Horizon doesn't have equivalent of is_admin_project:True in policy.json from keystone
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Dashboard Charm | Triaged | Medium | Unassigned | |
Bug Description
I recently found, when trying to create a second OpenStack cloud administrator user, that keystone and horizon consider "cloud_admin" rules slightly differently. If you have keystone.conf set to:
admin_project_
admin_project_name = admin
The two policy.json lines below allow for Admin role in admin project of admin_domain to have full cloud_admin privileges throughout keystone.
"cloud_admin": "rule:admin_
"admin_
The issue is that when you log in to horizon as a new user who is Admin role in admin_domain/admin project, you don't get presented with the Identity->Domains part of the dashboard, and if you try to reach URL/identity/
I believe the real issue is that the "is_admin_
In openstack-
"admin_
"cloud_admin": "rule:admin_
I'd suggest that this should be extended to be the following:
"rule:
Sadly, in horizon, the natural admin user cannot grant Role Assignments to domains, only projects, so this becomes something that can only be worked around on the CLI with:
ROLE=
openstack role add \
--user mynewcloudadmin \
--domain admin_domain \
${ROLE}
Changed in charm-openstack-dashboard: | |
milestone: | 19.04 → 19.07 |
Changed in charm-openstack-dashboard: | |
milestone: | 19.07 → 19.10 |
Changed in charm-openstack-dashboard: | |
milestone: | 19.10 → 20.01 |
Changed in charm-openstack-dashboard: | |
milestone: | 20.01 → 20.05 |
Changed in charm-openstack-dashboard: | |
assignee: | James Page (james-page) → nobody |
status: | In Progress → Triaged |
Changed in charm-openstack-dashboard: | |
milestone: | 20.05 → 20.08 |
Changed in charm-openstack-dashboard: | |
milestone: | 20.08 → none |
I've pushed what I think is an appropriate fix to:
cs:~james-page/openstack-dashboard-5
It's not exactly in line with your suggestions but it is aligned to equivs in keystone (excluding our service project hack for service accounts).