Cannot update Identity Roles in Rocky

Queens screenshot

Rocky screenshot

Corey, could you please confirm that it's reproducible on upstream horizon?

I cannot reproduce this either.

Note that I only this once but at that time I forgot to run collectstatic and compress, i.e., it was my mistake.

This is possibly explained by the following comments from LP:1775227:

https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775227/comments/5
https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775227/comments/6

"I agree that the current horizon does not support role create/delete operations by domain admin."

I did a little more digging and I'm still not sure what the problem is. I can create/delete users, groups, projects, domains, but not roles as there are no buttons.

For OPENSTACK_KEYSTONE_BACKEND in local_settings.py we have:

OPENSTACK_KEYSTONE_BACKEND = {
    'name': 'native',
    'can_edit_user': True,
    'can_edit_group': True,
    'can_edit_project': True,
    'can_edit_domain': True,
    'can_edit_role': True,
}

The keystone v3 policy looks fine and I'm using a cloud admin (not a domain admin, so this is not the same as bug 1775227):

     "admin_required": "role:Admin",
     "cloud_admin": "rule:admin_required and rule:domain_id:7b67d5a059154b45a5f4cb6f80310493",
     ...
     "identity:get_role": "rule:admin_required",
     "identity:list_roles": "rule:admin_required",
     "identity:create_role": "rule:cloud_admin",
     "identity:update_role": "rule:cloud_admin",
     "identity:delete_role": "rule:cloud_admin",

# openstack commands to compare vs cloud_admin policy - truncated for launchpad formatting

$ os domain list
+----------------------------------+----------------+
| ID | Name |
+----------------------------------+----------------+
| 7b67d5a059154b45a5f4cb6f80310493 | admin_domain |
+----------------------------------+----------------+

$ os user show admin
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 7b67d5a059154b45a5f4cb6f80310493 |
| email | juju@localhost |
| enabled | True |
| id | 70ffd1578204492b954792af2607bffd |
| name | admin |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+

$ os role list
+----------------------------------+---------------+
| ID | Name |
+----------------------------------+---------------+
| 8a01a3463f584c34a5c56282a90b53a7 | Admin |
+----------------------------------+---------------+

$ os role assignment list -f json
  ...
  {
    "Role": "8a01a3463f584c34a5c56282a90b53a7",
    "User": "70ffd1578204492b954792af2607bffd",
    "Group": "",
    "Project": "",
    "Domain": "7b67d5a059154b45a5f4cb6f80310493",
    "System": "",
    "Inherited": false
  },
  ...

Static assets are collected and compressed and apache2/memcached restarted.

I've been testing with the Ubuntu package so I'll have to test this with upstream and see what is different.

Has OPENSTACK_KEYSTONE_BACKEND been added to REST_API_REQUIRED_SETTINGS?

After an upgrade from queens I did not have the "create role" option either. Adding OPENSTACK_KEYSTONE_BACKEND to REST_API_REQUIRED_SETTINGS fixed that.

Both options are properly set in /etc/openstack-dashboard/local_settings.py.dpkg-dist, but I refused the new file to keep my local changes.

The Ubuntu package installs the local_settings.py from "openstack_dashboard/local/local_settings.py.example" so I think that, as Albert noted, the package is doing the right thing.

On the other hand, charm-openstack-dashboard does not correctly setup REST_API_REQUIRED_SETTINGS for the change at Rocky: https://opendev.org/openstack/charm-openstack-dashboard/src/branch/master/templates/ocata/local_settings.py#L893

Perhaps I am dense, but this problem seems to affect me as well. I am using a brand-spanking new openstack-dashboard install out of JAAS.ai, and I cannot add roles using the admin user account provisioned during "juju deploy".

I only following instructions for LDAP authentication for a new charmed Kubernetes install, and cannot make forward progress, because the documented setup requires that I create three roles that do not exist in an out-of-box deployment:
https://ubuntu.com/kubernetes/docs/ldap

If a neither users in the built-in "Admin" and "member" roles cannot create new roles, then who can? This charm seems pretty well broken as a result of this bug.

Triaged to medium; there should be a fix for the openstack-dashboard charm to setup horizon to do this, but it can be done from the CLI as a workaround.