Commit Graph

95 Commits

Author SHA1 Message Date
Timur Sufiev
f09a9ce4c7 Use the new fix_auth_url_version_prefix() call
It is a variation of existing fix_auth_url_version() call which
returns as a second value a boolean flag indicating whether the
auth_url was fixed to point to /v3 endpoint. So we could display a
more clear message to deployers from Horizon, based on the value of
this flag. The legacy fix_auth_url_version() call is to be phased out
as soon as Horizon ceases to depend on it. Also provide a release note
about removing the old function.

Change-Id: I6c6a35b1c460e22dadf39634fce1bdfa257b8c63
Depends-On: I3a04d838a707465c8c6e81e0e6e2fcf918b7b059
2016-12-16 14:48:32 +03:00
Jenkins
86bec0003e Merge "Wrap api calls with tracing decorators" 2016-12-02 11:59:40 +00:00
Jenkins
e83069a2c3 Merge "Make default domain usage consistent" 2016-12-02 01:17:18 +00:00
Paul Karikh
97945b5f6a Wrap api calls with tracing decorators
Since Horizon is going to be the first (or, one of the first)
OpenStack component using the new MongoDB driver, it won't be able to
retrieve traces made by other components using MongoDB driver (which
it should use because Ceilometer driver was too slow) for a
while. This means that Horizon itself is responsible for tracing the
rendering of its pages down to the layer where the flow of control
leaves Horizon domain. So, a lot of api wrappers in
openstack_dashboard.api are augmented with tracing decorator to
achieve this goal.

Co-Authored-By: Timur Sufiev <tsufiev@mirantis.com>
Implements-blueprint: openstack-profiler-at-developer-dashboard
Change-Id: Ib36692f0e9e68ed7fa0cd47919ba6581c9c8ab57
2016-12-01 19:31:10 +00:00
Colleen Murphy
2c104cc770 Make default domain usage consistent
The description for the OPENSTACK_KEYSTONE_DEFAULT_DOMAIN django
variable claims it refers to the ID of the domain. However, the
authenticate method of django_openstack_auth explicitly uses the name
when it requests a token[1], and when multidomain support is enabled
the user is asked for the domain name, not ID. If the operator tries to
set this variable to the ID of any domain besides keystone's own
Default domain, login will fail with "Could not find domain: <domain
ID>" in the keystone logs.  This patch forces horizon to use the
variable as a name instead of an ID and updates the comment, so that
everything using this variable is consistent with each other.

This wasn't caught before because the unit tests were only testing
against the default domain, so this patch also adds a second, enabled,
non-default mock domain to test with.

[1] http://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/backend.py?h=2.4.1#n148

Change-Id: I4d16f831c9fc446859c9fb964b7609d5a76338fe
2016-11-28 12:41:06 +01:00
Kam Nasim
55baf9254d "Unable to retrieve Domain" incessant warning logs
"openstack_dashboard.api.keystone: Unable to retrieve Domain: default"
incessant warning logging when switching Projects while being on the
Identity>Project panel.

Retrieving domain information is a Keystone admin URL operation. As a
pre-check, such operations would be Forbidden if the logon user does not
have an 'admin' role on the current project.

Since this is a common occurrence, and can cause incessant warning
logging in the horizon logs, we recognize this condition and return the
user's domain information instead.

Signed-off-by: Kam Nasim <kam.nasim@windriver.com>

Closes-Bug: #1638662
Change-Id: Iadd5184a16a73da1da5a7230c89e996248f1eba7
2016-11-02 19:38:16 +00:00
Eddie Ramirez
bc1fb4910b Server-side filtering for Identity
Implements server-side filtering in Identity->Projects

Projects (Only V3 supports server filtering)
Users (Only V3 supports server filtering)
Groups
Roles

This filtering method allows a user to filter by
several fields:
- Name
- UUID
- Enabled

Cannot implement filter by email https://review.openstack.org/#/c/110970/

Implements blueprint: server-side-filtering
Co-Authored-By: Daniel Castellanos <luis.daniel.castellanos@intel.com>

Change-Id: I37d6afdef84593e2779d21bec0c2f55e2794ab78
2016-09-13 10:06:27 -05:00
Kenji Ishii
ab11eef92a Supports extra properties in project and user
This change is to support extra properties in project and user.
To show an extra property in project/user table, you can customize.
The explanation of the method to add an extra property is added
by this patch.
In addition, when you do a create or update user, you can specify a
value of extra property by setting in local_settings.py

Change-Id: Ifee491f2a55d9207fe5da70136f749e1fc4bab82
Implements: blueprint support-extra-prop-for-project-and-user
2016-08-21 22:13:35 +09:00
Brad Pokorny
dd3cf51957 Remove extraneous TODOs from Identity code
There were a few TODOs left in the domain scoped tokens code that
should have been removed. They were reminders to check on things
that had already been validated by the time the code merged.

Relates to https://review.openstack.org/#/c/148082/

Change-Id: I2b914a8eeebd801fb88d43f6c75120cc365455a0
2016-07-27 02:29:56 -07:00
yuyafei
24856811d7 Correct reraising of exception
When an exception was caught and rethrown, it should call 'raise'
without any arguments because it shows the place where an exception
occurred initially instead of the place where the exception was re-raised.

Change-Id: I12c90ac8976f5d82291a685e6a94db07e509b35b
2016-07-07 10:38:21 +00:00
Ryan Peters
6e555e8aaf Pure project admin can't view Projects page
With Domains enabled, if you create a Project, with a user
who is an admin on that project (but not a domain admin),
the Identity > Projects panel will return a 500 error.

Change-Id: I6e3bf7ab8deb86a7f051e3600a6e99ce36a4fe9f
Closes-bug: #1587951
2016-06-01 17:00:28 -05:00
Timur Sufiev
caa5e91059 Fix Keystone version suffix when Keystone webpath is present
In this patch the URLs that are coming from service catalog are fixed
to contain the proper version.

Update requirements.txt in the same commit, because otherwise
integration tests won't pass for OpenStack Proposal Bot commit which
should update DOA version.

Closes-Bug: #1585682
Depends-On: Iea9b8e8378e6c5fb4c60df0073968d8caf7fbc5e
Change-Id: Icebfc291ec2b06ed84934c75cfd8c9d91cb2a895
2016-05-31 07:58:31 +00:00
Jenkins
dfb3988da9 Merge "Bypass get_domain call to keystone api" 2016-05-13 13:59:44 +00:00
Nguyen Phuong An
d6491516d9 Using LOG.warning replace LOG.warn
This patch replaces LOG.warn by LOG.warning on
https://github.com/openstack/horizon/blob/master/openstack_dashboard/api/keystone.py#L222
to avoid DeprecationWarning.

Change-Id: I8cd9ea6778b356c3b1f4e0c6e95feb096792c58d
Closes-Bug: #1562731
2016-03-28 16:28:51 +07:00
daniel-a-nguyen
b1f7fc442f Bypass get_domain call to keystone api
Warning messages in horizon and keystone logs regarding the 'Federated' domain
indicate that a call to get_domain is failing.

This fix will allow horizon to not attempt calls to retrieve domains
that do not exist.  The 'Federated' domain is a virtual domain that has
no record in the keystone database.

Change-Id: Ic3225815d12472d37c4105b656c5bc75b529c359
Closes-Bug: #1557791
2016-03-17 10:56:20 -07:00
Jenkins
711f88dd47 Merge "Retrieve domain scoped token" 2016-03-11 22:20:09 +00:00
daniel-a-nguyen
2b846515f3 Retrieve domain scoped token
This patch supports using domain scoped tokens against keystone v3.

Use Cases:

Cloud Admin - view and manage identity resources across domains
Domain Admin - view and manage identity resources in the domain logged in
User - view identity project in the domain logged in

Regression:

Supports keystone v2 through local_settings.py configuration
Supports keystone v3 with multidomain = False
Supports keystone v3 with multidomain = True

Relates to https://review.openstack.org/#/c/141153/

Background on how to test is here
https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow

Co-Authored-By: Brad Pokorny <Brad_Pokorny@symantec.com>
Co-Authored-By: Brian Tully <brian.tully@hp.com>
Co-Authored-By: Michael Hagedorn <mike.hagedorn@hp.com>
Co-Authored-By: woomatt <matt.wood@hp.com>

Partially Implements: blueprint domain-scoped-tokens

Closes-Bug: #1413851
Change-Id: Iaa19bfef9b0c70304ff81d083c62b218b2d02479
2016-03-08 15:17:38 -08:00
kenji-ishii
a9e9d715bb Add function to recreate ec2 credential
At the moment, we can view the credentials of ec2 in Horizon.
But we can not delete or update it.
When information of access key and secret key were leaked out,
it would be nice if we can regenerate a credentials via not only
CLI but also Horizon.

Thus we need to provide a function user can change ec2
credentials when user want to do it.

Change-Id: Ibaebad73eb9a869564bd7d52e2f6b69a503a60c3
Closes-Bug: #1519764
2016-03-06 15:31:23 +00:00
lin-hua-cheng
2ce5de16ee Add support for identity provider protocol CRUD
Add the protocol tab under the Identity Provider detail
panel, this allows the user to manage the protocol on
the context of the Identity Provider.

Change-Id: I0e232b174382b1bc325e04cc343ae4d50e0cfed1
Implements: blueprint keystone-federation-protocol-mapping
2016-02-16 16:04:48 -08:00
kenji-ishii
6beefb3726 Modify update user info from pencil icon in keystone v2
When we update the user info from pencil icon in User List,
data doesn't have 'project' attribute.
Therefore, data.pop('project') failed and an exception occurred.

The v2 API updates user model and default project separately.
And in User List, the operator doesn't need to consider if a user
has a default tenant.
So we should check if data has a 'project' attribute and
if data has no 'project' attribute, it will update only user info.

Change-Id: I979bedeb8ddb15d3f7f171660ec9df4875edb53a
Closes-Bug: #1523343
2016-02-08 00:30:14 +00:00
lin-hua-cheng
fbf10e9dad Add basic CRUD for federation mapping
Change-Id: Ie3991efda6d2437821f67e3c87e111886578e830
Partially-Implements: blueprint keystone-federation-mapping
2016-02-04 00:10:46 +00:00
lin-hua-cheng
6ecc3d2973 Add support for identity provider management
Display the identity provider panel when the setting
OPENSTACK_KEYSTONE_FEDERATION_MANAGEMENT is set to True.

Change-Id: Iadf92eb7542013f9c212eccfa372c6335a319841
Implements: blueprint keystone-federation-idp
2016-01-21 18:40:13 -08:00
Jenkins
749e436c63 Merge "Update default_project param on create user" 2015-09-14 10:54:48 +00:00
Victor Stinner
4057ff2569 py3: Replace unicode with six.text_type
Initial patch generated by:

    sixer.py unicode horizon openstack_dashboard/ tools/

Partial-Implements: blueprint porting-python3
Change-Id: I8bdec74fbe32a6ff0e65f2f0810a0c698a3b9637
2015-08-27 01:26:02 +02:00
Victor Stinner
c25d76646d py3: use @six.python_2_unicode_compatible
Put the @six.python_2_unicode_compatible decorator on classes defining a
__unicode__() method to support Python 3, and rename __unicode__() to
__str__().

Partial-Implements: blueprint porting-python3
Change-Id: I0be33e1a777c98e02140ef9eafaf0c1068a7f408
2015-08-20 15:50:46 -07:00
Yi Ming Zhao
3199602d23 Fix incorrect error message displayed while creating duplicate project
Currently, 1) if try to create an existing user from the dashboard.
it will throw error "user name <name> is already used."
===> This means the issue for users is fixed.
2) if try to create an existing project from the dashboard.
it will throw error "Unable to create project <name>"
===> I fixed this message to "project <name> is already used."
which is the same as user, when try to create an existing project from the dashboard

Change-Id: I2dc7b8e6b43f2ef8bbeed37df9710f63a63f3a0e
Closes-Bug: #1155008
2015-08-07 02:24:32 -04:00
David Lyle
49f9d15488 Update default_project param on create user
In keystone v3, the parameter to create user for the default project
has changed from project to default_project and is no longer honored and
throws an exception. Also passing in '' rather than None causes keystone
issues, so moving to None.

Closes-Bug: #1478143
Change-Id: I73423433a42bf46769065a269a3c35f27175f185
2015-07-27 10:34:26 -06:00
Cindy Lu
a515a0de2f Add keystone version to REST API
Change-Id: Ice72447a222552772da307e324e15f7dbdb30ee0
Partially-Implements: blueprint filtered-client-side-table
2015-07-14 13:30:46 -07:00
Canh Truong
cbd63f27e4 Add description field in the user table
In the user table, description column is missing when using keystone V3
This patch adds the 'Description' column in User table. This also
adds the 'Description' field to the user_create and user_update forms.

Change-Id: I90bb7a644f8f29ae0055c6c2ffc688a9b709f300
Closes-Bug: #1463247
2015-06-24 11:22:22 +07:00
lin-hua-cheng
ca5736a2dc Fetch user's projects from request.user
Instead of hitting the backend api, the user's projects
can be fetched from request.user.

Change-Id: I9cbdeded40d4cc4f54ff0c52f5fd8ea7280ef7cf
Closes-Bug: #1439338
2015-04-01 18:57:37 +00:00
Cindy Lu
4198cbf87d Double check admin password when update user password
Add a new setting to enable a new textbox field on the Change
Password form that will double check the logged-in Admin
user's password.

For example if the logged-in admin leaves an unattended computer,
someone can change the password of the logged in user successfully.

Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>

Change-Id: Icafa8ce8ab30ec43d3f6419a77118a634a163870
Closes-Bug: #1387372
2015-03-09 17:43:29 -07:00
Cindy Lu
2cca73ff5f Rest API for Users list filter
Add the filter functionality that Keystone supports.
Used by Randy's Magic Search patch:
https://review.openstack.org/#/c/151386/.

Also refactor out parse_filters_kwargs method which is used
by several rest api.

Co-Authored-By: Justin Pomeroy <jpomero@linux.vnet.ibm.com>

Change-Id: Ib65395eae345e1368fbb45f6b4ce3cbb9595d61b
Partially-Implements: blueprint filtered-client-side-table
2015-03-02 13:12:05 -08:00
Cindy Lu
9620cbac91 move Users Edit Password into separate form
Based on inline TODO comment.
Code refactor.
Fix unused test case (was not used as helper method and
was not prefixed with 'test_' so it was not used).

Change-Id: Ie696970b4b61d699cc4afa5174248df6c00c688d
Closes-Bug: #1402047
2015-02-18 17:50:20 -08:00
daniel-a-nguyen
771152849a Correct the policy check call in keystone
Change-Id: Ie72ea40b998352fbc9bb268d9e87b795288415e9
Closes-Bug: #1416583
2015-01-30 16:58:56 -08:00
Jenkins
5d117a1c79 Merge "fix redirect for admin user password relogin" 2015-01-06 16:16:46 +00:00
Yash Bathia
0dc91bed5c Creating a new user with an existing user name
Change error message when we create a new user
with an existing user name.

Change-Id: I795c04672a3c625be074c8af78eb169436ac3895
Closes-Bug: #1404432
2014-12-19 22:54:49 -08:00
Vlad Okhrimenko
95db4eb709 Renaming a user name with an existing user name
Change error message when we try to rename a user
name with an existing user name.

Change-Id: I2dbf9fee3c682a70c77544a8dd6b925311a3f019
Closes-Bug: #1389132
2014-11-24 11:53:04 +02:00
Justin Pomeroy
45ae78ce85 Honor keystone policy file when creating client
When creating the keystone client for an admin the user is checked
for the specific role of "admin" to determine if they are authorized
to use the admin URL. This patch changes this logic so that the
policy file is honored instead of a specific role.

Closes-Bug: #1336418
Change-Id: I600334dff17a5564f97cbcce67ff6d3619142961
2014-11-06 07:37:14 -06:00
Akihiro Motoki
47f1d49690 Do not log keystone token
Previously token values are logged as DEBUG level when a new client
object is instantiated. In other project and clients, token values
are now not logged and are output as *REDACTED* instead.
In Horizon these log lines do not have much meaning and
we can simply remove them.

Change-Id: I67617ac6424907574d79ec2a57b513a548e220d2
Closes-Bug: #1380642
2014-10-17 16:10:41 +09:00
Akihiro Motoki
832a741c88 Fix E128 errors in remaining openstack_dashboard/
E128 continuation line under-indented for visual indent

Closes-Bug: #1375929
Change-Id: I2a72313d359bdfe2e2667eba5d3bf9744ec8f60a
2014-10-16 16:53:52 +09:00
Rodrigo Duarte Sousa
4a155e1b2b Improve list groups roles performance
Uses GET v3/role_assignments?scope.project.id=<project_id>
to fetch groups roles in a given project, instead of doing
an individual call for every known group.

Closes-Bug: 1369137
Change-Id: Ie64dfddc0d8cbb4f22f3ee3b19c248ca6973e96c
2014-10-13 22:58:00 -03:00
Cindy Lu
59d4256bb1 fix redirect for admin user password relogin
Login as Admin, go to Identity > Users, change the Admin user's
password, you will automatically be logged out.  After logging in
again, you land on the 'Update User' panel. I expect to go to the
System Overview panel (like when I change the user's password
from Settings).

Change-Id: If80c46e3ac1b93e6da19e7d1b337a7089921c9d0
Closes-Bug: #1351511
2014-10-01 18:20:29 -07:00
lin-hua-cheng
7a7a1d1c61 Domain Role assignment to Users
Added Domain User step in the Domain Update workflow for managing
domain-role assignment to User.
Change-Id: I629449c635319e3a4292a4e2be35c5d9fc8a7cf9
Implements: blueprint user-domain-role-assignment
2014-08-22 23:56:40 -07:00
David Lyle
18e8ea810d Separating Identity Dashboard and using RBAC
Moving identity panels to their own dashboard.

RBAC is now used to determine the data to load in the identity
dashboard. Using the default policy file, a user with role member
will now be able to see their project list.

Also, adding a policy check mechanism at the panel and dashboard
level to determine which panels and dashboards the user can access.

Implements blueprint separate-identity-dash

Change-Id: I7ebfec2bf6e44899bec79d3b23c90d56a976200f
2014-08-18 16:40:56 -06:00
Jenkins
9bdc8fb45c Merge "Fix Flake8 style warnings in openstack_dashboard/" 2014-07-30 18:22:20 +00:00
Radomir Dopieralski
0eca7449cc Fix Flake8 style warnings in openstack_dashboard/
Warnings H904, H307 and H405 are new or considerably changed, and will
be fixed in a separate patch.

Closes-bug: #1349820
Partial-bug: #1347472

Change-Id: I4fd28990dacf16f03a4eaa6074ef59c37f1a2c14
2014-07-30 14:13:24 +02:00
Justin Pomeroy
03f9caa9d1 Use default_project_id as user project for keystone v3
This fixes the keystone api module so that it looks for the
default_project_id attribute on the user and uses that as the
primary project.

Closes-Bug: 1347840
Change-Id: If3ea4625ae50ae4561df3e566d1236b86226307b
2014-07-29 13:31:54 -05:00
Rodrigo Duarte Sousa
ed43be0a0f Fixes bad performance when editing project members
The bug is caused by consecutive client calls when
fetching users' roles in a project.

The fix was to use the /v3/role_assignments endpoint.
Which retrieves all roles in a single client call
(dashboards/admin/projects/workflows.py:
UpdateProjectGroupsAction and UpdateProjectUsersAction).

The compatibility to the previous keystoneclient version
is maintained.

In a scenario with 1000 users with a role in a project
(using devstack), the time to render the Modify Users
page dropped from 45s to 2.5s

Change-Id: Ic72ebea0db226faf98c5e04d00d76dedd1fb01c1
Closes-bug: #1278920
2014-07-01 12:10:20 -03:00
He Yongli
e790ac070e Remove extraneous vim configuration comments
Remove vim setting:
comment - # vim: tabstop=4 shiftwidth=4 softtabstop=4

at the top of source code files, except for files in
openstack/common.

Change-Id: I9a5c6b17c6ef7ecec601f4503dfc7b31fc72e90a
Close-bug: #1229324
2014-05-06 15:30:10 +08:00
liyingjun
48a0d07e45 Fix endpoint error when running keystone on apache
When running keystone in httpd, horizon could not generate the
right keystone endpoint url. Fixes this issue by retrieving the
whole path from the service_catalog or OPENSTACK_KEYSTONE_URL
and generating a new url.

Change-Id: Id8459947498127e47700d9f690d4ed4d5cadbba9
Closes-bug: #1295128
2014-04-25 02:38:58 +08:00