This has been supported in the keystone API since version 3.6
Although not used in horizon (yet) some third party plugins may
require this.
Closes-Bug: #1729449
Change-Id: I961c1681b757134037ae767ac750afa36476d630
We still can show instance info on admin/instances page even if tenant
is deleted or we can't retrieve tenant's information.
Change-Id: Idb1a5ffbb4103cce5258657d559bf4fe784b98d6
Closes-Bug: #1712565
The current default settings of openstack_dashboard OPENSTACK_ENDPOINT_TYPE
has two default values 'publicURL' and 'internalURL' and this leads to
require both endpoints in deployments.
Having two default values for one setting is confusing. The comment in
local_settings.py says OPENSTACK_ENDPOINT_TYPE defaults to publicURL
and operators does not think internalURL is used.
I believe there is no negative side because if operators want to
deploy horizon out side of their OpenStack clouds they use publicURL
and if they want to deploy horizon behind load balancer or something
they would use internalURL as OPENSTACK_ENDPOINT_TYPE.
This also help the current devstack setup which only configures
public endpoint (interface) and Horizon does not work by default
for Identity dashboard.
Closes-Bug: #1686717
Change-Id: If5c7bbc5188f6df65661c41d777a9c7846fe9008
It is a variation of existing fix_auth_url_version() call which
returns as a second value a boolean flag indicating whether the
auth_url was fixed to point to /v3 endpoint. So we could display a
more clear message to deployers from Horizon, based on the value of
this flag. The legacy fix_auth_url_version() call is to be phased out
as soon as Horizon cease to depend on it. Also provide a release note
about removing the old function.
Change-Id: I6c6a35b1c460e22dadf39634fce1bdfa257b8c63
Depends-On: I3a04d838a707465c8c6e81e0e6e2fcf918b7b059
Since Horizon is going to be the first (or, one of the first)
OpenStack component using the new MongoDB driver, it won't be able to
retrieve traces made by other components using MongoDB driver (which
it should use because Ceilometer driver was too slow) for a
while. This means that Horizon itself is responsible for tracing the
rendering of its pages down to the layer where the flow of control
leaves Horizon domain. So, a lot of api wrappers in
openstack_dashboard.api are augmented with tracing decorator to
achieve this goal.
Co-Authored-By: Timur Sufiev <tsufiev@mirantis.com>
Implements-blueprint: openstack-profiler-at-developer-dashboard
Change-Id: Ib36692f0e9e68ed7fa0cd47919ba6581c9c8ab57
The description for the OPENSTACK_KEYSTONE_DEFAULT_DOMAIN django
variable claims it refers to the ID of the domain. However, the
authenticate method of django_openstack_auth explicitly uses the name
when it requests a token[1], and when multidomain support is enabled
the user is asked for the domain name, not ID. If the operator tries to
set this variable to the ID of any domain besides keystone's own
Default domain, login will fail with "Could not find domain: <domain
ID>" in the keystone logs. This patch forces horizon to use the
variable as a name instead of an ID and updates the comment, so that
everything using this variable is consistent with each other.
This wasn't caught before because the unit tests were only testing
against the default domain, so this patch also adds a second, enabled,
non-default mock domain to test with.
[1] http://git.openstack.org/cgit/openstack/django_openstack_auth/tree/openstack_auth/backend.py?h=2.4.1#n148
Change-Id: I4d16f831c9fc446859c9fb964b7609d5a76338fe
"openstack_dashboard.api.keystone: Unable to retrieve Domain: default"
incessant warning logging when switching Projects while being on the
Identity>Project panel.
Retrieving domain information is a Keystone admin URL operation. As a
pre-check, such operations would be Forbidden if the logon user does not
have an 'admin' role on the current project.
Since this is a common occurence, and can cause incessant warning
logging in the horizon logs, we recognize this condition and return the
user's domain information instead.
Signed-off-by: Kam Nasim <kam.nasim@windriver.com>
Closes-Bug: #1638662
Change-Id: Iadd5184a16a73da1da5a7230c89e996248f1eba7
Implements server-side filtering in Identity->Projects
Projects (Only V3 supports server filtering)
Users (Only V3 supports server filtering)
Groups
Roles
This filtering method allows a user to filter by
several fields:
- Name
- UUID
- Enabled
Cannot implement filter by email ttps://review.openstack.org/#/c/110970/
Implements blueprint: server-side-filtering
Co-Authored-By: Daniel Castellanos <luis.daniel.castellanos@intel.com>
Change-Id: I37d6afdef84593e2779d21bec0c2f55e2794ab78
This change is to support extra properties in project and user.
To show an extra property in project/user table, you can customize.
The explanation of the method to add an extra property is added
by this patch.
In addition, when you do a create or update user, you can specify a
value of extra property by setting in local_settings.py
Change-Id: Ifee491f2a55d9207fe5da70136f749e1fc4bab82
Implements: blueprint support-extra-prop-for-project-and-user
There were a few TODOs left in the domain scoped tokens code that
should have been removed. They were reminders to check on things
that had already been validated by the time the code merged.
Relates to https://review.openstack.org/#/c/148082/
Change-Id: I2b914a8eeebd801fb88d43f6c75120cc365455a0
When an exception was caught and rethrown, it should call 'raise'
without any arguments because it shows the place where an exception
occured initially instead of place where the exception re-raised.
Change-Id: I12c90ac8976f5d82291a685e6a94db07e509b35b
With Domains enabled, if you create a Project, with a user
who is an admin on that project (but not a domain admin),
the Identity > Projects panel will return a 500 error.
Change-Id: I6e3bf7ab8deb86a7f051e3600a6e99ce36a4fe9f
Closes-bug: #1587951
In this patch the URLs that are coming from service catalog are fixed
to contain the proper version.
Update requirements.txt in the same commit, because otherwise
integration tests won't pass for OpenStack Proposal Bot commit which
should update DOA version.
Closes-Bug: #1585682
Depends-On: Iea9b8e8378e6c5fb4c60df0073968d8caf7fbc5e
Change-Id: Icebfc291ec2b06ed84934c75cfd8c9d91cb2a895
Warning messages in horizon and keystone logs regarding the 'Federated' domain
indicate that a call to get_domain is failing.
This fix will allow horizon to not attempt calls to retrieve domains
that do not exists. The 'Federated' domain is a virtual domain that has
no record in the keystone database.
Change-Id: Ic3225815d12472d37c4105b656c5bc75b529c359
Closes-Bug: #1557791
This patch supports using domain scoped tokens against keystone v3.
Use Cases:
Cloud Admin - view and manage identity resources across domains
Domain Admin - view and manage identity resources in the domain logged in
User - view identity project in the domain logged in
Regression:
Supports keystone v2 through local_settings.py configuration
Supports keystone v3 with multidomain = False
Supports keystone v3 with mulitdomain = True
Relates to https://review.openstack.org/#/c/141153/
Background on how to test is here
https://wiki.openstack.org/wiki/Horizon/DomainWorkFlow
Co-Authored-By: Brad Pokorny <Brad_Pokorny@symantec.com>
Co-Authored-By: Brian Tully <brian.tully@hp.com>
Co-Authored-By: Michael Hagedorn <mike.hagedorn@hp.com>
Co-Authored-By: woomatt <matt.wood@hp.com>
Partially Implements: blueprint domain-scoped-tokens
Closes-Bug: #1413851
Change-Id: Iaa19bfef9b0c70304ff81d083c62b218b2d02479
At the moment, we can view the credentials of ec2 in Horizon.
But we can not delete or update it.
When information of access key and secret key were leaked out,
it would be nice if we can regenerate a credentials via not only
CLI but also Horizon.
Thus we need to provide a function user can change ec2
credentials when user want to do it.
Change-Id: Ibaebad73eb9a869564bd7d52e2f6b69a503a60c3
Closes-Bug: #1519764
Add the protocol tab under the Identity Provider detail
panel, this allows the user to manage the protocol on
the context of the Identity Provider,
Change-Id: I0e232b174382b1bc325e04cc343ae4d50e0cfed1
Implements: blueprint keystone-federation-protocol-mapping
When we update the user info from pencil icon in User List,
data doesn't have 'project' attribute.
Therefore, date.pop('project') failed and exception occur.
The v2 API updates user model and default project separately.
And in User List, operator don't need to consider if a user
have a default tenant.
So we should check if data has a 'project' attribute and
if data has no 'project' attribute, it will update only user info.
Change-Id: I979bedeb8ddb15d3f7f171660ec9df4875edb53a
Closes-Bug: #1523343
Display the identity provider panel when the setting
OPENSTACK_KEYSTONE_FEDERATION_MANAGEMENT is set to True.
Change-Id: Iadf92eb7542013f9c212eccfa372c6335a319841
Implements: blueprint keystone-federation-idp
Put the @six.python_2_unicode_compatible decorator on classes defining a
__unicode__() method to support Python 3, and rename __unicode__() to
__str__().
Partial-Implements: blueprint porting-python3
Change-Id: I0be33e1a777c98e02140ef9eafaf0c1068a7f408
Currently, 1) if try to create an existing user from the dashboard.
it will throw error "user name <name> is already used."
===> This means the issue for users is fixed.
2) if if try to create an existing project from the dashboard.
it will throw error "Unable to create project <name>"
===> I fixed this message to "project <name> is already used."
which is the same as user, when try to create an existing project from the dashboard
Change-Id: I2dc7b8e6b43f2ef8bbeed37df9710f63a63f3a0e
Closes-Bug: #1155008
In keystone v3, the parameter to create user for the the default project
has changed from project to default_project and is no longer honored and
throws an exception. Also passing in '' rather than None causes keystone
issues, so moving to None.
Closes-Bug: #1478143
Change-Id: I73423433a42bf46769065a269a3c35f27175f185
In the user table, description column is missing when using keystone V3
This patch add the 'Description'column in User table. This also
change to add 'Description' field the user_create and user_update form.
Change-Id: I90bb7a644f8f29ae0055c6c2ffc688a9b709f300
Closes-Bug: #1463247
Instead of hitting the backend api, the user's projects
can be fetched from request.user.
Change-Id: I9cbdeded40d4cc4f54ff0c52f5fd8ea7280ef7cf
Closes-Bug: #1439338
Add a new setting to enable a new textbox field on the Change
Password form that will double check the logged-in Admin
user's password.
For example if the logged-in admin leaves an unattended computer,
someone can change the password of the logged in user successfully.
Co-Authored-By: Steve Martinelli <stevemar@ca.ibm.com>
Change-Id: Icafa8ce8ab30ec43d3f6419a77118a634a163870
Closes-Bug: #1387372
Add the filter functionality that Keystone supports.
Used by Randy's Magic Search patch:
https://review.openstack.org/#/c/151386/.
Also refactor out parse_filters_kwargs method which is used
by several rest api.
Co-Authored-By: Justin Pomeroy <jpomero@linux.vnet.ibm.com>
Change-Id: Ib65395eae345e1368fbb45f6b4ce3cbb9595d61b
Partially-Implements: blueprint filtered-client-side-table
Based on inline TODO comment.
Code refactor.
Fix unused test case (was not used as helper method and
was not prefixed with 'test_' so it was not used).
Change-Id: Ie696970b4b61d699cc4afa5174248df6c00c688d
Closes-Bug: #1402047
Change error message when we try rename user
name with an existing user name.
Change-Id: I2dbf9fee3c682a70c77544a8dd6b925311a3f019
Closes-Bug: #1389132
When creating the keystone client for an admin the user is checked
for the specific role of "admin" to determine if they are authorized
to use the admin URL. This patch changes this logic so that the
policy file is honored instead of a specific role.
Closes-Bug: #1336418
Change-Id: I600334dff17a5564f97cbcce67ff6d3619142961
Previously token values are logged as DEBUG level when a new client
object is instantiated. In other project and clients, token values
are now not logged and is output as *REDACTED* instead.
In Horizon these log lines do not have much meaning and
we can simply remove them.
Change-Id: I67617ac6424907574d79ec2a57b513a548e220d2
Closes-Bug: #1380642
Uses GET v3/role_assignments?scope.project.id=<project_id>
to fetch groups roles in a given project, instead of doing
an individual call for every known group.
Closes-Bug: 1369137
Change-Id: Ie64dfddc0d8cbb4f22f3ee3b19c248ca6973e96c
Login as Admin, go to Identity > Users, change the Admin user's
password, you will automatically be logged out. After logging in
again, you land on the 'Update User' panel. I expect to go to the
System Overview panel (like when I change the user's password
from Settings).
Change-Id: If80c46e3ac1b93e6da19e7d1b337a7089921c9d0
Closes-Bug: #1351511