needed due to
+ inclusion in UA.
+
+ == ORIGINAL DESCRIPTION ==
+
Starting with Caracal release, Identity Domains Panel is broken, as it
only ever lists that domain that the user belongs to.
Devstack/Master, logged as admin (devstack-admin creds in
/etc/openstack/clouds.yaml).
With default Horizon settings, I only ever see Default domain, even if I
manually create some more. And I do not have an option to create domains
from UI as well. This is because AFAIU the ability to create domains is
tied to OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT (False by default), which
is waaay legacy IMO. This option is quite overloaded in Horizon code,
but that's a different question.
When I enable the OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT in my
local_settings.py, I can create domains from UI, but I still can not see
any other domain other than the domain of the user.
I tracked it to this piece of code that replaces the scope to the domain one for admins
https://opendev.org/openstack/horizon/src/branch/stable/2024.1/openstack_dashboard/api/keystone.py#L153-L163 ,
plus a recent change in Keystone https://review.opendev.org/c/openstack/keystone/+/900028 that started forcing domain tokens to only be able to list their own domains.
** Summary changed:
- Horizon Identity Domain Panel is broken in Caracal+
+ [SRU] Horizon Identity Domain Panel is broken in Caracal+
** Tags added: sts
** Patch added: "oracular.debdiff"
https://bugs.launchpad.net/cloud-archive/epoxy/+bug/2067075/+attachment/5884258/+files/oracular.debdiff
https://bugs.launchpad.net/bugs/2067075
Title:
  [SRU] Horizon Identity Domain Panel is broken in Caracal+

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive caracal series:
  New
Status in Ubuntu Cloud Archive dalmatian series:
  New
Status in Ubuntu Cloud Archive epoxy series:
  Fix Released
Status in Ubuntu Cloud Archive flamingo series:
  Fix Released
Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in horizon package in Ubuntu:
  Fix Released
Status in horizon source package in Noble:
  New
Status in horizon source package in Oracular:
  New
Status in horizon source package in Plucky:
  Fix Released
Status in horizon source package in Questing:
  Fix Released

Bug description:
  [Impact]

  Since Caracal, when using a domain-scoped token, Keystone only returns
  the domain the token is scoped to when listing domains.

  Since Horizon does some behind-the-scenes swap of token scope when
  doing some requests to Keystone, this breaks the Identity->Domains
  panel for admins.

  The fix forces the domain_list call to always use the original auth
  scope, w/o a swap to the domain-scoped token.

  [Test Case]

  This issue can be easily reproduced by following these steps:

  1. Set up an OpenStack Caracal env with Horizon
  2. Log in to the Horizon dashboard as an admin user
  3. Navigate to the 'Identity->Domains' panel

  You will notice that only the admin user is listed - https://imgur.com/a/e6dbh2v
  Other domains can be listed after applying the fix - https://imgur.com/a/vLd6Mcr

  [Where problems could occur]

  We are changing the domain_list call to always use the original auth
  scope, so any regression issues will be limited to the
  'Identity->Domains' panel only.

  [Other info]

  This issue started with the Caracal release, and this was fixed upstream
  by:

  $ git tag --contains 964623e16baaf8d2902e6000b2cec62bea14d15d
  25.2.0
  25.3.0
  25.4.0
  $ git branch -r --contains 23d0b9525f7c11288d503123e29db0bd66f9ca88
  origin/stable/2024.2
  $ git tag --contains 23d0b9525f7c11288d503123e29db0bd66f9ca88
  <empty>
  $ git tag --contains b06ce1c2a1baa6bd53e70f407cd2194aadcf169e
  24.0.1

  For UA, the fix is already in Questing (ubuntu 25.10,
  4:25.3.0-0ubuntu1) and Plucky (ubuntu 25.04, 4:25.3.0-0ubuntu1);
  backporting is still required for: oracular (ubuntu 24.10,
  4:25.1.0-0ubuntu1.1) and noble (ubuntu 24.04, 4:24.0.0-0ubuntu1.3)

  For UCA, the fix is already in flamingo (2025.2,
  4:25.3.0-0ubuntu1~cloud0) and epoxy (2025.1, 4:25.3.0-0ubuntu1~cloud0);
  backporting is still required for: dalmatian (2024.2,
  4:25.1.0-0ubuntu1.1~cloud0) and caracal (2024.1
  4:24.0.0-0ubuntu1.3~cloud0), but no debdiff needed due to inclusion in
  UA.

  == ORIGINAL DESCRIPTION ==

  Starting with Caracal release, Identity Domains Panel is broken, as it
  only ever lists that domain that the user belongs to.

  Devstack/Master, logged as admin (devstack-admin creds in
  /etc/openstack/clouds.yaml).

  With default Horizon settings, I only ever see Default domain, even if
  I manually create some more. And I do not have an option to create
  domains from UI as well. This is because AFAIU the ability to create
  domains is tied to OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT (False by
  default), which is waaay legacy IMO. This option is quite overloaded
  in Horizon code, but that's a different question.

  When I enable the OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT in my
  local_settings.py, I can create domains from UI, but I still cannot
  see any other domain other than the domain of the user.

  I tracked it to this piece of code that replaces the scope to the domain one for admins
  https://opendev.org/openstack/horizon/src/branch/stable/2024.1/openstack_dashboard/api/keystone.py#L153-L163 ,
  plus a recent change in Keystone https://review.opendev.org/c/openstack/keystone/+/900028 that started forcing domain tokens to only be able to list their own domains.
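
An API-level version of the test case above, added here as an example (not code from Horizon, Keystone or the bug report): it compares what `GET /v3/domains` returns under the login scope and under a domain-scoped token. The `admin`/`Default` scope names, the assumption that the login scope is a project scope, and the sample domain lists are constructed.

```python
import json
import urllib.request

# Assumed devstack-style names; adjust to the cloud under test.
PROJECT_SCOPE = {"project": {"name": "admin", "domain": {"name": "Default"}}}
DOMAIN_SCOPE = {"domain": {"name": "Default"}}


def auth_body(user, password, user_domain, scope):
    """Build a Keystone v3 password-auth request with an explicit scope."""
    identity = {"methods": ["password"], "password": {"user": {
        "name": user, "domain": {"name": user_domain}, "password": password}}}
    return {"auth": {"identity": identity, "scope": scope}}


def list_domains(keystone_url, body):
    """Request a token for `body`, then return the domain names it may list."""
    req = urllib.request.Request(
        keystone_url + "/v3/auth/tokens", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        token = resp.headers["X-Subject-Token"]
    req = urllib.request.Request(
        keystone_url + "/v3/domains", headers={"X-Auth-Token": token})
    with urllib.request.urlopen(req) as resp:
        return sorted(d["name"] for d in json.load(resp)["domains"])


def diagnose(original_view, domain_view, scoped_domain):
    """Compare the domain lists seen under the two token scopes."""
    hidden = sorted(set(original_view) - set(domain_view))
    if hidden and list(domain_view) == [scoped_domain]:
        return "restricted", hidden      # Caracal+ behaviour from this bug
    if len(original_view) < 2:
        return "inconclusive", hidden    # create a second domain and rerun
    return "unrestricted", hidden


if __name__ == "__main__":
    # Constructed sample results. Against a test cloud, obtain them with e.g.
    # list_domains(url, auth_body("admin", pw, "Default", PROJECT_SCOPE)).
    print(diagnose(["Default", "heat", "test"], ["Default"], "Default"))
    print(diagnose(["Default", "test"], ["Default", "test"], "Default"))
```

A "restricted" result means a panel that lists domains through the domain-scoped token will show only that one domain, which is the symptom this SRU addresses.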