Horizon doesn't have equivalent of is_admin_project:True in policy.json from keystone

Bug #1800226 reported by Drew Freiberger
This bug affects 5 people
Affects: OpenStack Dashboard Charm | Status: Triaged | Importance: Medium | Assigned to: Unassigned | Milestone: none

Bug Description

I recently found that when trying to create a second openstack cloud administrator user, keystone and horizon consider "cloud_admin" rules slightly differently. If you have keystone.conf set to:

admin_project_domain_name = admin_domain
admin_project_name = admin

The two policy.json lines below allow the Admin role in the admin project of admin_domain to have full cloud_admin privileges throughout keystone.

    "cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:{{admin_domain_project_id}} or project_id:{{service_project_id}})",
    "admin_required": "role:Admin",

The issue is that when you login to horizon as a new user who is Admin role in admin_domain/admin project, you don't get presented with the Identity->Domains part of the dashboard, and if you try to reach URL/identity/domains/ you get a permission error. To resolve this, one must add the Admin role to the admin_domain project rather than the admin_domain/admin project for that user to be able to work as cloud_admin in horizon.

I believe the real issue is that the "is_admin_project:True" rule is only built into keystone, and none of the relations to keystone get handed the project ID for the admin_domain/admin project.

In openstack-dashboard, the equivalent config is:

    "admin_required": "role:Admin",
    "cloud_admin": "rule:admin_required and domain_id:{{admin_domain_project_id}}",

I'd suggest that this should be extended to be the following:

    "rule:admin_required and (domain_id:{{admin_domain_project_id}} or project_id:{{admin_domain_admin_project_id}})",

Sadly, in horizon, the natural admin user cannot grant Role Assignments to domains, only projects, so this becomes something that can only be worked around on the CLI with:

      # the csv formatter quotes non-numeric fields, so strip the quotes or the
      # role ID is passed as "<id>" and the lookup fails
      ROLE=$(openstack role list -f csv | grep ',"Admin"' | cut -d, -f1 | tr -d '"')
      openstack role add \
        --user mynewcloudadmin \
        --domain admin_domain \
        --user-domain admin_domain \
        --role-domain admin_domain \
        ${ROLE}
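To make the difference between the three cloud_admin rules concrete, here is a small evaluator for the subset of oslo.policy syntax used above (rule:, role:, is_admin_project:True, domain_id:/project_id: literals, and/or, parentheses). It is an added example, not code from this report, the charms or keystone. The IDs it substitutes for the {{...}} placeholders are constructed, and it assumes {{admin_domain_project_id}} renders to the ID of admin_domain itself. The credential dicts are modelled on what keystone derives from a token: a project-scoped token carries project_id and is_admin_project (True only for the project keystone.conf names as admin_project), a domain-scoped token carries domain_id; horizon is assumed to evaluate the same keys, which is consistent with what is observed above. It prints, per login scope, whether each rule set grants cloud_admin.

```python
import re

# Constructed IDs standing in for the values the charm renders into policy.json
# (assumption: {{admin_domain_project_id}} is the ID of admin_domain itself).
RENDERED_IDS = {
    "admin_domain_project_id": "admdom0001",
    "service_project_id": "svcproj0001",
    "admin_domain_admin_project_id": "admproj0001",  # admin_domain/admin, placeholder proposed above
}
ADMIN_REQUIRED = "role:Admin"
CLOUD_ADMIN = {  # the three cloud_admin rules quoted in the report
    "keystone": "rule:admin_required and (is_admin_project:True or "
                "domain_id:{{admin_domain_project_id}} or project_id:{{service_project_id}})",
    "horizon": "rule:admin_required and domain_id:{{admin_domain_project_id}}",
    "proposed": "rule:admin_required and (domain_id:{{admin_domain_project_id}} or "
                "project_id:{{admin_domain_admin_project_id}})",
}
_PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")
_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def render(rules):
    """Substitute {{name}} placeholders the way the charm's template rendering would."""
    return {n: _PLACEHOLDER.sub(lambda m: RENDERED_IDS[m.group(1)], e) for n, e in rules.items()}


def evaluate(expr, creds, rules):
    """Recursive descent over: disj := conj ('or' conj)*; conj := factor ('and' factor)*;
    factor := '(' disj ')' | kind:value. Both operands are always evaluated (no
    short-circuit) so the token cursor stays in step with the grammar."""
    toks, pos = _TOKEN.findall(expr), 0

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def peek():
        return toks[pos] if pos < len(toks) else None

    def atom(tok):
        kind, _, value = tok.partition(":")
        if kind == "rule":                    # reference to another named rule
            return evaluate(rules[value], creds, rules)
        if kind == "role":                    # role carried by the token
            return value in creds.get("roles", ())
        if value in ("True", "False"):        # oslo.policy literal-evals these to bools
            return creds.get(kind) is (value == "True")
        return creds.get(kind) == value       # generic check: creds[kind] == literal

    def factor():
        tok = take()
        if tok != "(":
            return atom(tok)
        val = disj()
        if take() != ")":
            raise ValueError("unbalanced parenthesis in policy rule")
        return val

    def conj():
        val = factor()
        while peek() == "and":
            take()
            val = factor() and val
        return val

    def disj():
        val = conj()
        while peek() == "or":
            take()
            val = conj() or val
        return val

    return disj()


def check(policy_name, creds, rule="cloud_admin"):
    """Evaluate a rule from one of the three rendered rule sets against token credentials."""
    rules = render({"admin_required": ADMIN_REQUIRED, "cloud_admin": CLOUD_ADMIN[policy_name]})
    return evaluate(rules[rule], creds, rules)


def creds_from_token(roles, project_id=None, domain_id=None):
    """Credentials modelled on keystone's token-derived context: project scope sets project_id
    and is_admin_project (True only for the configured admin project); domain scope sets domain_id."""
    creds = {"roles": list(roles)}
    if project_id:
        creds["project_id"] = project_id
        creds["is_admin_project"] = project_id == RENDERED_IDS["admin_domain_admin_project_id"]
    if domain_id:
        creds["domain_id"] = domain_id
    return creds


SCENARIOS = {  # constructed login scopes mirroring the report
    "Admin on admin_domain/admin, project-scoped": creds_from_token(["Admin"], project_id="admproj0001"),
    "Admin on admin_domain, domain-scoped (CLI workaround)": creds_from_token(["Admin"], domain_id="admdom0001"),
    "Admin on an unrelated project": creds_from_token(["Admin"], project_id="otherproj01"),
    "Member on admin_domain/admin": creds_from_token(["Member"], project_id="admproj0001"),
}


def matrix():
    """cloud_admin verdict per scenario under the keystone, horizon and proposed rule sets."""
    return {name: {p: check(p, creds) for p in CLOUD_ADMIN} for name, creds in SCENARIOS.items()}


if __name__ == "__main__":
    for name, row in matrix().items():
        print(f"{name:56}", "  ".join(f"{p}={'allow' if ok else 'deny'}" for p, ok in row.items()))
```

The first row is the bug: a project-scoped login as Admin on admin_domain/admin passes keystone's rule through is_admin_project:True but fails horizon's rule because a project-scoped token has no domain_id, while the proposed project_id alternative closes the gap. The second row is why the CLI workaround works: a domain-scoped token does carry domain_id.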

James Page (james-page) wrote :

I've pushed what I think is an appropriate fix to:

  cs:~james-page/openstack-dashboard-5

It's not exactly in line with your suggestions but it is aligned to equivs in keystone (excluding our service project hack for service accounts).

Changed in charm-openstack-dashboard:
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → James Page (james-page)
status: Triaged → In Progress
milestone: none → 19.04
David Ames (thedac)
Changed in charm-openstack-dashboard:
milestone: 19.04 → 19.07
David Ames (thedac)
Changed in charm-openstack-dashboard:
milestone: 19.07 → 19.10
David Ames (thedac)
Changed in charm-openstack-dashboard:
milestone: 19.10 → 20.01
James Page (james-page)
Changed in charm-openstack-dashboard:
milestone: 20.01 → 20.05
James Page (james-page)
Changed in charm-openstack-dashboard:
assignee: James Page (james-page) → nobody
status: In Progress → Triaged
David Ames (thedac)
Changed in charm-openstack-dashboard:
milestone: 20.05 → 20.08
James Page (james-page)
Changed in charm-openstack-dashboard:
milestone: 20.08 → none