"Delete Groups" button is missing for a domain admin user

For comparison, admin project scope buttons are attached.

Marking as invalid against Ubuntu horizon as its an issue with the policy file in use and not the project itself.

The problem is due to the openstack-dashboard charm's keystonev3_policy.json file which requires that the target.group.domain_id matches the current admin's id. The "Delete Groups" button depends on the delete_groups policy but the policy depends on the target.group.domain_id in order to be valid. The "Delete Groups" button does not have a group context associated when it is rendered and thus does not pass the policy.

This is fixed by simply removing the target.group.domain_id from the policy file as the group is only shown in the proper domain context. It's also safe to do as the final ability to remove the group is held within keystone policy configuration itself, which will does have the proper target check because it is supplied as part of a delete api call.

Fix proposed to branch: master
Review: https://review.openstack.org/574138

Reviewed: https://review.openstack.org/574138
Committed: https://git.openstack.org/cgit/openstack/charm-openstack-dashboard/commit/?id=e10f120a1d5725ce50dbae667a1d66b1100839b7
Submitter: Zuul
Branch: master

commit e10f120a1d5725ce50dbae667a1d66b1100839b7
Author: Billy Olsen <email address hidden>
Date: Sun Jun 10 23:00:02 2018 -0700

    Update keystonev3_policy.json to enable UI buttons

    The horizon interface enables/displays actions based on the
    keystonev3_policy.json file provided. The keystonev3_policy.json file
    included by the charm has rules for various actions that depend on the
    target object's domain id (user, group, project). The buttons displayed
    for creating and deleting the objects (shown above the tables) are also
    based on these policy rules but no target object exists because they are
    bound to the table and not a specific target object.

    This patch changes some of the policy rules to create/delete users,
    projects, and groups to not require the target object's domain_id. This
    is safe to do because the table is shown within the context of the
    target domain_id already. Additionally, the actual ability to alter
    objects is controlled by the actual policy installed in Keystone and not
    the Horizon UI.

    Without this change, actions such as "Create User" will only show for
    a user who is a cloud admin and not for any domain admins (even if the
    domain admin is allowed to perform the action via the API or CLI).

    Change-Id: Ie0a85e11e6a171083deb19b0eb26c7e552390c00
    Closes-Bug: #1775224
    Closes-Bug: #1775229

Fix proposed to branch: stable/18.05
Review: https://review.openstack.org/575272

Change abandoned by Felipe Reyes (<email address hidden>) on branch: stable/18.05
Review: https://review.openstack.org/575272