Changing default project doesn't grant role on that project

Bug #1011461 reported by Edward
This bug affects 2 people
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: Low
Assigned to: Lin Hua Cheng

Bug Description

Steps to reproduce this bug:
1. Login as Admin
2. Create a new project, say "Mars"
3. Navigate to "User" view and Edit Admin user
4. Change Admin's primary project to the new project (add membership)
5. Click project panel
6. Select new project from "CURRENT PROJECTS" droplist
Now you will see the Admin panel is missing.
1. If you change the URL address to /syspanel/, you will get an error message in Login page "Error: You are not authorized to access /syspanel/"
2. If you change project to Admin or Demo, the Admin panel will be shown again.

Edward (zhang-hare) wrote :

You can't create or list container under the newly created project.

Devin Carlen (devcamcar)
Changed in horizon:
status: New → Confirmed
importance: Undecided → Low
milestone: none → folsom-3
Lin Hua Cheng (lin-hua-cheng) wrote :

Updating the User's primary project is not assigning any tenant-role for that user.

In the scenario above, the user does not have the "admin" role when the scoped token for the new project was requested from keystone.

An option for fixing the issue is adding another dropdown (called "Role for Primary Project") in the Edit User to allow the user to select the Role applied for the Primary Project.

Changed in horizon:
assignee: nobody → Lin Hua Cheng (lin-hua-cheng)
Gabriel Hurley (gabriel-hurley) wrote :

There are two problems here:

1. As Lin Hua said, the default tenant setting there doesn't define a role. That could be fixed relatively easily, though the way that interplays with Keystone's storage of that information would be slightly odd.

2. The other problem is that there is a bug in how Keystone handles roles when changing projects. If you have an admin role on one project and a member role on another project, if you switch from the admin project to the member project you lose the admin role until you switch back to the project you're an admin on. This is due to the lack of a clear differentiation between what a project admin is and what a system admin is. These issues and more are intended to be addressed by the new policy engine work being done in the v3 keystone API.

Gabriel Hurley (gabriel-hurley) wrote :

With all those comments in mind, I'm going to re-scope this ticket to only address the fact that changing the default project for a user doesn't grant any roles on that project.

summary: - Admin panel missing under new project panel
+ Changing default project doesn't grant role on that project
Lin Hua Cheng (lin-hua-cheng) wrote :

Okay. So the proposed fix is to just add a dropdown to allow the user to pick the role associated with the default tenant settings, right?

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/10105

Changed in horizon:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/10105
Committed: http://github.com/openstack/horizon/commit/3c4b00cdcd5c4bf0ba61fef818754232da5edb5f
Submitter: Jenkins
Branch: master

commit 3c4b00cdcd5c4bf0ba61fef818754232da5edb5f
Author: Lin Hua Cheng <email address hidden>
Date: Sun Jul 22 09:45:51 2012 -0700

    Warn user if no role assigned in default Project

    Fixes Bug #1011461

    When the default project settings is updated, the
    form will show a warning if there are no roles assigned
    for the default project. This will prompt the user to
    assign the role using Project >> Modify users.

    Change-Id: I3abf3d154e3c0decd918e15f04eaef84b4aaa748
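
A simplified model of the behaviour discussed in this report, as an added example that is not Horizon's or Keystone's code: roles are granted per project, a token scoped to a project carries only the roles granted on it, and changing the default project grants nothing. The class, the function names and the sample users are assumptions constructed for illustration; `users_without_role_on_default` is the condition the merged warning reports on.

```python
# Simplified model of project-scoped roles (constructed data, not Keystone's API).
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    default_project: str
    # project name -> set of role names granted on that project
    roles: dict = field(default_factory=dict)


def scoped_token_roles(user, project):
    """Roles a token scoped to `project` carries: only grants on that project."""
    return set(user.roles.get(project, ()))


def set_default_project(user, project):
    """Mirror the reported behaviour: the default changes, no role is granted."""
    user.default_project = project


def can_see_admin_panel(user, project):
    """Hypothetical gate: the admin panel requires 'admin' in the scoped token."""
    return "admin" in scoped_token_roles(user, project)


def users_without_role_on_default(users):
    """Audit check: users whose default project has no role assignment."""
    return sorted(u.name for u in users
                  if not scoped_token_roles(u, u.default_project))


def demo():
    # Constructed sample users, following the steps in the bug description.
    admin = User("admin", "admin", {"admin": {"admin"}, "demo": {"admin"}})
    alice = User("alice", "demo", {"demo": {"Member"}})
    set_default_project(admin, "Mars")  # steps 2-4 of the report
    return {
        "mars_roles": scoped_token_roles(admin, "Mars"),
        "panel_on_mars": can_see_admin_panel(admin, "Mars"),
        "panel_on_admin": can_see_admin_panel(admin, "admin"),
        "flagged": users_without_role_on_default([admin, alice]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Granting a role on the new project (the "Project >> Modify users" step named in the commit message) is what clears the flag; changing the default project alone never does.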

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in horizon:
milestone: folsom-3 → 2012.2