Cannot update Identity Roles in Rocky

Bug #1792783 reported by Corey Bryant on 2018-09-16
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
Undecided
Corey Bryant
Ubuntu Cloud Archive
High
Unassigned
Rocky
High
Unassigned
horizon (Ubuntu)
High
Unassigned
Cosmic
High
Unassigned

Bug Description

In Rocky, there's no way to create, edit, delete Identity Roles.

Please see attached screenshots comparing Queens and Rocky.

Corey Bryant (corey.bryant) wrote :

Queens screenshot

Corey Bryant (corey.bryant) wrote :

Rocky screenshot

Changed in horizon (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
importance: Medium → High
Ivan Kolodyazhny (e0ne) wrote :

Corey, could you please confirm that it's reproducible on upstream horizon?

Changed in horizon:
status: New → Incomplete
assignee: nobody → Corey Bryant (corey.bryant)
Akihiro Motoki (amotoki) wrote :

I cannot reproduce this either.

Note that I only this once but at that time I forgot to run collectstatic and compress, i.e., it was my mistake.

Corey Bryant (corey.bryant) wrote :

This is possibly explained by the following comments from LP:1775227:

https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775227/comments/5
https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775227/comments/6

"I agree that the current horizon does not support role create/delete operations by domain admin."

Corey Bryant (corey.bryant) wrote :

I did a little more digging and I'm still not sure what the problem is. I can create/delete users, groups, projects, domains, but not roles as there are no buttons.

For OPENSTACK_KEYSTONE_BACKEND in local_settings.py we have:

OPENSTACK_KEYSTONE_BACKEND = {
    'name': 'native',
    'can_edit_user': True,
    'can_edit_group': True,
    'can_edit_project': True,
    'can_edit_domain': True,
    'can_edit_role': True,
}

The keystone v3 policy looks fine and I'm using a cloud admin (not a domain admin, so this is not the same as bug 1775227):

     "admin_required": "role:Admin",
     "cloud_admin": "rule:admin_required and rule:domain_id:7b67d5a059154b45a5f4cb6f80310493",
     ...
     "identity:get_role": "rule:admin_required",
     "identity:list_roles": "rule:admin_required",
     "identity:create_role": "rule:cloud_admin",
     "identity:update_role": "rule:cloud_admin",
     "identity:delete_role": "rule:cloud_admin",

# openstack commands to compare vs cloud_admin policy - truncated for launchpad formatting

$ os domain list
+----------------------------------+----------------+
| ID | Name |
+----------------------------------+----------------+
| 7b67d5a059154b45a5f4cb6f80310493 | admin_domain |
+----------------------------------+----------------+

$ os user show admin
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 7b67d5a059154b45a5f4cb6f80310493 |
| email | juju@localhost |
| enabled | True |
| id | 70ffd1578204492b954792af2607bffd |
| name | admin |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+

$ os role list
+----------------------------------+---------------+
| ID | Name |
+----------------------------------+---------------+
| 8a01a3463f584c34a5c56282a90b53a7 | Admin |
+----------------------------------+---------------+

$ os role assignment list -f json
  ...
  {
    "Role": "8a01a3463f584c34a5c56282a90b53a7",
    "User": "70ffd1578204492b954792af2607bffd",
    "Group": "",
    "Project": "",
    "Domain": "7b67d5a059154b45a5f4cb6f80310493",
    "System": "",
    "Inherited": false
  },
  ...

Static assets are collected and compressed and apache2/memcached restarted.

I've been testing with the Ubuntu package so I'll have to test this with upstream and see what is different.

Albert Damen (albrt) wrote :

Has OPENSTACK_KEYSTONE_BACKEND been added to REST_API_REQUIRED_SETTINGS?

After an upgrade from queens I did not have the "create role" option either. Adding OPENSTACK_KEYSTONE_BACKEND to REST_API_REQUIRED_SETTINGS fixed that.

Both options are properly set in /etc/openstack-dashboard/local_settings.py.dpkg-dist, but I refused the new file to keep my local changes.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers