admin dashboard enforces single role which does not always make sense

Bug #1226627 reported by Eric Peterson
This bug report is a duplicate of: Bug #1161144: admin role must be called "admin".
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Confirmed | Medium | Unassigned | |

Bug Description

The admin dashboard enforces a single role / permission that looks like:

    permissions = ('openstack.roles.admin',)

https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/admin/dashboard.py#L40

The admin dashboard might be accessed by someone who is a network admin, a compute admin, etc. It seems like the individual panels' permissions should suffice and they should help decide which parts of the admin dashboard show up (if any). Requiring a central role called admin to be implemented is less flexible and has some side effects.

There are several RBAC type changes going on, and this change may depend upon them being implemented first.

Gabriel Hurley (gabriel-hurley) wrote :

This is entirely true and will be fixed as part of the ongoing work to tie the OpenStack Dashboard's RBAC system to the OpenStack policy systems. Keeping the ticket as a reminder to address this aspect of the issue as well.

Changed in horizon:
importance: Undecided → Medium
status: New → Confirmed
Thiago Paiva Brito (outbrito) wrote :

I have a proposal to solve this bug using policy rules (that add flexibility) but I'm stumped on this:

The first idea was to enforce it using the default identity rule "admin_required" but it's not the best approach. IMO, the best option will be to have a rule referencing the Horizon resource I want to protect (in this case, a rule named "view_admin_dashboard") and, in this rule, set all the requirements to access the AdminDashboard (that can be only "rule:admin_required" or something more detailed, depending on the cloud provider), but I'm in doubt about where this rule should be defined since Horizon does not have its own "policy.json".

(Just to be clear, I'm a supporter of the centralization of RBAC into a single service, but I'm looking for a solution that can solve this now and be able to continue working when the policy service is ready.)
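
An added illustration of the idea in the comment above, not part of the original bug thread and not Horizon or oslo.policy code: a self-contained model in which the admin dashboard is gated by a named rule, `view_admin_dashboard`, instead of the hardcoded `('openstack.roles.admin',)` tuple. The policy dictionaries, the `network_admin` / `compute_admin` role names, the panel list and the reduced `role:` / `rule:` grammar are all assumptions made for the example.

```python
# Simplified model (assumption: NOT Horizon or oslo.policy code).
# Rules are 'role:<name>' / 'rule:<name>' terms joined by ' or '.

# Constructed policies: the operator widens access by editing the rule, not the code.
STRICT_POLICY = {
    "admin_required": "role:admin",
    "view_admin_dashboard": "rule:admin_required",
}
DELEGATED_POLICY = {
    "admin_required": "role:admin",
    "view_admin_dashboard":
        "rule:admin_required or role:network_admin or role:compute_admin",
}

# Constructed panels: shown if the user holds ANY listed role (model assumption).
PANELS = {
    "networks": ("admin", "network_admin"),
    "hypervisors": ("admin", "compute_admin"),
}


def check(rule_name, roles, policy, _seen=()):
    """Return True if `roles` satisfies the named rule; fail closed otherwise."""
    if rule_name not in policy or rule_name in _seen:
        return False  # unknown rule or rule cycle: deny
    for term in policy[rule_name].split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value in roles:
            return True
        if kind == "rule" and check(value, roles, policy, _seen + (rule_name,)):
            return True
    return False  # no term matched, including malformed terms


def visible_panels(roles, policy):
    """Apply the dashboard-level gate first, then each panel's own requirement."""
    if not check("view_admin_dashboard", roles, policy):
        return []  # dashboard hidden, so panel permissions are never consulted
    return sorted(name for name, allowed in PANELS.items()
                  if any(role in roles for role in allowed))


if __name__ == "__main__":
    for label, policy in (("strict", STRICT_POLICY), ("delegated", DELEGATED_POLICY)):
        print(label, visible_panels({"network_admin"}, policy))
```

With the strict rule a network admin sees nothing, because the dashboard gate denies access before panel permissions are checked; with the delegated rule the same user sees only the panels their role allows.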

OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (master)

Change abandoned by Thiago Paiva Brito (<email address hidden>) on branch: master
Review: https://review.openstack.org/99446
