Public bug reported:

We have a Mitaka deployment in which users can log in using an external SSO service and the Keystone external authentication protocol and are mapped to a Keystone domain. Domain admin users from that domain can't perform any admin operations in the frontend because Horizon doesn't obtain a domain scoped token.
With external authentication, Keystone tokens always have the user domain present, so this shouldn't be an issue in Horizon. In my opinion, the bug is in the django_openstack_auth project. Here, on the websso path, I think the user domain is expected to be provided by the user in the login page, which, of course, isn't possible for websso.

As a solution, the unscoped Keystone token can be checked for the user domain. I have attached a patch for the 2.2.1 tag of django_openstack_auth. Seeing code here hasn't been modified in a long time, the bug should manifest itself in the newest version of Horizon.

** Affects: horizon
     Importance: Undecided
         Status: New

** Tags: dashboard-core

** Patch added: "Patch django_openstack_auth tag 2.2.1"
   https://bugs.launchpad.net/bugs/1655560/+attachment/4802757/+files/websso_domain.patch

** Description changed:

  We have a Mitaka deployment in which users can login using an external SSO service and the Keystone external authentication protocol and are mapped to a Keytone domain. Domain admin users from that domain can't perform any admin operations in the frontend because Horizon doesn't obtain a domain scoped token.

  With external authentication, Keystone tokens always have the user domain present, so this shouldn't be an issue in Horizon. In my opinion, the bug is in the django_openstack_auth project. Here, on the websso path, I think the user domain is expected to be provided by the user in the login page, which, of course, isn't possible for websso.

  As a solution, the unscoped Keystone token can be checked for the user domain. I have attached a patch for the 2.2.1 tag of django_openstack_auth. Seeing code here hasn't been modified in a long time, the bug should
- manifest in the newest version of Horizon.
+ manifest itself in the newest version of Horizon.
https://bugs.launchpad.net/bugs/1655560

Title:
  Horizon doesn't obtain domain scoped tokens for users coming through websso

Status in OpenStack Dashboard (Horizon):
  New
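
The fallback the report proposes, as an added Python example (not the attached patch and not django_openstack_auth code): when the login form supplies no domain, as on the websso path, the user domain is read from the unscoped Keystone v3 token body and used to build the domain-scoped token request. The function names and the sample token values are constructed for illustration.

```python
"""Added illustration: choose the domain for a domain-scoped token request."""

# Constructed sample: body of an unscoped Keystone v3 token for a user who
# arrived through WebSSO. Every id and name here is made up.
SAMPLE_UNSCOPED_TOKEN = {
    "token": {
        "methods": ["external"],
        "user": {
            "id": "u-123",
            "name": "alice",
            "domain": {"id": "d-456", "name": "sso-users"},
        },
        "expires_at": "2017-01-11T12:00:00.000000Z",
    }
}


def domain_from_form(form_domain_name):
    """Behaviour the report describes: only the login form supplies a domain."""
    return {"name": form_domain_name} if form_domain_name else None


def domain_for_scoping(form_domain_name, unscoped_token_body):
    """Proposed behaviour: fall back to the user domain in the unscoped token."""
    if form_domain_name:
        return {"name": form_domain_name}
    user = unscoped_token_body.get("token", {}).get("user", {})
    domain = user.get("domain") or {}
    if domain.get("id"):
        return {"id": domain["id"]}
    if domain.get("name"):
        return {"name": domain["name"]}
    return None  # nothing to scope to; caller must not guess a domain


def domain_scoped_auth_request(unscoped_token_id, domain):
    """Keystone v3 body for POST /v3/auth/tokens: token method, domain scope."""
    if domain is None:
        raise ValueError("no user domain available; cannot request domain scope")
    return {
        "auth": {
            "identity": {"methods": ["token"], "token": {"id": unscoped_token_id}},
            "scope": {"domain": domain},
        }
    }
```

The domain used for scoping comes from the token Keystone issued, not from anything the browser sent, so the fallback does not let a user pick a domain they were not mapped to.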