OpenStack-Ansible

Add OPENSTACK_KEYSTONE_ADMIN_ROLES to horizon_local_settings.py.j2 Template

Bug #1614213 reported by Sean Carlisle on 2016-08-17

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack-Ansible	Fix Released	Undecided	Nolan Brubaker

Bug Description

At present, the horizon_local_settings.py.j2 template file does not have the OPENSTACK_KEYSTONE_ADMIN_ROLES option present and thusly it is not configurable. This option is necessary when an environment has more than one administrative role (such as admin and cloud-admin) due to RBAC policy overrides. While the option doesn't exist in the default file provided by the source, documentation exists for this option: https://github.com/openstack/horizon/blob/eaa194e4978e60ea713a73775a58f0188cfc5b59/doc/source/topics/settings.rst#openstack_keystone_admin_roles

Tags:

Revision history for this message

Corey Wright (coreywright) wrote on 2016-08-17:

os_horizon-Add_variable_override_for_OPENSTACK_KEYSTONE_ADMIN_ROLES.patch Edit (1.4 KiB, text/plain)

Revision history for this message

Travis Truman (travis-truman) wrote on 2016-08-17:

Sean you should be able to make use a recent feature introduced in the os_horizon role with this commit: https://github.com/openstack/openstack-ansible-os_horizon/commit/39839111c0f84fe18a75019ec4a677be47c59674

Can you test using horizon_config_overrides and let us know how it works out?

Revision history for this message

Sean Carlisle (sean-carlisle) wrote on 2016-08-17:

Hey Travis,

My apologies for not specifying the version I am using. At present I am using stable/mitaka. How difficult would it be to backport this to Mitaka?

Thanks!

Sean

Revision history for this message

Corey Wright (coreywright) wrote on 2016-08-17:

@Sean

The commit Travis references is in stable/mitaka. You can see the parts of that commit in my patch's context.

@Travis

The documentation that Sean referenced delineates between "Horizon Settings" (which "All of [its variables] are contained in the HORIZON_CONFIG dictionary.") and "OpenStack Settings" (which "Most of the following settings [including OPENSTACK_KEYSTONE_ADMIN_ROLES] are defined in openstack_dashboard/local/local_settings.py").

Revision history for this message

Nolan Brubaker (nolan-brubaker) wrote on 2016-08-17:

The config_template plugin works for ini, json, and yaml file types. Horizon is using the Django convention of Python files for configuration, which config_template doesn't currently write, so it appears to me that the short term fix would be adding the variable to the template, as Corey's patch does.

Whether config_template gains the ability to write 'simple' Python files is likely another issue.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-17: Fix proposed to openstack-ansible-os_horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/356727

Changed in openstack-ansible:
assignee:	nobody → Nolan Brubaker (nolan-brubaker)
status:	New → In Progress

Revision history for this message

Corey Wright (coreywright) wrote on 2016-08-17:

@Sean,

My apologies as I realize that in not being detailed I was wrong in what I literally said.

The commit Travis references is technically in master. In stable/mitaka there's a cherry-pick: commit 3424d4cd.

My patch is technically against master, but applies to stable/mitaka (ie can be easily cherry-picked).

Again, I apologize for the literal misinformation.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-19: Fix merged to openstack-ansible-os_horizon (master)

Reviewed: https://review.openstack.org/356727
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_horizon/commit/?id=c7ebd28341d852213a0f446c6c333033bfb9f362
Submitter: Jenkins
Branch: master

commit c7ebd28341d852213a0f446c6c333033bfb9f362
Author: Nolan Brubaker <email address hidden>
Date: Wed Aug 17 17:05:11 2016 -0400

Add variable override for OPENSTACK_KEYSTONE_ADMIN_ROLES

    As Horizon treats admins differently and can't discern what roles are
    administrative in nature, we have to tell it if there are roles
    beyond/besides "admin".

    If not overriden by the user, then the default is `['admin']` as seen
    in the code:
    https://github.com/openstack/horizon/blob/stable/mitaka/openstack_dashboard/utils/identity.py#L20-L25.

Closes-Bug: #1614213

Change-Id: I5e475db52be7d6390a1ab29a08b58fc102e16037
Co-Author: Corey Wright <email address hidden>

Changed in openstack-ansible:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-22: Fix proposed to openstack-ansible-os_horizon (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/358805

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-22: Fix merged to openstack-ansible-os_horizon (stable/mitaka)

#10

Reviewed: https://review.openstack.org/358805
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_horizon/commit/?id=76c0c81b1a3701c57cb552a04da9bb1c01b0b4aa
Submitter: Jenkins
Branch: stable/mitaka

commit 76c0c81b1a3701c57cb552a04da9bb1c01b0b4aa
Author: Nolan Brubaker <email address hidden>
Date: Wed Aug 17 17:05:11 2016 -0400

Add variable override for OPENSTACK_KEYSTONE_ADMIN_ROLES

    As Horizon treats admins differently and can't discern what roles are
    administrative in nature, we have to tell it if there are roles
    beyond/besides "admin".

    If not overriden by the user, then the default is `['admin']` as seen
    in the code:
    https://github.com/openstack/horizon/blob/stable/mitaka/openstack_dashboard/utils/identity.py#L20-L25.

Closes-Bug: #1614213

    Change-Id: I5e475db52be7d6390a1ab29a08b58fc102e16037
    Co-Author: Corey Wright <email address hidden>
    (cherry picked from commit c7ebd28341d852213a0f446c6c333033bfb9f362)