"Create Role" and "Delete Role" buttons are missing for a domain admin user

Bug #1775227 reported by Dmitrii Shcherbakov
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Confirmed | Medium | Unassigned | |
| horizon (Ubuntu) | Triaged | Low | Unassigned | |

Bug Description

This bug is similar to https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775224 so I am pasting the initial description without modification.

The setup with xenial + Queens UCA and 18.02 charms is as follows:
https://paste.ubuntu.com/p/BQn3JHr5yZ/

adma and admb are users with Admin role granted on their respective domain level so they can manage users, groups and roles due to how policy rules shipped via charms are structured http://paste.ubuntu.com/p/ybpvMsmWHC/
    "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",

While it is possible to do CRUD on roles from the CLI, e.g. the adma user can create new roles in domain a, there is no visible way to do that from the dashboard for create and delete operations.

A user with an admin-project/domain scoped token has that ability and sees all necessary buttons (https://specs.openstack.org/openstack/keystone-specs/specs/mitaka/is_admin_project.html, see
https://github.com/openstack/keystone/blob/stable/queens/keystone/conf/resource.py#L59-L77)

The problem does not seem to be related to oslo.policy directly (policy files seem to be correct) - just to how horizon handles domain administrators.

Trying to invoke a modal window directly via http://<horizon-address>/identity/roles/create/ does not work as it does, e.g. with users in bug 1775224.
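
Added example (not part of the bug report, and not oslo.policy or Horizon code): a minimal evaluator for the `identity:create_user` rule quoted above, showing that a domain admin passes only when the target user is in their own domain. The definitions of `admin_required`, `cloud_admin` and `admin_and_matching_user_domain_id`, and all domain ids and credentials, are assumptions constructed for illustration.

```python
# Only "identity:create_user" is quoted in the report. The helper rules, the
# domain ids and the credentials below are assumptions constructed for
# illustration; the charm's policy file is not reproduced on the page.
RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and is_admin_project:True",
    "admin_and_matching_user_domain_id":
        "rule:admin_required and domain_id:%(user.domain_id)s",
    "identity:create_user":
        "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
}

def check(atom, creds, target):
    """Evaluate one 'kind:match' check against the caller's credentials."""
    kind, match = atom.split(":", 1)
    if kind == "rule":
        return enforce(match, creds, target)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        match = match % target       # substitutes %(user.domain_id)s
    except KeyError:
        return False                 # target lacks the attribute: deny
    return kind in creds and str(creds[kind]) == match

def enforce(rule, creds, target):
    """Paren-free rules only: 'and' binds tighter than 'or'; unknown rule denies."""
    expr = RULES.get(rule)
    if expr is None:
        return False
    return any(all(check(a, creds, target) for a in clause.split(" and "))
               for clause in expr.split(" or "))

ADMA = {"roles": ["Admin"], "domain_id": "dom-a", "is_admin_project": False}
CLOUD = {"roles": ["admin"], "domain_id": "admin-dom", "is_admin_project": True}
MEMBER = {"roles": ["Member"], "domain_id": "dom-a", "is_admin_project": False}

def decision_matrix():
    """Who may create a user in which domain under the rules above."""
    users = {"adma": ADMA, "cloud_admin": CLOUD, "member": MEMBER}
    return {(name, dom): enforce("identity:create_user", creds,
                                 {"user.domain_id": dom})
            for name, creds in users.items() for dom in ("dom-a", "dom-b")}

if __name__ == "__main__":
    for key, allowed in sorted(decision_matrix().items()):
        print(key, "ALLOW" if allowed else "DENY")
```

Running the same matrix against a customized policy file is a quick way to confirm that a domain-admin rule does not grant access across domains before deploying it.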

Dmitrii Shcherbakov (dmitriis) wrote :

James Page (james-page) wrote :

Dmitrii - is this something that's specific to the way that you're deploying Horizon, or do you think this is a more general upstream bug in Horizon?

Dmitrii Shcherbakov (dmitriis) wrote :

James,

I think this looks like a more general upstream problem. Billy pointed us to https://review.openstack.org/#/c/345186/ in the support case.

Corey Bryant (corey.bryant) wrote :

Adding upstream as this seems to be pointing to a general upstream issue.

Ivan Kolodyazhny (e0ne)
Changed in horizon:
status: New → Confirmed
importance: Undecided → Medium
tags: added: keystone
James Page (james-page)
Changed in horizon (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
importance: Critical → Low

Akihiro Motoki (amotoki) wrote :

Since the Queens release, the default policy file shipped with horizon is based on individual back-end projects. keystone policy.json (and keystone default policy defined as policy-in-code) defines "rule:admin_required" as the default policy for "identity:create_role" and "identity:delete_role". Thus, it is not surprising that "Create Role" and "Delete Role" buttons are missing for a domain admin.

To use the domain admin feature, you need to customize the policy.json file for keystone.

What keystone policy is used for horizon (and keystone)?

Akihiro Motoki (amotoki) wrote :

I agree that the current horizon does not support role create/delete operations by domain admin.

Akihiro Motoki (amotoki) wrote :

My comment in #7 is based on role_create(). I didn't check whether it works with domain admin, so my comment might be wrong.
https://github.com/openstack/horizon/blob/master/openstack_dashboard/api/keystone.py#L710-L712
