inconsistent functionality on dashboard vs command line

Bug #1776766 reported by Ashley Lai
This bug affects 1 person
Affects: OpenStack Dashboard Charm
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

xenial-queens

With LDAP integration on OpenStack, I wanted an LDAP user to have cloud_admin access by following the policy in keystone:

 "cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:{{ admin_domain_id }} or project_id:{{ service_tenant_id }})",

On the command line, as the admin user in admin_domain, I was able to run the following command to add an LDAP user to the admin project:
  # openstack role add --project admin --project-domain admin_domain --user johndoe --user-domain aaa_domain Admin

However, on the dashboard this operation is not possible. It seems that after logging in to the Horizon dashboard, operations are only allowed within one domain context.

After adding the LDAP user to the admin project and getting a token, when I logged in to the dashboard as the LDAP user I was able to see the domain tab with only aaa_domain. However, when logged in as an admin user in admin_domain, the domain tab shows all the domains (including aaa_domain) and I am able to switch domains from the dashboard.

This may be due to the differences between the policy files in keystone and the dashboard; please see the links below.

https://github.com/openstack/charm-keystone/blob/master/templates/queens/policy.json#L3

https://github.com/openstack/charm-openstack-dashboard/blob/master/templates/mitaka/keystonev3_policy.json#L3
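
An added illustration, not part of the original report or of either charm: a simplified evaluator (not oslo.policy itself) for the `cloud_admin` rule quoted in the description, run against constructed token contexts. The `admin_required` definition, the placeholder IDs and the sample credentials are assumptions; only `and`, `or`, parentheses, `rule:`, `role:` and `key:value` checks are handled.

```python
import re

# cloud_admin as quoted in the report; Jinja placeholders replaced by constructed IDs.
RULES = {
    "admin_required": "role:Admin",  # assumption: definition not shown in the report
    "cloud_admin": "rule:admin_required and (is_admin_project:True or "
                   "domain_id:ADMIN_DOMAIN_ID or project_id:SERVICE_PROJECT_ID)",
}

def check(rule, creds, rules=RULES):
    """Evaluate one policy check string against a token's credential dict."""
    tokens = re.findall(r"\(|\)|[^\s()]+", rule)
    pos = 0

    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = expr()
            pos += 1  # consume the closing ")"
            return val
        kind, _, match = tok.partition(":")
        if kind == "rule":   # reference to another named rule
            return check(rules[match], creds, rules)
        if kind == "role":   # role names compared case-insensitively
            return match.lower() in [r.lower() for r in creds.get("roles", [])]
        return str(creds.get(kind)) == match  # generic key:value check

    def conj():
        nonlocal pos
        val = atom()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = atom()
            val = val and rhs
        return val

    def expr():
        nonlocal pos
        val = conj()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = conj()
            val = val or rhs
        return val

    return expr()

# Constructed token contexts (not captured from a real deployment).
ADMIN_PROJECT_TOKEN = {"roles": ["Admin"], "is_admin_project": True,
                       "project_id": "ADMIN_PROJECT_ID"}
AAA_DOMAIN_TOKEN = {"roles": ["Admin"], "is_admin_project": False,
                    "domain_id": "AAA_DOMAIN_ID"}
```

Evaluating `check(RULES["cloud_admin"], ...)` on each context shows how the same user with the same role passes or fails the rule depending only on the scope of the token presented.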
