Closed SebastianBiedler closed 1 year ago
Do you know if there is also a corresponding upstream change for the Horizon project?
Looks like https://review.opendev.org/c/openstack/horizon/+/856308 is the corresponding upstream change.
@SebastianBiedler Images should be available in around 2 hours. Please then test with the rolling tag for the used release. I added the backport to Xena, Yoga + Zed.
We updated the container images to the new version this morning. When I create an application credential it still has no Project ID and it seems that the issue is still there.
Can you please confirm the version of the horizon container that you are running (`docker inspect horizon | jq '.[0].Config.Labels'`) and the exact steps you are using to reproduce this?
```json
{
  "build-date": "20230223",
  "de.osism.commit.docker_images_kolla": "085837c",
  "de.osism.commit.kolla": "b6f51a7bb",
  "de.osism.commit.kolla_version": "14.9.1",
  "de.osism.commit.release": "21e12fd",
  "de.osism.release.openstack": "yoga",
  "de.osism.version": "latest",
  "kolla_version": "yoga",
  "name": "horizon",
  "org.opencontainers.image.created": "2023-02-23T00:17:29.882130+00:00",
  "org.opencontainers.image.documentation": "https://docs.osism.tech",
  "org.opencontainers.image.licenses": "ASL 2.0",
  "org.opencontainers.image.ref.name": "ubuntu",
  "org.opencontainers.image.source": "https://github.com/osism/container-images-kolla",
  "org.opencontainers.image.title": "horizon",
  "org.opencontainers.image.url": "https://www.osism.tech",
  "org.opencontainers.image.vendor": "OSISM GmbH",
  "org.opencontainers.image.version": "latest"
}
```
When I create an Application Credential in Horizon the Project ID is still "None"
My fault. I added the backport to the wrong location. New build is currently running. Please update the images tomorrow again. The backport should be included then.
```
"build-date": "20230228",
"de.osism.commit.docker_images_kolla": "38a1bca",
"de.osism.commit.kolla": "c7164c8f7",
"de.osism.commit.kolla_version": "14.9.1",
"de.osism.commit.release": "ef1ac4d",
"de.osism.release.openstack": "yoga",
"de.osism.version": "latest",
"kolla_version": "yoga",
"name": "horizon",
"org.opencontainers.image.created": "2023-02-28T00:17:14.713524+00:00",
"org.opencontainers.image.documentation": "https://docs.osism.tech",
"org.opencontainers.image.licenses": "ASL 2.0",
"org.opencontainers.image.ref.name": "ubuntu",
"org.opencontainers.image.source": "https://github.com/osism/container-images-kolla",
"org.opencontainers.image.title": "horizon",
"org.opencontainers.image.url": "https://www.osism.tech",
"org.opencontainers.image.vendor": "OSISM GmbH",
"org.opencontainers.image.version": "latest"
```
I updated horizon, but the application credential is showing that the project id is still "None".
Then the suggested backport does not seem to solve the problem. Are any other backports necessary?
I could still not reproduce the issue, either with the patch or without it. Can you please share details about the user account you are testing this with (project-admin, domain-admin?) and the exact steps you are taking? Is this a local user account?
I also tested the created credential with a ctl client. The issue remains that with these credentials it isn't possible to get a project scope token. I am not aware of any other backports.
The problem is as mentioned in the bug report. When you have different domains and the user is a member of projects in different domains, then in Horizon the project id is set to none. When you create application credentials on the CLI, they are working.
In our case the user comes from domain A and I am trying to create creds for a project that exists in domain B. The user is also admin in this project.
If the problem also occurs with the CLI then it is unlikely that we will fix it with a backport for Horizon. Then a backport for Keystone will be necessary.
Can you share the commands to reproduce this via CLI?
The problem does not occur on the CLI. As I mentioned, these creds are working.
O.k., I tried to reproduce this and failed again. Here are the complete steps that I did, please cross-check against your setup:
```
horizon_keystone_multidomain: true
```
added to the kolla configuration
```
$ export OS_CLOUD=admin
$ openstack domain create domA
$ openstack domain create domB
$ openstack project create --domain domA projA
$ openstack project create --domain domB projB
$ openstack user create --domain domA userA --project projA --project-domain domA --password password
$ openstack role add admin --project projB --project-domain domB --user userA --user-domain domA
$ openstack role assignment list --names --user userA
+-------+------------+-------+------------+--------+--------+-----------+
| Role  | User       | Group | Project    | Domain | System | Inherited |
+-------+------------+-------+------------+--------+--------+-----------+
| admin | userA@domA |       | projB@domB |        |        | False     |
| admin | userA@domA |       | projA@domA |        |        | False     |
+-------+------------+-------+------------+--------+--------+-----------+
```
The resulting credentials contain the project ID for projB and work just fine to access that project.
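A check to go with the reproduction steps above, as an added example that is not part of the original comment or of the OSISM or Horizon code: it flags application credentials that carry no project ID and classifies the scope of a token obtained with one. The JSON samples are constructed, their layout is assumed to follow the Keystone v3 API responses, and all IDs and names are placeholders.

```python
import json

# Constructed sample: assumed shape of a Keystone v3 application credential
# listing (GET /v3/users/{user_id}/application_credentials). IDs are placeholders.
SAMPLE_CREDENTIALS = json.loads("""
{"application_credentials": [
  {"id": "cred-cli-0001", "name": "made-on-cli",
   "project_id": "projB-id-placeholder", "roles": [{"name": "admin"}]},
  {"id": "cred-hzn-0002", "name": "made-in-horizon",
   "project_id": null, "roles": [{"name": "admin"}]}
]}
""")

# Constructed samples: assumed body of a token response obtained with a credential.
SAMPLE_TOKEN_SCOPED = {"token": {"methods": ["application_credential"],
                                 "project": {"id": "projB-id-placeholder",
                                             "name": "projB",
                                             "domain": {"name": "domB"}}}}
SAMPLE_TOKEN_UNSCOPED = {"token": {"methods": ["application_credential"]}}


def credentials_without_project(listing):
    """Return names of application credentials whose project_id is missing or null."""
    return [c["name"] for c in listing.get("application_credentials", [])
            if not c.get("project_id")]


def token_scope(body, expected_project_id=None):
    """Classify a token body as project/domain/system scoped or unscoped.

    With expected_project_id set, a project scope on any other project is
    reported as 'wrong-project' so cross-domain mix-ups become visible.
    """
    token = body.get("token", {})
    if "project" in token:
        pid = token["project"].get("id")
        if expected_project_id and pid != expected_project_id:
            return "wrong-project"
        return "project"
    for scope in ("domain", "system"):
        if scope in token:
            return scope
    return "unscoped"


if __name__ == "__main__":
    print("no project:", credentials_without_project(SAMPLE_CREDENTIALS))
    print("scoped:", token_scope(SAMPLE_TOKEN_SCOPED, "projB-id-placeholder"))
    print("unscoped:", token_scope(SAMPLE_TOKEN_UNSCOPED))
```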
I ran some tests on my own. It seems that horizon cannot set the domain context automatically. When I set the domain context manually, then I am able to create Application Credentials with a project id set.
From my side it should be sufficient to set the domain context manually in case the project id is missing. So the issue can be closed.
@SebastianBiedler Would you like to open an issue for documentation upstream at Horizon? Maybe it is relevant for someone and they fix it. However, I would rather not assume that.
Hello,
we encounter a problem with application credentials which were created via Horizon. The issue is described in this report:
https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1827120
Can we get this introduced patch in a new horizon container version? For our customer it is very likely that they are going to use application credentials for their apps.