2018-06-05 17:08:57 |
Dmitrii Shcherbakov |
bug |
|
|
added bug |
2018-06-05 17:08:57 |
Dmitrii Shcherbakov |
attachment added |
|
domain-user-no-add-user-button.png https://bugs.launchpad.net/bugs/1775224/+attachment/5149035/+files/domain-user-no-add-user-button.png |
|
2018-06-05 17:11:04 |
Dmitrii Shcherbakov |
attachment added |
|
domain-admin-user-create-hack.png https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775224/+attachment/5149037/+files/domain-admin-user-create-hack.png |
|
2018-06-05 17:12:17 |
Dmitrii Shcherbakov |
attachment added |
|
admin_domain_and_project_user.png https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775224/+attachment/5149038/+files/admin_domain_and_project_user.png |
|
2018-06-05 17:17:35 |
Dmitrii Shcherbakov |
description |
The setup with xenial + Queens UCA and 18.02 charms is as follows:
https://paste.ubuntu.com/p/BQn3JHr5yZ/
adma and admb are users with Admin role granted on their respective domain level so they can manage users, groups and roles due to how policy rules shipped via charms are structured http://paste.ubuntu.com/p/ybpvMsmWHC/
"identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
While it is possible to do CRUD on users from CLI, e.g. adma user can create new users in domain a, there is no visible way to do that from the dashboard for create and delete operations ("edit" dropdowns are visible, see the screenshot).
A user with an admin-project/domain scoped token has that ability and sees all necessary buttons (https://specs.openstack.org/openstack/keystone-specs/specs/mitaka/is_admin_project.html, see
https://github.com/openstack/keystone/blob/stable/queens/keystone/conf/resource.py#L59-L77)
The problem does not seem to be related to oslo.policy directly (policy files seem to be correct) - just to how horizon handles domain administrators.
It is possible to create users from the dashboard without using a button by directly invoking the modal window via accessing the right URL directly: http://<horizon-address>/identity/users/create/ (see the screenshot below). Filling out the form and submitting it results in a successful creation of a new domain user. |
The setup with xenial + Queens UCA and 18.02 charms is as follows:
https://paste.ubuntu.com/p/BQn3JHr5yZ/
adma and admb are users with Admin role granted on their respective domain level so they can manage users, groups and roles due to how policy rules shipped via charms are structured http://paste.ubuntu.com/p/ybpvMsmWHC/
"identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
While it is possible to do CRUD on users from CLI, e.g. adma user can create new users in domain a, there is no visible way to do that from the dashboard for create and delete operations ("edit" dropdowns are visible, see the screenshot).
A user with an admin-project/domain scoped token has that ability and sees all necessary buttons (https://specs.openstack.org/openstack/keystone-specs/specs/mitaka/is_admin_project.html, see
https://github.com/openstack/keystone/blob/stable/queens/keystone/conf/resource.py#L59-L77)
The problem does not seem to be related to oslo.policy directly (policy files seem to be correct) - just to how horizon handles domain administrators.
It is possible to create users from the dashboard without using a button by directly invoking the modal window via accessing the right URL directly: http://<horizon-address>/identity/users/create/ (see the screenshot below). Filling out the form and submitting it results in a successful creation of a new domain user.
Note: for Groups only the "Create" button is present while the "Delete" button is not present. |
|
2018-06-05 17:34:31 |
Dmitrii Shcherbakov |
description |
The setup with xenial + Queens UCA and 18.02 charms is as follows:
https://paste.ubuntu.com/p/BQn3JHr5yZ/
adma and admb are users with Admin role granted on their respective domain level so they can manage users, groups and roles due to how policy rules shipped via charms are structured http://paste.ubuntu.com/p/ybpvMsmWHC/
"identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
While it is possible to do CRUD on users from CLI, e.g. adma user can create new users in domain a, there is no visible way to do that from the dashboard for create and delete operations ("edit" dropdowns are visible, see the screenshot).
A user with an admin-project/domain scoped token has that ability and sees all necessary buttons (https://specs.openstack.org/openstack/keystone-specs/specs/mitaka/is_admin_project.html, see
https://github.com/openstack/keystone/blob/stable/queens/keystone/conf/resource.py#L59-L77)
The problem does not seem to be related to oslo.policy directly (policy files seem to be correct) - just to how horizon handles domain administrators.
It is possible to create users from the dashboard without using a button by directly invoking the modal window via accessing the right URL directly: http://<horizon-address>/identity/users/create/ (see the screenshot below). Filling out the form and submitting it results in a successful creation of a new domain user.
Note: for Groups only the "Create" button is present while the "Delete" button is not present. |
The setup with xenial + Queens UCA and 18.02 charms is as follows:
https://paste.ubuntu.com/p/BQn3JHr5yZ/
adma and admb are users with Admin role granted on their respective domain level so they can manage users, groups and roles due to how policy rules shipped via charms are structured http://paste.ubuntu.com/p/ybpvMsmWHC/
"identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
While it is possible to do CRUD on users from CLI, e.g. adma user can create new users in domain a, there is no visible way to do that from the dashboard for create and delete operations ("edit" dropdowns are visible, see the screenshot).
A user with an admin-project/domain scoped token has that ability and sees all necessary buttons (https://specs.openstack.org/openstack/keystone-specs/specs/mitaka/is_admin_project.html, see
https://github.com/openstack/keystone/blob/stable/queens/keystone/conf/resource.py#L59-L77)
The problem does not seem to be related to oslo.policy directly (policy files seem to be correct) - just to how horizon handles domain administrators.
It is possible to create users from the dashboard without using a button by directly invoking the modal window via accessing the right URL directly: http://<horizon-address>/identity/users/create/ (see the screenshot below). Filling out the form and submitting it results in a successful creation of a new domain user.
Note: for Groups only the "Create" button is present while the "Delete" button is not present.
See also:
1) the same type of bug but for roles https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775227
2) "delete groups" https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775229 |
|
2018-06-06 07:30:22 |
Lorenzo Cavassa |
bug |
|
|
added subscriber Lorenzo Cavassa |
2018-06-06 15:25:03 |
Gwen Cooper |
bug |
|
|
added subscriber Gwen Cooper |
2018-06-08 19:34:55 |
Billy Olsen |
bug task added |
|
charm-openstack-dashboard |
|
2018-06-11 06:14:17 |
Billy Olsen |
charm-openstack-dashboard: status |
New |
Confirmed |
|
2018-06-11 06:14:22 |
Billy Olsen |
charm-openstack-dashboard: importance |
Undecided |
Medium |
|
2018-06-11 06:14:26 |
Billy Olsen |
charm-openstack-dashboard: assignee |
|
Billy Olsen (billy-olsen) |
|
2018-06-11 06:14:37 |
Billy Olsen |
charm-openstack-dashboard: milestone |
|
18.11 |
|
2018-06-11 06:14:52 |
Billy Olsen |
charm-openstack-dashboard: milestone |
18.11 |
18.08 |
|
2018-06-11 06:14:59 |
Billy Olsen |
horizon (Ubuntu): status |
New |
Invalid |
|
2018-06-11 06:16:17 |
OpenStack Infra |
charm-openstack-dashboard: status |
Confirmed |
In Progress |
|
2018-06-12 18:05:48 |
OpenStack Infra |
charm-openstack-dashboard: status |
In Progress |
Fix Committed |
|
2018-09-06 14:41:10 |
David Ames |
charm-openstack-dashboard: status |
Fix Committed |
Fix Released |
|
2019-04-01 04:43:19 |
Mathew Hodson |
bug task deleted |
horizon (Ubuntu) |
|
|