Users from other domains which should be matched by cloud_admin rule cannot list domains or switch domain context
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Dashboard (Horizon) | New | Undecided | Unassigned | |
Bug Description
On Yoga, the out-of-the-box 'admin' user can list all domains and switch context into other domains using Horizon.
As I understand it, the default Keystone policy file allows this by way of the cloud_admin rule defined as follows:
"admin_required": "role:Admin",
"cloud_admin": "rule:admin_
With the admin_project_name and admin_project_
If I create a new domain 'newdomain' and inside that domain a new user 'newdomainuser', and then assign the newdomainuser the 'admin' role on either or both the admin project or admin domain, then when I sign in to Horizon with 'newdomainuser' I can only see 'newdomain' in Identity -> Domains and I cannot switch context to other domains.
If I configure an rc file for 'newdomainuser' with OS_PROJECT_
How can we allow users in domains other than the out-of-the-box 'admin_domain' to get full 'cloud_admin' functionality in Horizon?