Domain role hidden by project role

Bug #1571875 reported by Thai Tran
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Invalid | Undecided | Brad Pokorny | |
| OpenStack Identity (keystone) | Invalid | Undecided | Unassigned | |

Bug Description

Follow the steps below to see the problem.

1. From the CLI, create a user and assign admin role to the default domain but assign no projects. Log into horizon, you will see the admin dashboard available to you.

2. From the CLI, assign the user to the demo project and give the user the _member_ role. Log into horizon, you will no longer see the admin dashboard.

Horizon automatically detects the projects you are assigned to and scopes you to that project instantly. There needs to be a way to unscope the project so you can do admin-related things. I think we need an option to uncheck the project so that you can log in under the domain role.

Tags: keystone doa
Steve Martinelli (stevemar) wrote :
Rob Cresswell (robcresswell-deactivatedaccount) wrote :

Isn't the error here actually Step 1, not 2? The Admin dashboard shouldn't show up for a Domain admin, I thought, just the Identity dash. So really, step 2 is the correct behaviour, and step 1 is showing the admin dash when it shouldn't. My understanding of Keystone's model may be off though.

Brad Pokorny (bpokorny)
Changed in horizon:
assignee: nobody → Brad Pokorny (bpokorny)
Brad Pokorny (bpokorny) wrote :

Yeah, the admin dashboard shouldn't show up for Domain admin. I think that will go away once the v3 sample policy file from stable/liberty keystone is used.

Thai, can you confirm?

Some more details on using domain support here, in case this is helpful: http://www.symantec.com/connect/blogs/domain-support-horizon-here

But I think there may still be an issue with roles getting hidden in some cases. I'll see if I can reproduce in a cloud_admin scenario, where the admin dashboard should show up.

Rob Cresswell (robcresswell-deactivatedaccount) wrote :

Is this bug report still valid? Discussion seems to have stalled.

Brad Pokorny (bpokorny)
Changed in horizon:
status: New → Confirmed
Brad Pokorny (bpokorny) wrote :

I was able to reproduce this behavior with devstack on the master branch.

If the user has a role on the domain, we shouldn't allow a lesser role they have on a project to hide Dashboards in Horizon. I think the fix for this is to make the Horizon policy checks smarter about roles on Domains vs. roles on Projects.

I'll look into this.

Brad Pokorny (bpokorny) wrote :

After looking back into the code, I remembered why we made it work this way. The Admin dashboard is for users who can perform admin operations across services. Only Keystone understands domains, so for a user to have access to all things the Admin dashboard lets them do, the user needs to be a cloud admin from a Keystone perspective *and* have the admin role on the project they're scoped to. So if both of those conditions aren't met, we hide the admin dashboard.

To give people a fighting chance at figuring this out, I added a new "Cloud Admin Confusion" section to my blog post (might take a few hours to reflect the update publicly):

https://www-secure.symantec.com/connect/blogs/domain-support-horizon-here

In summary, yes, this is confusing, but we had to do it this way because.. OpenStack.

I'll invalidate this bug, but let me know if there are any questions.

Changed in keystone:
status: New → Invalid
Changed in horizon:
status: Confirmed → Invalid
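
The scoping behaviour discussed in this thread, as an added example that is not part of the original bug report and is not Horizon or Keystone code. It is a simplified model (direct user grants only, no groups or inherited roles); the user "alice", the function names, and the reading of "cloud admin" as admin on the domain are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    scope_type: str  # "domain" or "project"
    scope_id: str

def token_roles(grants, user, scope_type, scope_id):
    # A scoped token carries only the roles granted on its scope target
    # (simplification: direct user grants, no groups or inherited roles).
    return {g.role for g in grants
            if (g.user, g.scope_type, g.scope_id) == (user, scope_type, scope_id)}

def login_scope(grants, user, domain_id):
    # Behaviour described in the report: a project is picked automatically
    # when the user has one; otherwise the session stays on the domain.
    projects = sorted(g.scope_id for g in grants
                      if g.user == user and g.scope_type == "project")
    return ("project", projects[0]) if projects else ("domain", domain_id)

def visible_role_only(grants, user, domain_id):
    # Check that looks only at the roles in the current token.
    return "admin" in token_roles(grants, user, *login_scope(grants, user, domain_id))

def visible_both_conditions(grants, user, domain_id):
    # Rule from the comment above: cloud admin AND admin on the scoped project.
    # Assumption: "cloud admin" is modelled as admin on domain_id.
    scope_type, scope_id = login_scope(grants, user, domain_id)
    cloud_admin = "admin" in token_roles(grants, user, "domain", domain_id)
    return (cloud_admin and scope_type == "project"
            and "admin" in token_roles(grants, user, "project", scope_id))

# Constructed data mirroring the report's steps; "alice" is a made-up user.
STEP1 = [Grant("alice", "admin", "domain", "default")]
STEP2 = STEP1 + [Grant("alice", "_member_", "project", "demo")]
BOTH = STEP1 + [Grant("alice", "admin", "project", "demo")]

if __name__ == "__main__":
    for name, grants in (("step 1", STEP1), ("step 2", STEP2), ("both", BOTH)):
        print(name, login_scope(grants, "alice", "default"),
              visible_role_only(grants, "alice", "default"),
              visible_both_conditions(grants, "alice", "default"))
```

The role-only check reproduces what the report observed in steps 1 and 2, while the two-condition check shows the dashboard only for the `BOTH` case.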
Rob Cresswell (robcresswell-deactivatedaccount) wrote :

Thanks for the follow-up, Brad!

Changed in horizon:
milestone: newton-1 → none