"Create User" and "Delete User" buttons are missing for a domain admin user

Bug #1775224 reported by Dmitrii Shcherbakov on 2018-06-05
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack openstack-dashboard charm
Billy Olsen

Bug Description

The setup with xenial + Queens UCA and 18.02 charms is as follows:

adma and admb are users with Admin role granted on their respective domain level so they can manage users, groups and roles due to how policy rules shipped via charms are structured http://paste.ubuntu.com/p/ybpvMsmWHC/
    "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",

While it is possible to do CRUD on users from CLI, e.g. adma user can create new users in domain a, there is no visible way to do that from the dashboard for create and delete operations ("edit" dropdowns are visible, see the screenshot).

A user with an admin-project/domain scoped token has that ability and sees all necessary buttons (https://specs.openstack.org/openstack/keystone-specs/specs/mitaka/is_admin_project.html, see

The problem does not seem to be related to oslo.policy directly (policy files seem to be correct) - just to how horizon handles domain administrators.

It is possible to create users from the dashboard without using a button by directly invoking the modal window via accessing the right URL directly: http://<horizon-address>/identity/users/create/ (see the screenshot below). Filling out the form and submitting it results in a successful creation of a new domain user.

Note: for Groups only the "Create button is present" while the "Delete" button is not present.

See also:
1) the same type of bug but for roles https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775227
2) "delete groups" https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775229

Dmitrii Shcherbakov (dmitriis) wrote :

Attached the screenshot showing that it is possible to invoke that modal window directly.

Dmitrii Shcherbakov (dmitriis) wrote :

Attached a screenshot showing that "add" and "delete" buttons are present in the special admin project scope.

description: updated
description: updated
Billy Olsen (billy-olsen) wrote :

I've taken a good look at this issue today. I'm not convinced its an issue with Horizon itself, rather with the policy.json file that's being configured by the deployment itself.

In order to display the Create User button, the user needs to be able to qualify for the following policies:

- create_grant
- create_user
- list_roles
- list_projects

From the policy file provided in the deployment the list_roles, list_projects, and create_user policies easily passed because they simply require that the user is a domain scoped admin or cloud admin.

This leaves the create_grant rule as being problematic. The create_grant rule is fairly complex in that it requires that the user in this case be one of:
- cloud admin
- an admin in the domain that the user is being created in AND that the target's role is in the same domain
- an admin in the project that the user is being created in AND that the target's role is in the same project

The problem with this particular rule is that the target of the policy as it is evaluated as an empty dictionary (due to the target for the table not being defined). The current user information is eventually filled in as part of the evaluation (tenant_id, user_id, domain_id).

Now, it may be that the create_grant policy is intentionally required in order to display the Create User button (I need to check the history on it). However, the policy.json file that's written for the charm is essentially the same policy.json file used for keystone, which in turn requires that the target.role.domain_id is the same. That may not make sense due to the context targets that are referenced when evaluating the policies (as keystone and horizon are not guaranteed to provide the same context in all places).

I see viable work around options as follows:
- Update the keystonev3_policy.json file in the deployment to have a more appropriate set of rules
- Use the cli to manage users

Note: the following policy works well for the grant oriented policies. Not only is it easier to read and understand imo, but it removes the role bits that are included. This comes from the provided grants in the in the horizon openstack_auth django plugin test policies - https://github.com/openstack/horizon/blob/stable/queens/openstack_auth/tests/conf/policy.v3cloudsample.json#L85:

"domain_admin_for_grants": "rule:admin_required and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s)",
"project_admin_for_grants": "rule:admin_required and project_id:%(project_id)s",
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",

Changed in charm-openstack-dashboard:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Billy Olsen (billy-olsen)
milestone: none → 18.11
milestone: 18.11 → 18.08
Changed in horizon (Ubuntu):
status: New → Invalid

Fix proposed to branch: master
Review: https://review.openstack.org/574138

Changed in charm-openstack-dashboard:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/574138
Committed: https://git.openstack.org/cgit/openstack/charm-openstack-dashboard/commit/?id=e10f120a1d5725ce50dbae667a1d66b1100839b7
Submitter: Zuul
Branch: master

commit e10f120a1d5725ce50dbae667a1d66b1100839b7
Author: Billy Olsen <email address hidden>
Date: Sun Jun 10 23:00:02 2018 -0700

    Update keystonev3_policy.json to enable UI buttons

    The horizon interface enables/displays actions based on the
    keystonev3_policy.json file provided. The keystonev3_policy.json file
    included by the charm has rules for various actions that depend on the
    target object's domain id (user, group, project). The buttons displayed
    for creating and deleting the objects (shown above the tables) are also
    based on these policy rules but no target object exists because they are
    bound to the table and not a specific target object.

    This patch changes some of the policy rules to create/delete users,
    projects, and groups to not require the target object's domain_id. This
    is safe to do because the table is shown within the context of the
    target domain_id already. Additionally, the actual ability to alter
    objects is controlled by the actual policy installed in Keystone and not
    the Horizon UI.

    Without this change, actions such as "Create User" will only show for
    a user who is a cloud admin and not for any domain admins (even if the
    domain admin is allowed to perform the action via the API or CLI).

    Change-Id: Ie0a85e11e6a171083deb19b0eb26c7e552390c00
    Closes-Bug: #1775224
    Closes-Bug: #1775229

Changed in charm-openstack-dashboard:
status: In Progress → Fix Committed
David Ames (thedac) on 2018-09-06
Changed in charm-openstack-dashboard:
status: Fix Committed → Fix Released

Change abandoned by Felipe Reyes (<email address hidden>) on branch: stable/18.05
Review: https://review.openstack.org/575272

no longer affects: horizon (Ubuntu)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers