"Create User" and "Delete User" buttons are missing for a domain admin user

Attached the screenshot showing that it is possible to invoke that modal window directly.

Attached a screenshot showing that "add" and "delete" buttons are present in the special admin project scope.

I've taken a good look at this issue today. I'm not convinced its an issue with Horizon itself, rather with the policy.json file that's being configured by the deployment itself.

In order to display the Create User button, the user needs to be able to qualify for the following policies:

- create_grant
- create_user
- list_roles
- list_projects

From the policy file provided in the deployment the list_roles, list_projects, and create_user policies easily passed because they simply require that the user is a domain scoped admin or cloud admin.

This leaves the create_grant rule as being problematic. The create_grant rule is fairly complex in that it requires that the user in this case be one of:
- cloud admin
- an admin in the domain that the user is being created in AND that the target's role is in the same domain
- an admin in the project that the user is being created in AND that the target's role is in the same project

The problem with this particular rule is that the target of the policy as it is evaluated as an empty dictionary (due to the target for the table not being defined). The current user information is eventually filled in as part of the evaluation (tenant_id, user_id, domain_id).

Now, it may be that the create_grant policy is intentionally required in order to display the Create User button (I need to check the history on it). However, the policy.json file that's written for the charm is essentially the same policy.json file used for keystone, which in turn requires that the target.role.domain_id is the same. That may not make sense due to the context targets that are referenced when evaluating the policies (as keystone and horizon are not guaranteed to provide the same context in all places).

I see viable work around options as follows:
- Update the keystonev3_policy.json file in the deployment to have a more appropriate set of rules
- Use the cli to manage users

Note: the following policy works well for the grant oriented policies. Not only is it easier to read and understand imo, but it removes the role bits that are included. This comes from the provided grants in the in the horizon openstack_auth django plugin test policies - https://github.com/openstack/horizon/blob/stable/queens/openstack_auth/tests/conf/policy.v3cloudsample.json#L85:

"domain_admin_for_grants": "rule:admin_required and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s)",
"project_admin_for_grants": "rule:admin_required and project_id:%(project_id)s",
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",

Fix proposed to branch: master
Review: https://review.openstack.org/574138

Reviewed: https://review.openstack.org/574138
Committed: https://git.openstack.org/cgit/openstack/charm-openstack-dashboard/commit/?id=e10f120a1d5725ce50dbae667a1d66b1100839b7
Submitter: Zuul
Branch: master

commit e10f120a1d5725ce50dbae667a1d66b1100839b7
Author: Billy Olsen <email address hidden>
Date: Sun Jun 10 23:00:02 2018 -0700

    Update keystonev3_policy.json to enable UI buttons

    The horizon interface enables/displays actions based on the
    keystonev3_policy.json file provided. The keystonev3_policy.json file
    included by the charm has rules for various actions that depend on the
    target object's domain id (user, group, project). The buttons displayed
    for creating and deleting the objects (shown above the tables) are also
    based on these policy rules but no target object exists because they are
    bound to the table and not a specific target object.

    This patch changes some of the policy rules to create/delete users,
    projects, and groups to not require the target object's domain_id. This
    is safe to do because the table is shown within the context of the
    target domain_id already. Additionally, the actual ability to alter
    objects is controlled by the actual policy installed in Keystone and not
    the Horizon UI.

    Without this change, actions such as "Create User" will only show for
    a user who is a cloud admin and not for any domain admins (even if the
    domain admin is allowed to perform the action via the API or CLI).

    Change-Id: Ie0a85e11e6a171083deb19b0eb26c7e552390c00
    Closes-Bug: #1775224
    Closes-Bug: #1775229

Fix proposed to branch: stable/18.05
Review: https://review.openstack.org/575272

Change abandoned by Felipe Reyes (<email address hidden>) on branch: stable/18.05
Review: https://review.openstack.org/575272