cloud_admin in non-default domain cannot see other domains

Bug #1648339 reported by Marcus Furlong on 2016-12-08
This bug affects 3 people
Affects: OpenStack Dashboard (Horizon)
Importance: Undecided
Assigned to: Unassigned

Bug Description

When the cloud admin is in a domain that is not domain "Default", then the cloud admin user loses the ability to see other domains in the Domains tab. The tab appears, yet only one domain is shown: the user's domain.

When a domain is created in horizon, it gets created successfully, but does not show up in the list of domains; still only one domain is shown.

This only happens with horizon. On the command line, all created domains appear when doing "openstack domain list", including those created in horizon.

As a result, the cloud admin cannot set the domain context on other domains in horizon and all admin tasks for the non-admin domains must be completed via the command line.

When the cloud admin is in the "Default" domain, everything works correctly.

tags: added: domains
Marcus Furlong (furlongm) wrote:

This occurs on Newton using the stable/newton policy.v3cloudsample.json file here:

https://github.com/openstack/keystone/blob/stable/newton/etc/policy.v3cloudsample.json

The only change (apart from the admin_domain_id) is to remove "token.is_admin_project:True" as per bug #1547684.

Pas (pasthelod) wrote:

This seems to be fixed on horizon master (f716d559ad12cf94a8e7649514ecd5123f8b2762) with this policy https://clbin.com/rhMlD (obviously the cloud admin domain needs adjustment).

Rob Cresswell (robcresswell) wrote:

Fixed on master. Propose a backport if needed, please.

Changed in horizon:
status: New → Invalid
Andrea Ieri (aieri) wrote:

I believe this is still happening in Queens.

Policy excerpt:

    "admin_required": "role:Admin",
    "cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:47bc2e4f09714715a1e92a5e8c259712 or project_id:b3bbe9c2da0147be96e692243a05e384)",
    "identity:list_domains": "rule:cloud_admin",

The domain tab content is restored only after the following:

    (openstack) role add --user admin --project admin --project-domain default Admin
    (openstack) role assignment list --user admin --names
    +--------+--------------------+-------+--------------------+--------------+-----------+
    | Role   | User               | Group | Project            | Domain       | Inherited |
    +--------+--------------------+-------+--------------------+--------------+-----------+
    | Admin  | admin@admin_domain |       | admin@default      |              | False     |
    | Admin  | admin@admin_domain |       | admin@admin_domain |              | False     |
    | Member | admin@admin_domain |       | admin@admin_domain |              | False     |
    | Admin  | admin@admin_domain |       |                    | admin_domain | False     |
    +--------+--------------------+-------+--------------------+--------------+-----------+

Domain "admin_domain" has id 47bc2e4f09714715a1e92a5e8c259712.
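
To check which token scopes the posted `identity:list_domains` rule accepts, here is an added example (not part of the bug report, and not Horizon or Keystone code) that evaluates the three rules from the excerpt with a simplified stand-in for oslo.policy-style checks. The `check` and `evaluate` helpers, the credential key names and the sample credentials are assumptions constructed for illustration.

```python
import re

# Rules copied verbatim from the policy excerpt in the comment above.
POLICY = {
    "admin_required": "role:Admin",
    "cloud_admin": "rule:admin_required and (is_admin_project:True or "
                   "domain_id:47bc2e4f09714715a1e92a5e8c259712 or "
                   "project_id:b3bbe9c2da0147be96e692243a05e384)",
    "identity:list_domains": "rule:cloud_admin",
}

def check(atom, creds):
    kind, _, match = atom.partition(":")
    if kind == "rule":  # reference to another named rule
        return evaluate(POLICY[match], creds)
    if kind == "role":  # role names compare case-insensitively
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    return kind in creds and str(creds[kind]) == match  # attribute equality

def evaluate(rule, creds):  # recursive descent; 'and' binds tighter than 'or'
    tokens, pos = re.findall(r"\(|\)|[^\s()]+", rule), 0
    def atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return check(tok, creds)
        value = chain("or", both)
        pos += 1  # consume the closing ")"
        return value
    def chain(op, operand):
        nonlocal pos
        value = operand()
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            rhs = operand()  # always parse the right side so pos advances
            value = (value and rhs) if op == "and" else (value or rhs)
        return value
    def both():
        return chain("and", atom)
    return chain("or", both)

# Constructed credentials (not from the report); key names are assumptions.
ADMIN_DOMAIN = "47bc2e4f09714715a1e92a5e8c259712"
CASES = {
    "admin_domain_scoped": {"roles": ["Admin"], "domain_id": ADMIN_DOMAIN},
    "admin_other_project": {"roles": ["Admin"], "project_id": "PLACEHOLDER", "is_admin_project": False},
    "member_domain_scoped": {"roles": ["Member"], "domain_id": ADMIN_DOMAIN},
}
RESULTS = {name: evaluate(POLICY["identity:list_domains"], c) for name, c in CASES.items()}
```

With these constructed inputs only the Admin token scoped to the admin domain passes; an Admin token scoped to an unrelated project without `is_admin_project` is rejected by the same rule.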
