[Bug 2067075] Re: [SRU] Horizon Identity Domain Panel is broken in Caracal+

Hua Zhang 2067075 at bugs.launchpad.net
Tue Jun 17 05:46:03 UTC 2025


** Description changed:

  [Impact]
  
- Since Caracal, when using domain-scoped token, keystone only returns
- the domain the token is scoped to when listing domains.
+ Since Caracal, when using domain-scoped token, keystone only returns the
+ domain the token is scoped to when listing domains.
  
- Since Horizon does some behind-the-scenes swap of token scope when
- doing some requests to Keystone, this breaks the Identity->Domains panel
- for admins.
+ Since Horizon does some behind-the-scenes swap of token scope when doing
+ some requests to Keystone, this breaks the Identity->Domains panel for
+ admins.
  
- The fix forces the domain_list call to always use the original
- auth scope, w/o a swap to the domain-scoped token.
- 
+ The fix forces the domain_list call to always use the original auth
+ scope, w/o a swap to the domain-scoped token.
  
  [Test Case]
  
  This issue can be easily reproduced by following these steps:
  
  1, Set up an openstack Caracal env with horizon
  2, Log in to horizon dashboard as an admin user
  3, Navigate to the 'Identity->Domains' panel
  
- You will notice that only the admin user is listed.
+ You will notice that only the admin user is listed - https://imgur.com/a/e6dbh2v
+ other domains can be listed after applying the fix - https://imgur.com/a/vLd6Mcr
  
  [Where problems could occur]
  
- We are changing the domain_list call to always use the original
- auth scope, so any regression issues will be limited to
- 'Identity->Domains' panel only.
- 
+ We are changing the domain_list call to always use the original auth
+ scope, so any regression issues will be limited to 'Identity->Domains'
+ panel only.
  
  [Other info]
  
  This issue started with Caracal release, and this was fixed upstream by:
  
  $ git tag --contains 964623e16baaf8d2902e6000b2cec62bea14d15d
  25.2.0
  25.3.0
  25.4.0
  $ git branch -r --contains 23d0b9525f7c11288d503123e29db0bd66f9ca88
-   origin/stable/2024.2
+   origin/stable/2024.2
  $ git tag --contains 23d0b9525f7c11288d503123e29db0bd66f9ca88
  <empty>
  $ git tag --contains b06ce1c2a1baa6bd53e70f407cd2194aadcf169e
  24.0.1
  
- For UA, the fix is already in Questing(ubuntu 25.10, 4:25.3.0-0ubuntu1), 
- Plucky(ubuntu 25.04, 4:25.3.0-0ubuntu1), 
- backporting is still required for: oracular(ubuntu 24.10, 4:25.1.0-0ubuntu1.1) 
- and noble(ubuntu 24.04, 4:24.0.0-0ubuntu1.3)
+ For UA, the fix is already in Questing(ubuntu 25.10, 4:25.3.0-0ubuntu1),
+ Plucky(ubuntu 25.04, 4:25.3.0-0ubuntu1), backporting is still required
+ for: oracular(ubuntu 24.10, 4:25.1.0-0ubuntu1.1) and noble(ubuntu 24.04,
+ 4:24.0.0-0ubuntu1.3)
  
- For UCA, the fix is already in flamingo(2025.2, 4:25.3.0-0ubuntu1~cloud0), 
- eproxy(2025.1, 4:25.3.0-0ubuntu1~cloud0), 
- backporting is still required for: dalmatian(2024.2, 4:25.1.0-0ubuntu1.1~cloud0)
-  and caracal(2024.1 4:24.0.0-0ubuntu1.3~cloud0), but no debdiff needed due to 
- inclusion in UA.
+ For UCA, the fix is already in flamingo(2025.2,
+ 4:25.3.0-0ubuntu1~cloud0), eproxy(2025.1, 4:25.3.0-0ubuntu1~cloud0),
+ backporting is still required for: dalmatian(2024.2,
+ 4:25.1.0-0ubuntu1.1~cloud0) and caracal(2024.1
+ 4:24.0.0-0ubuntu1.3~cloud0), but no debdiff needed due to inclusion in
+ UA.
  
  == ORIGINAL DESCRIPTION ==
  
  Starting with Caracal release, Identity Domains Panel is broken, as it
  only ever lists that domain that the user belongs to.
  
  Devstack/Master, logged as admin (devstack-admin creds in
  /etc/openstack/clouds.yaml).
  
  With default Horizon settings, I only ever see Default domain, even if I
  manually create some more. And I do not have an option to create domains
  from UI as well. This is because AFAIU the ability to create domains is
  tied to OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT (False by default), which
  is waaay legacy IMO. This option is quite overloaded in Horizon code,
  but that's a different question.
  
  When I enable the OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT in my
  local_settings.py, I can create domains from UI, but I still can not see
  any other domain other than the domain of the user.
  
  I tracked it to this piece of code that replaces the scope to the domain one for admins
  https://opendev.org/openstack/horizon/src/branch/stable/2024.1/openstack_dashboard/api/keystone.py#L153-L163 ,
  plus a recent change in Keystone https://review.opendev.org/c/openstack/keystone/+/900028 that started forcing domain tokens to only be able to list their own domains.
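
Review bot: in the [Test Case] section, the added line "You will notice that only the admin user is listed" describes the Identity->Domains panel, which lists domains, and the original description further down says only the user's own domain is shown; wording such as "only the admin user's domain is listed" would match it. The second added line ("other domains can be listed after applying the fix") runs on from the first without a capital or full stop and would read better as its own sentence. In the UCA paragraph, "eproxy(2025.1, ...)" does not match the series name "epoxy" used in the status list of this notification.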

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/2067075

Title:
  [SRU] Horizon Identity Domain Panel is broken in Caracal+

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive caracal series:
  New
Status in Ubuntu Cloud Archive dalmatian series:
  New
Status in Ubuntu Cloud Archive epoxy series:
  Fix Released
Status in Ubuntu Cloud Archive flamingo series:
  Fix Released
Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in horizon package in Ubuntu:
  Fix Released
Status in horizon source package in Noble:
  New
Status in horizon source package in Oracular:
  New
Status in horizon source package in Plucky:
  Fix Released
Status in horizon source package in Questing:
  Fix Released

Bug description:
  [Impact]

  Since Caracal, when using domain-scoped token, keystone only returns
  the domain the token is scoped to when listing domains.

  Since Horizon does some behind-the-scenes swap of token scope when
  doing some requests to Keystone, this breaks the Identity->Domains
  panel for admins.

  The fix forces the domain_list call to always use the original auth
  scope, w/o a swap to the domain-scoped token.

  [Test Case]

  This issue can be easily reproduced by following these steps:

  1, Set up an openstack Caracal env with horizon
  2, Log in to horizon dashboard as an admin user
  3, Navigate to the 'Identity->Domains' panel

  You will notice that only the admin user is listed - https://imgur.com/a/e6dbh2v
  other domains can be listed after applying the fix - https://imgur.com/a/vLd6Mcr

  [Where problems could occur]

  We are changing the domain_list call to always use the original auth
  scope, so any regression issues will be limited to 'Identity->Domains'
  panel only.

  [Other info]

  This issue started with Caracal release, and this was fixed upstream
  by:

  $ git tag --contains 964623e16baaf8d2902e6000b2cec62bea14d15d
  25.2.0
  25.3.0
  25.4.0
  $ git branch -r --contains 23d0b9525f7c11288d503123e29db0bd66f9ca88
    origin/stable/2024.2
  $ git tag --contains 23d0b9525f7c11288d503123e29db0bd66f9ca88
  <empty>
  $ git tag --contains b06ce1c2a1baa6bd53e70f407cd2194aadcf169e
  24.0.1

  For UA, the fix is already in Questing(ubuntu 25.10,
  4:25.3.0-0ubuntu1), Plucky(ubuntu 25.04, 4:25.3.0-0ubuntu1),
  backporting is still required for: oracular(ubuntu 24.10,
  4:25.1.0-0ubuntu1.1) and noble(ubuntu 24.04, 4:24.0.0-0ubuntu1.3)

  For UCA, the fix is already in flamingo(2025.2,
  4:25.3.0-0ubuntu1~cloud0), epoxy(2025.1, 4:25.3.0-0ubuntu1~cloud0),
  backporting is still required for: dalmatian(2024.2,
  4:25.1.0-0ubuntu1.1~cloud0) and caracal(2024.1
  4:24.0.0-0ubuntu1.3~cloud0), but no debdiff needed due to inclusion in
  UA.

  == ORIGINAL DESCRIPTION ==

  Starting with Caracal release, Identity Domains Panel is broken, as it
  only ever lists that domain that the user belongs to.

  Devstack/Master, logged as admin (devstack-admin creds in
  /etc/openstack/clouds.yaml).

  With default Horizon settings, I only ever see Default domain, even if
  I manually create some more. And I do not have an option to create
  domains from UI as well. This is because AFAIU the ability to create
  domains is tied to OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT (False by
  default), which is waaay legacy IMO. This option is quite overloaded
  in Horizon code, but that's a different question.

  When I enable the OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT in my
  local_settings.py, I can create domains from UI, but I still can not
  see any other domain other than the domain of the user.

  I tracked it to this piece of code that replaces the scope to the domain one for admins
  https://opendev.org/openstack/horizon/src/branch/stable/2024.1/openstack_dashboard/api/keystone.py#L153-L163 ,
  plus a recent change in Keystone https://review.opendev.org/c/openstack/keystone/+/900028 that started forcing domain tokens to only be able to list their own domains.

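
The interaction described under [Impact], as an added example that is not part of the bug report and is not Horizon or Keystone code: a simplified Python model in which the listing call returns a silently filtered result for a domain-scoped token, so the scope swap looks like missing data rather than an authorization error. The `Token` class, the function names and the sample domains are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: domains that exist in the identity service.
DOMAINS = ["default", "engineering", "finance"]


@dataclass(frozen=True)
class Token:
    """Hypothetical token model: at most one of project/domain is set."""
    user: str
    is_admin: bool
    project: Optional[str] = None  # project-scoped token
    domain: Optional[str] = None   # domain-scoped token


def list_domains(token: Token) -> List[str]:
    """Server side, as the report describes Caracal+: a domain-scoped token
    gets a filtered list (its own domain only), not an error."""
    if token.domain is not None:
        return [d for d in DOMAINS if d == token.domain]
    # Assumption: an admin's non-domain-scoped token may list every domain.
    return list(DOMAINS) if token.is_admin else []


def rescope_to_domain(token: Token, domain: str) -> Token:
    """Dashboard side: the behind-the-scenes swap to a domain-scoped token."""
    return Token(user=token.user, is_admin=token.is_admin, domain=domain)


def domain_list_before_fix(session: Token, user_domain: str) -> List[str]:
    """Admins are swapped to the domain scope before the listing call."""
    token = rescope_to_domain(session, user_domain) if session.is_admin else session
    return list_domains(token)


def domain_list_after_fix(session: Token) -> List[str]:
    """The listing call keeps the original auth scope of the session."""
    return list_domains(session)


if __name__ == "__main__":
    admin = Token(user="admin", is_admin=True, project="admin")
    print("before fix:", domain_list_before_fix(admin, "default"))
    print("after fix: ", domain_list_after_fix(admin))
```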