Horizon doesn't have equivalent of is_admin_project:True in policy.json from keystone

Bug #1800226 reported by Drew Freiberger on 2018-10-26
This bug affects 3 people
Affects: OpenStack openstack-dashboard charm
Status: In Progress
Importance: Medium
Assigned to: James Page
Milestone: 19.04

Bug Description

I recently found, when trying to create a second OpenStack cloud administrator user, that keystone and horizon consider "cloud_admin" rules slightly differently. If you have keystone.conf set to:

admin_project_domain_name = admin_domain
admin_project_name = admin

The two policy.json lines below allow the Admin role in the admin project of admin_domain to have full cloud_admin privileges throughout keystone.

    "cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:{{admin_domain_project_id}} or project_id:{{service_project_id}})",
    "admin_required": "role:Admin",

The issue is that when you log in to horizon as a new user who has the Admin role in the admin_domain/admin project, you don't get presented with the Identity->Domains part of the dashboard, and if you try to reach URL/identity/domains/ you get a permission error. To resolve this, one must add the Admin role on the admin_domain domain rather than on the admin_domain/admin project for that user to be able to work as cloud_admin in horizon.

I believe the real issue is that the "is_admin_project:True" rule is only built into keystone, and none of the relations to keystone get handed the project ID for the admin_domain/admin project.

In openstack-dashboard, the equivalent config is:

    "admin_required": "role:Admin",
    "cloud_admin": "rule:admin_required and domain_id:{{admin_domain_project_id}}",

I'd suggest that this should be extended to be the following:

    "rule:admin_required and (domain_id:{{admin_domain_project_id}} or project_id:{{admin_domain_admin_project_id}})",

Sadly, in horizon, the natural admin user cannot grant Role Assignments to domains, only projects, so this becomes something that can only be worked around on the CLI with:

      # Look up the ID of the Admin role (the csv/grep/cut pipeline leaves the
      # quotes around the ID; -f value -c id returns it bare)
      ROLE=$(openstack role show Admin -f value -c id)
      # Assign that role on the admin_domain *domain*, not the admin_domain/admin project
      openstack role add \
        --user mynewcloudadmin \
        --domain admin_domain \
        --user-domain admin_domain \
        --role-domain admin_domain \
        "$ROLE"
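
The following is an added illustration, not code from the report, the charm or oslo.policy: a small evaluator for the subset of the oslo.policy rule syntax used in the snippets above (`rule:`, `role:`, generic `key:value` checks such as `domain_id:...` and `is_admin_project:True`, `and`, `or`, parentheses). It runs the keystone rule, the current openstack-dashboard rule and the proposed extended rule against the same token credentials, so the difference described in the report is visible as three yes/no verdicts. The domain, project and service-project IDs are constructed placeholders standing in for the rendered `{{...}}` template values; the credential dict shape (roles, project_id, domain_id, is_admin_project) mirrors what a project- or domain-scoped token presents to the policy engine and is an assumption of this example.

```python
"""Toy oslo.policy-style rule evaluator. Added example, not keystone/horizon code."""
import re

# Constructed IDs standing in for the rendered charm template values (assumptions).
ADMIN_DOMAIN_ID = "admin_domain_id"        # {{admin_domain_project_id}}
ADMIN_PROJECT_ID = "admin_project_id"      # {{admin_domain_admin_project_id}}
SERVICE_PROJECT_ID = "service_project_id"  # {{service_project_id}}

KEYSTONE_RULES = {
    "admin_required": "role:Admin",
    "cloud_admin": f"rule:admin_required and (is_admin_project:True "
                   f"or domain_id:{ADMIN_DOMAIN_ID} or project_id:{SERVICE_PROJECT_ID})",
}
HORIZON_RULES = {
    "admin_required": "role:Admin",
    "cloud_admin": f"rule:admin_required and domain_id:{ADMIN_DOMAIN_ID}",
}
PROPOSED_RULES = {
    "admin_required": "role:Admin",
    "cloud_admin": f"rule:admin_required and (domain_id:{ADMIN_DOMAIN_ID} "
                   f"or project_id:{ADMIN_PROJECT_ID})",
}

_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def _atom(check, creds, rules):
    """Evaluate one check: rule:NAME, role:NAME, or a generic KEY:VALUE
    compared (as strings) against the credential of the same name."""
    kind, _, value = check.partition(":")
    if kind == "rule":
        return evaluate(rules[value], creds, rules)
    if kind == "role":
        return value in creds.get("roles", [])
    return str(creds.get(kind)) == value


def evaluate(expr, creds, rules):
    """Recursive-descent evaluation: 'or' binds weaker than 'and', parens group."""
    tokens = _TOKEN.findall(expr)
    pos = 0

    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            result = parse_and() or result
        return result

    def parse_and():
        nonlocal pos
        result = parse_primary()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            result = parse_primary() and result
        return result

    def parse_primary():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            inner = parse_or()
            pos += 1  # consume the matching ')'
            return inner
        return _atom(tok, creds, rules)

    return parse_or()


def token_creds(*, roles, project_id=None, domain_id=None, is_admin_project=False):
    """Credential dict as the policy engine sees a scoped token (assumed shape):
    a project-scoped token carries project_id, a domain-scoped token carries domain_id."""
    return {"roles": list(roles), "project_id": project_id,
            "domain_id": domain_id, "is_admin_project": is_admin_project}


def cloud_admin_verdicts(creds):
    """Evaluate cloud_admin under all three rule sets for the given token."""
    return {name: evaluate(rules["cloud_admin"], creds, rules)
            for name, rules in (("keystone", KEYSTONE_RULES),
                                ("horizon", HORIZON_RULES),
                                ("proposed", PROPOSED_RULES))}


if __name__ == "__main__":
    # The user from the report: Admin on the admin_domain/admin project,
    # which keystone flags as the admin project.
    print("project-scoped, admin project:",
          cloud_admin_verdicts(token_creds(roles=["Admin"], project_id=ADMIN_PROJECT_ID,
                                           is_admin_project=True)))
    # The CLI workaround: Admin assigned on the admin_domain domain itself.
    print("domain-scoped, admin_domain:  ",
          cloud_admin_verdicts(token_creds(roles=["Admin"], domain_id=ADMIN_DOMAIN_ID)))
```

The first case passes keystone's rule through `is_admin_project:True` but fails horizon's, because a project-scoped token has no `domain_id` to match; the proposed rule passes it via `project_id`. The domain-scoped assignment passes all three, which is why the role-on-domain workaround restores the Identity->Domains panel.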

James Page (james-page) wrote:

I've pushed what I think is an appropriate fix to:


It's not exactly in line with your suggestions, but it is aligned to equivalents in keystone (excluding our service project hack for service accounts).

Changed in charm-openstack-dashboard:
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → James Page (james-page)
status: Triaged → In Progress
milestone: none → 19.04