"Delete Groups" button is missing for a domain admin user

Bug #1775229 reported by Dmitrii Shcherbakov
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Dashboard Charm
Fix Released
Medium
Billy Olsen

Bug Description

The setup is identical to the following bugs:
https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775224
https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775227

The difference is that "Create Group" button is present for a domain admin but not "Delete Groups" after at least a single group is created which happens in the admin project scope.

Tags: cpe-onsite
Revision history for this message
Dmitrii Shcherbakov (dmitriis) wrote :
Revision history for this message
Dmitrii Shcherbakov (dmitriis) wrote :

For comparison, admin project scope buttons are attached.

Revision history for this message
Billy Olsen (billy-olsen) wrote :

Marking as invalid against Ubuntu horizon as its an issue with the policy file in use and not the project itself.

Changed in horizon (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Billy Olsen (billy-olsen)
status: Confirmed → Invalid
importance: Medium → Undecided
assignee: Billy Olsen (billy-olsen) → nobody
Changed in charm-openstack-dashboard:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Billy Olsen (billy-olsen)
milestone: none → 18.08
Revision history for this message
Billy Olsen (billy-olsen) wrote :

The problem is due to the openstack-dashboard charm's keystonev3_policy.json file which requires that the target.group.domain_id matches the current admin's id. The "Delete Groups" button depends on the delete_groups policy but the policy depends on the target.group.domain_id in order to be valid. The "Delete Groups" button does not have a group context associated when it is rendered and thus does not pass the policy.

This is fixed by simply removing the target.group.domain_id from the policy file as the group is only shown in the proper domain context. It's also safe to do as the final ability to remove the group is held within keystone policy configuration itself, which will does have the proper target check because it is supplied as part of a delete api call.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-openstack-dashboard (master)

Fix proposed to branch: master
Review: https://review.openstack.org/574138

Changed in charm-openstack-dashboard:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-openstack-dashboard (master)

Reviewed: https://review.openstack.org/574138
Committed: https://git.openstack.org/cgit/openstack/charm-openstack-dashboard/commit/?id=e10f120a1d5725ce50dbae667a1d66b1100839b7
Submitter: Zuul
Branch: master

commit e10f120a1d5725ce50dbae667a1d66b1100839b7
Author: Billy Olsen <email address hidden>
Date: Sun Jun 10 23:00:02 2018 -0700

    Update keystonev3_policy.json to enable UI buttons

    The horizon interface enables/displays actions based on the
    keystonev3_policy.json file provided. The keystonev3_policy.json file
    included by the charm has rules for various actions that depend on the
    target object's domain id (user, group, project). The buttons displayed
    for creating and deleting the objects (shown above the tables) are also
    based on these policy rules but no target object exists because they are
    bound to the table and not a specific target object.

    This patch changes some of the policy rules to create/delete users,
    projects, and groups to not require the target object's domain_id. This
    is safe to do because the table is shown within the context of the
    target domain_id already. Additionally, the actual ability to alter
    objects is controlled by the actual policy installed in Keystone and not
    the Horizon UI.

    Without this change, actions such as "Create User" will only show for
    a user who is a cloud admin and not for any domain admins (even if the
    domain admin is allowed to perform the action via the API or CLI).

    Change-Id: Ie0a85e11e6a171083deb19b0eb26c7e552390c00
    Closes-Bug: #1775224
    Closes-Bug: #1775229

Changed in charm-openstack-dashboard:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-openstack-dashboard (stable/18.05)

Fix proposed to branch: stable/18.05
Review: https://review.openstack.org/575272

David Ames (thedac)
Changed in charm-openstack-dashboard:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on charm-openstack-dashboard (stable/18.05)

Change abandoned by Felipe Reyes (<email address hidden>) on branch: stable/18.05
Review: https://review.openstack.org/575272

Mathew Hodson (mhodson)
no longer affects: horizon (Ubuntu)
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.