cloud_admin in non-default domain cannot see other domains

Bug #1648339 reported by Marcus Furlong
This bug affects 3 people
Affects: OpenStack Dashboard (Horizon)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

When the cloud admin is in a domain that is not domain "Default", then the cloud admin user loses the ability to see other domains in the Domains tab. The tab appears, yet only one domain is shown, the user's domain.

When a domain is created in horizon, it gets created successfully, but does not show up in the list of domains, still only one domain is shown.

This only happens with horizon. On the command line, all created domains appear when doing "openstack domain list", including those created in horizon.

As a result, the cloud admin cannot set the domain context on other domains in horizon and all admin tasks for the non-admin domains must be completed via the command line.

When the cloud admin is in the "Default" domain, everything works correctly.

Tags: domains
Marcus Furlong (furlongm) wrote :

This occurs on Newton using the stable/newton policy.v3cloudsample.json file here:

https://github.com/openstack/keystone/blob/stable/newton/etc/policy.v3cloudsample.json

The only change (apart from the admin_domain_id) is to remove "token.is_admin_project:True" as per bug #1547684.

Pas (pasthelod) wrote :

This seems to be fixed on horizon master (f716d559ad12cf94a8e7649514ecd5123f8b2762) with this policy https://clbin.com/rhMlD (obviously the cloud admin domain needs adjustment).

Rob Cresswell (robcresswell-deactivatedaccount) wrote :

Fixed on master. Propose a backport if needed, please.

Changed in horizon:
status: New → Invalid
Andrea Ieri (aieri) wrote :

I believe this is still happening in Queens.

Policy excerpt:

    "admin_required": "role:Admin",
    "cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:47bc2e4f09714715a1e92a5e8c259712 or project_id:b3bbe9c2da0147be96e692243a05e384)",
    "identity:list_domains": "rule:cloud_admin",

The domain tab content is restored only after the following:

    (openstack) role add --user admin --project admin --project-domain default Admin
    (openstack) role assignment list --user admin --names
    +--------+--------------------+-------+--------------------+--------------+-----------+
    | Role   | User               | Group | Project            | Domain       | Inherited |
    +--------+--------------------+-------+--------------------+--------------+-----------+
    | Admin  | admin@admin_domain |       | admin@default      |              | False     |
    | Admin  | admin@admin_domain |       | admin@admin_domain |              | False     |
    | Member | admin@admin_domain |       | admin@admin_domain |              | False     |
    | Admin  | admin@admin_domain |       |                    | admin_domain | False     |
    +--------+--------------------+-------+--------------------+--------------+-----------+

Domain "admin_domain" has id 47bc2e4f09714715a1e92a5e8c259712.
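
The policy excerpt in the last comment makes "identity:list_domains" depend on the scope of the token as well as on the role. As an added illustration (not part of the bug report, and a simplified model rather than oslo.policy itself), the evaluator below runs the excerpt's rules against constructed credentials; the all-zero project id is a placeholder, and which scope a given client actually sends is not modelled.

```python
import re

# Rules copied from the policy excerpt above.
POLICY = {
    "admin_required": "role:Admin",
    "cloud_admin": "rule:admin_required and (is_admin_project:True or "
                   "domain_id:47bc2e4f09714715a1e92a5e8c259712 or "
                   "project_id:b3bbe9c2da0147be96e692243a05e384)",
    "identity:list_domains": "rule:cloud_admin",
}

def check(rule, creds, policy=POLICY):
    """Evaluate a named rule against token credentials (simplified model)."""
    tokens = re.findall(r"[()]|[^\s()]+", policy[rule])
    pos = 0
    def atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "(":
            val = or_expr()
            pos += 1  # consume the closing ")"
            return val
        kind, _, match = tok.partition(":")
        if kind == "rule":  # reference to another named rule
            return check(match, creds, policy)
        if kind == "role":  # role names compared case-insensitively
            return match.lower() in [r.lower() for r in creds.get("roles", [])]
        return str(creds.get(kind)) == match  # attribute of the token scope
    def and_expr():
        nonlocal pos
        val = atom()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            val = atom() and val  # operand is always parsed before combining
        return val
    def or_expr():
        nonlocal pos
        val = and_expr()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            val = and_expr() or val
        return val
    return bool(or_expr())

# Constructed credentials, one per token scope (the all-zero id is a placeholder).
DOMAIN_SCOPED = {"roles": ["Admin"], "domain_id": "47bc2e4f09714715a1e92a5e8c259712"}
OTHER_PROJECT = {"roles": ["Admin", "Member"], "project_id": "0" * 32}
for name, creds in (("domain-scoped", DOMAIN_SCOPED), ("other project", OTHER_PROJECT)):
    print(name, check("identity:list_domains", creds))
```

Under this model the same Admin role passes or fails the rule depending only on which domain or project the token is scoped to.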
