103 Commits

Author SHA1 Message Date
Zuul
211c543fa4 Merge "Support include_names argument for keystone role assignement list" 2017-11-11 08:43:22 +00:00
Sam Morrison
e98eb20555 Support include_names argument for keystone role assignement list
This has been supported in the keystone API since version 3.6
Although not used in horizon (yet) some third party plugins may
require this.

Closes-Bug: #1729449

Change-Id: I961c1681b757134037ae767ac750afa36476d630
2017-11-01 21:50:59 +00:00
Ivan Kolodyazhny
65baa5fa6d Do not fail on AdminUpdateRow if tenant is not found
We still can show instance info on admin/instances page even if tenant
is deleted or we can't retrieve tenant's information.

Change-Id: Idb1a5ffbb4103cce5258657d559bf4fe784b98d6
Closes-Bug: #1712565
2017-10-04 23:04:35 +03:00
Jenkins
bfaa4e64ec Merge "Use publicURL as default of OPENSTACK_ENDPOINT_TYPE consistently" 2017-06-13 13:14:12 +00:00
Akihiro Motoki
b9d0243c33 Fix H405 (multi line docstring) warnings (openstack_dashboard)
H405: multi line docstring summary not separated with an empty line

Closes-Bug: #1696996

Change-Id: Id895695663b19522d9cdc22f8b012e49680d708b
2017-06-09 16:05:31 +00:00
andrewbogott
0c775b73b3 keystone api: Fix a typo that broke the check for MULTIDOMAIN_SUPPORT
Change-Id: I3937bfc0e4a244daea2e26cc998e86d51bd07d91
2017-06-02 05:53:28 -05:00
Akihiro Motoki
49c6cdca92 Use publicURL as default of OPENSTACK_ENDPOINT_TYPE consistently
The current default settings of openstack_dashboard OPENSTACK_ENDPOINT_TYPE
has two default values 'publicURL' and 'internalURL' and this leads to
require both endpoints in deployments.

Having two default values for one setting is confusing. The comment in
local_settings.py says OPENSTACK_ENDPOINT_TYPE defaults to publicURL
and operators does not think internalURL is used.

I believe there is no negative side because if operators want to
deploy horizon out side of their OpenStack clouds they use publicURL
and if they want to deploy horizon behind load balancer or something
they would use internalURL as OPENSTACK_ENDPOINT_TYPE.

This also help the current devstack setup which only configures
public endpoint (interface) and Horizon does not work by default
for Identity dashboard.

Closes-Bug: #1686717
Change-Id: If5c7bbc5188f6df65661c41d777a9c7846fe9008
2017-04-27 13:31:31 +00:00
Gábor Antal
34a3aa0ba8 Handle log message interpolation by the logger
According to OpenStack Guideline[1], logged string message should be
interpolated by the logger.

[1]: http://docs.openstack.org/developer/oslo.i18n/guidelines.html#adding-variables-to-log-messages
Change-Id: I51f50935f1eeffe4960562d6309dfdf05814e595
Closes-Bug: #1596829
2017-03-31 20:59:16 +09:00
Timur Sufiev
f09a9ce4c7 Use the new fix_auth_url_version_prefix() call
It is a variation of existing fix_auth_url_version() call which
returns as a second value a boolean flag indicating whether the
auth_url was fixed to point to /v3 endpoint. So we could display a
more clear message to deployers from Horizon, based on the value of
this flag. The legacy fix_auth_url_version() call is to be phased out
as soon as Horizon cease to depend on it. Also provide a release note
about removing the old function.

Change-Id: I6c6a35b1c460e22dadf39634fce1bdfa257b8c63
Depends-On: I3a04d838a707465c8c6e81e0e6e2fcf918b7b059
2016-12-16 14:48:32 +03:00
Jenkins
86bec0003e Merge "Wrap api calls with tracing decorators" 2016-12-02 11:59:40 +00:00
Jenkins
e83069a2c3 Merge "Make default domain usage consistent" 2016-12-02 01:17:18 +00:00
Paul Karikh
97945b5f6a Wrap api calls with tracing decorators
Since Horizon is going to be the first (or, one of the first)
OpenStack component using the new MongoDB driver, it won't be able to
retrieve traces made by other components using MongoDB driver (which
it should use because Ceilometer driver was too slow) for a
while. This means that Horizon itself is responsible for tracing the
rendering of its pages down to the layer where the flow of control
leaves Horizon domain. So, a lot of api wrappers in
openstack_dashboard.api are augmented with tracing decorator to
achieve this goal.

Co-Authored-By: Timur Sufiev <tsufiev@mirantis.com>
Implements-blueprint: openstack-profiler-at-developer-dashboard
Change-Id: Ib36692f0e9e68ed7fa0cd47919ba6581c9c8ab57
2016-12-01 19:31:10 +00:00
Colleen Murphy
2c104cc770 Make default domain usage consistent
The description for the OPENSTACK_KEYSTONE_DEFAULT_DOMAIN django
variable claims it refers to the ID of the domain. However, the
authenticate method of django_openstack_auth explicitly uses the name
when it requests a token[1], and when multidomain support is enabled
the user is asked for the domain name, not ID. If the operator tries to
set this variable to the ID of any domain besides keystone's own
Default domain, login will fail with "Could not find domain: <domain
ID>" in the keystone logs.  This patch forces horizon to use the
variable as a name instead of an ID and updates the comment, so that
everything using this variable is consistent with each other.

This wasn't caught before because the unit tests were only testing
against the default domain, so this patch also adds a second, enabled,
non-default mock domain to test with.

[1] http://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/backend.py?h=2.4.1#n148

Change-Id: I4d16f831c9fc446859c9fb964b7609d5a76338fe
2016-11-28 12:41:06 +01:00
Kam Nasim
55baf9254d "Unable to retrieve Domain" incessant warning logs
"openstack_dashboard.api.keystone: Unable to retrieve Domain: default"
incessant warning logging when switching Projects while being on the
Identity>Project panel.

Retrieving domain information is a Keystone admin URL operation. As a
pre-check, such operations would be Forbidden if the logon user does not
have an 'admin' role on the current project.

Since this is a common occurence, and can cause incessant warning
logging in the horizon logs, we recognize this condition and return the
user's domain information instead.

Signed-off-by: Kam Nasim <kam.nasim@windriver.com>

Closes-Bug: #1638662
Change-Id: Iadd5184a16a73da1da5a7230c89e996248f1eba7
2016-11-02 19:38:16 +00:00
Eddie Ramirez
bc1fb4910b Server-side filtering for Identity
Implements server-side filtering in Identity->Projects

Projects (Only V3 supports server filtering)
Users (Only V3 supports server filtering)
Groups
Roles

This filtering method allows a user to filter by
several fields:
- Name
- UUID
- Enabled

Cannot implement filter by email ttps://review.openstack.org/#/c/110970/

Implements blueprint: server-side-filtering
Co-Authored-By: Daniel Castellanos <luis.daniel.castellanos@intel.com>

Change-Id: I37d6afdef84593e2779d21bec0c2f55e2794ab78
2016-09-13 10:06:27 -05:00
Kenji Ishii
ab11eef92a Supports extra properties in project and user
This change is to support extra properties in project and user.
To show an extra property in project/user table, you can customize.
The explanation of the method to add an extra property is added
by this patch.
In addition, when you do a create or update user, you can specify a
value of extra property by setting in local_settings.py

Change-Id: Ifee491f2a55d9207fe5da70136f749e1fc4bab82
Implements: blueprint support-extra-prop-for-project-and-user
2016-08-21 22:13:35 +09:00
Brad Pokorny
dd3cf51957 Remove extraneous TODOs from Identity code
There were a few TODOs left in the domain scoped tokens code that
should have been removed. They were reminders to check on things
that had already been validated by the time the code merged.

Relates to https://review.openstack.org/#/c/148082/

Change-Id: I2b914a8eeebd801fb88d43f6c75120cc365455a0
2016-07-27 02:29:56 -07:00
yuyafei
24856811d7 Correct reraising of exception
When an exception was caught and rethrown, it should call 'raise'
without any arguments because it shows the place where an exception
occured initially instead of place where the exception re-raised.

Change-Id: I12c90ac8976f5d82291a685e6a94db07e509b35b
2016-07-07 10:38:21 +00:00
Ryan Peters
6e555e8aaf Pure project admin can't view Projects page
With Domains enabled, if you create a Project, with a user
who is an admin on that project (but not a domain admin),
the Identity > Projects panel will return a 500 error.

Change-Id: I6e3bf7ab8deb86a7f051e3600a6e99ce36a4fe9f
Closes-bug: #1587951
2016-06-01 17:00:28 -05:00
Timur Sufiev
caa5e91059 Fix Keystone version suffix when Keystone webpath is present
In this patch the URLs that are coming from service catalog are fixed
to contain the proper version.

Update requirements.txt in the same commit, because otherwise
integration tests won't pass for OpenStack Proposal Bot commit which
should update DOA version.

Closes-Bug: #1585682
Depends-On: Iea9b8e8378e6c5fb4c60df0073968d8caf7fbc5e
Change-Id: Icebfc291ec2b06ed84934c75cfd8c9d91cb2a895
2016-05-31 07:58:31 +00:00
Jenkins
dfb3988da9 Merge "Bypass get_domain call to keystone api" 2016-05-13 13:59:44 +00:00
Nguyen Phuong An
d6491516d9 Using LOG.warning replace LOG.warn
This patch replaces LOG.warn by LOG.warning on
https://github.com/openstack/horizon/blob/master/openstack_dashboard/api/keystone.py#L222
to avoid DeprecationWarning.

Change-Id: I8cd9ea6778b356c3b1f4e0c6e95feb096792c58d
Closes-Bug: #1562731
2016-03-28 16:28:51 +07:00
daniel-a-nguyen
b1f7fc442f Bypass get_domain call to keystone api
Warning messages in horizon and keystone logs regarding the 'Federated' domain
indicate that a call to get_domain is failing.

This fix will allow horizon to not attempt calls to retrieve domains
that do not exists.  The 'Federated' domain is a virtual domain that has
no record in the keystone database.

Change-Id: Ic3225815d12472d37c4105b656c5bc75b529c359
Closes-Bug: #1557791
2016-03-17 10:56:20 -07:00
Jenkins
711f88dd47 Merge "Retrieve domain scoped token" 2016-03-11 22:20:09 +00:00
daniel-a-nguyen
2b846515f3 Retrieve domain scoped token
This patch supports using domain scoped tokens against keystone v3.

Use Cases:

Cloud Admin - view and manage identity resources across domains
Domain Admin - view and manage identity resources in the domain logged in
User - view identity project in the domain logged in

Regression:

Supports keystone v2 through local_settings.py configuration
Supports keystone v3 with multidomain = False
Supports keystone v3 with mulitdomain = True

Relates to https://review.openstack.org/#/c/141153/

Background on how to test is here
https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow

Co-Authored-By: Brad Pokorny <Brad_Pokorny@symantec.com>
Co-Authored-By: Brian Tully <brian.tully@hp.com>
Co-Authored-By: Michael Hagedorn <mike.hagedorn@hp.com>
Co-Authored-By: woomatt <matt.wood@hp.com>

Partially Implements: blueprint domain-scoped-tokens

Closes-Bug: #1413851
Change-Id: Iaa19bfef9b0c70304ff81d083c62b218b2d02479
2016-03-08 15:17:38 -08:00
kenji-ishii
a9e9d715bb Add function to recreate ec2 credential
At the moment, we can view the credentials of ec2 in Horizon.
But we can not delete or update it.
When information of access key and secret key were leaked out,
it would be nice if we can regenerate a credentials via not only
CLI but also Horizon.

Thus we need to provide a function user can change ec2
credentials when user want to do it.

Change-Id: Ibaebad73eb9a869564bd7d52e2f6b69a503a60c3
Closes-Bug: #1519764
2016-03-06 15:31:23 +00:00
lin-hua-cheng
2ce5de16ee Add support for identity provider protocol CRUD
Add the protocol tab under the Identity Provider detail
panel, this allows the user to manage the protocol on
the context of the Identity Provider,

Change-Id: I0e232b174382b1bc325e04cc343ae4d50e0cfed1
Implements: blueprint keystone-federation-protocol-mapping
2016-02-16 16:04:48 -08:00
kenji-ishii
6beefb3726 Modify update user info from pencil icon in keystone v2
When we update the user info from pencil icon in User List,
data doesn't have 'project' attribute.
Therefore, date.pop('project') failed and exception occur.

The v2 API updates user model and default project separately.
And in User List, operator don't need to consider if a user
have a default tenant.
So we should check if data has a 'project' attribute and
if data has no 'project' attribute, it will update only user info.

Change-Id: I979bedeb8ddb15d3f7f171660ec9df4875edb53a
Closes-Bug: #1523343
2016-02-08 00:30:14 +00:00
lin-hua-cheng
fbf10e9dad Add basic CRUD for federation mapping
Change-Id: Ie3991efda6d2437821f67e3c87e111886578e830
Partially-Implements: blueprint keystone-federation-mapping
2016-02-04 00:10:46 +00:00
lin-hua-cheng
6ecc3d2973 Add support for identity provider management
Display the identity provider panel when the setting
OPENSTACK_KEYSTONE_FEDERATION_MANAGEMENT is set to True.

Change-Id: Iadf92eb7542013f9c212eccfa372c6335a319841
Implements: blueprint keystone-federation-idp
2016-01-21 18:40:13 -08:00
Jenkins
749e436c63 Merge "Update default_project param on create user" 2015-09-14 10:54:48 +00:00
Victor Stinner
4057ff2569 py3: Replace unicode with six.text_type
Initial patch generated by:

    sixer.py unicode horizon openstack_dashboard/ tools/

Partial-Implements: blueprint porting-python3
Change-Id: I8bdec74fbe32a6ff0e65f2f0810a0c698a3b9637
2015-08-27 01:26:02 +02:00
Victor Stinner
c25d76646d py3: use @six.python_2_unicode_compatible
Put the @six.python_2_unicode_compatible decorator on classes defining a
__unicode__() method to support Python 3, and rename __unicode__() to
__str__().

Partial-Implements: blueprint porting-python3
Change-Id: I0be33e1a777c98e02140ef9eafaf0c1068a7f408
2015-08-20 15:50:46 -07:00
Yi Ming Zhao
3199602d23 Fix incorrect error message displayed while creating duplicate project
Currently, 1) if try to create an existing user from the dashboard.
it will throw error "user name <name> is already used."
===> This means the issue for users is fixed.
2) if if try to create an existing project from the dashboard.
it will throw error "Unable to create project <name>"
===> I fixed this message to "project <name> is already used."
which is the same as user, when try to create an existing project from the dashboard

Change-Id: I2dc7b8e6b43f2ef8bbeed37df9710f63a63f3a0e
Closes-Bug: #1155008
2015-08-07 02:24:32 -04:00
David Lyle
49f9d15488 Update default_project param on create user
In keystone v3, the parameter to create user for the the default project
has changed from project to default_project and is no longer honored and
throws an exception. Also passing in '' rather than None causes keystone
issues, so moving to None.

Closes-Bug: #1478143
Change-Id: I73423433a42bf46769065a269a3c35f27175f185
2015-07-27 10:34:26 -06:00
Cindy Lu
a515a0de2f Add keystone version to REST API
Change-Id: Ice72447a222552772da307e324e15f7dbdb30ee0
Partially-Implements: blueprint filtered-client-side-table
2015-07-14 13:30:46 -07:00
Canh Truong
cbd63f27e4 Add description field in the user table
In the user table, description column is missing when using keystone V3
This patch add the 'Description'column in User table. This also
change to add 'Description' field the user_create and user_update form.

Change-Id: I90bb7a644f8f29ae0055c6c2ffc688a9b709f300
Closes-Bug: #1463247
2015-06-24 11:22:22 +07:00
lin-hua-cheng
ca5736a2dc Fetch user's projects from request.user
Instead of hitting the backend api, the user's projects
can be fetched from request.user.

Change-Id: I9cbdeded40d4cc4f54ff0c52f5fd8ea7280ef7cf
Closes-Bug: #1439338
2015-04-01 18:57:37 +00:00
Cindy Lu
4198cbf87d Double check admin password when update user password
Add a new setting to enable a new textbox field on the Change
Password form that will double check the logged-in Admin
user's password.

For example if the logged-in admin leaves an unattended computer,
someone can change the password of the logged in user successfully.

Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>

Change-Id: Icafa8ce8ab30ec43d3f6419a77118a634a163870
Closes-Bug: #1387372
2015-03-09 17:43:29 -07:00
Cindy Lu
2cca73ff5f Rest API for Users list filter
Add the filter functionality that Keystone supports.
Used by Randy's Magic Search patch:
https://review.openstack.org/#/c/151386/.

Also refactor out parse_filters_kwargs method which is used
by several rest api.

Co-Authored-By: Justin Pomeroy <jpomero@linux.vnet.ibm.com>

Change-Id: Ib65395eae345e1368fbb45f6b4ce3cbb9595d61b
Partially-Implements: blueprint filtered-client-side-table
2015-03-02 13:12:05 -08:00
Cindy Lu
9620cbac91 move Users Edit Password into separate form
Based on inline TODO comment.
Code refactor.
Fix unused test case (was not used as helper method and
was not prefixed with 'test_' so it was not used).

Change-Id: Ie696970b4b61d699cc4afa5174248df6c00c688d
Closes-Bug: #1402047
2015-02-18 17:50:20 -08:00
daniel-a-nguyen
771152849a Correct the policy check call in keystone
Change-Id: Ie72ea40b998352fbc9bb268d9e87b795288415e9
Closes-Bug: #1416583
2015-01-30 16:58:56 -08:00
Jenkins
5d117a1c79 Merge "fix redirect for admin user password relogin" 2015-01-06 16:16:46 +00:00
Yash Bathia
0dc91bed5c Creating a new user with an existing user name
Change error message when we create a new user
with an existing user name.

Change-Id: I795c04672a3c625be074c8af78eb169436ac3895
Closes-Bug: #1404432
2014-12-19 22:54:49 -08:00
Vlad Okhrimenko
95db4eb709 Renaming a user name with an existing user name
Change error message when we try rename user
name with an existing user name.

Change-Id: I2dbf9fee3c682a70c77544a8dd6b925311a3f019
Closes-Bug: #1389132
2014-11-24 11:53:04 +02:00
Justin Pomeroy
45ae78ce85 Honor keystone policy file when creating client
When creating the keystone client for an admin the user is checked
for the specific role of "admin" to determine if they are authorized
to use the admin URL. This patch changes this logic so that the
policy file is honored instead of a specific role.

Closes-Bug: #1336418
Change-Id: I600334dff17a5564f97cbcce67ff6d3619142961
2014-11-06 07:37:14 -06:00
Akihiro Motoki
47f1d49690 Do not log keystone token
Previously token values are logged as DEBUG level when a new client
object is instantiated. In other project and clients, token values
are now not logged and is output as *REDACTED* instead.
In Horizon these log lines do not have much meaning and
we can simply remove them.

Change-Id: I67617ac6424907574d79ec2a57b513a548e220d2
Closes-Bug: #1380642
2014-10-17 16:10:41 +09:00
Akihiro Motoki
832a741c88 Fix E128 errors in remaining openstack_dashboard/
E128 continuation line under-indented for visual indent

Closes-Bug: #1375929
Change-Id: I2a72313d359bdfe2e2667eba5d3bf9744ec8f60a
2014-10-16 16:53:52 +09:00
Rodrigo Duarte Sousa
4a155e1b2b Improve list groups roles performance
Uses GET v3/role_assignments?scope.project.id=<project_id>
to fetch groups roles in a given project, instead of doing
an individual call for every known group.

Closes-Bug: 1369137
Change-Id: Ie64dfddc0d8cbb4f22f3ee3b19c248ca6973e96c
2014-10-13 22:58:00 -03:00
Cindy Lu
59d4256bb1 fix redirect for admin user password relogin
Login as Admin, go to Identity > Users, change the Admin user's
password, you will automatically be logged out.  After logging in
again, you land on the 'Update User' panel. I expect to go to the
System Overview panel (like when I change the user's password
from Settings).

Change-Id: If80c46e3ac1b93e6da19e7d1b337a7089921c9d0
Closes-Bug: #1351511
2014-10-01 18:20:29 -07:00