[Bug 1775224] Re: "Create User" and "Delete User" buttons are missing for a domain admin user
Dmitrii Shcherbakov
1775224 at bugs.launchpad.net
Tue Jun 5 17:17:35 UTC 2018
** Description changed:
The setup with xenial + Queens UCA and 18.02 charms is as follows:
https://paste.ubuntu.com/p/BQn3JHr5yZ/
adma and admb are users with Admin role granted on their respective domain level so they can manage users, groups and roles due to how policy rules shipped via charms are structured http://paste.ubuntu.com/p/ybpvMsmWHC/
- "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
+ "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
While it is possible to do CRUD on users from CLI, e.g. adma user can
create new users in domain a, there is no visible way to do that from
the dashboard for create and delete operations ("edit" dropdowns are
visible, see the screenshot).
A user with an admin-project/domain scoped token has that ability and sees all necessary buttons (https://specs.openstack.org/openstack/keystone-specs/specs/mitaka/is_admin_project.html, see
https://github.com/openstack/keystone/blob/stable/queens/keystone/conf/resource.py#L59-L77)
The problem does not seem to be related to oslo.policy directly (policy
files seem to be correct) - just to how horizon handles domain
administrators.
It is possible to create users from the dashboard without using a button
by directly invoking the modal window via accessing the right URL
directly: http://<horizon-address>/identity/users/create/ (see the
screenshot below). Filling out the form and submitting it results in a
successful creation of a new domain user.
+
+ Note: for Groups only the "Create button is present" while the "Delete"
+ button is not present.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1775224
Title:
"Create User" and "Delete User" buttons are missing for a domain admin
user
Status in horizon package in Ubuntu:
New
Bug description:
The setup with xenial + Queens UCA and 18.02 charms is as follows:
https://paste.ubuntu.com/p/BQn3JHr5yZ/
adma and admb are users with Admin role granted on their respective domain level so they can manage users, groups and roles due to how policy rules shipped via charms are structured http://paste.ubuntu.com/p/ybpvMsmWHC/
"identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
While it is possible to do CRUD on users from CLI, e.g. adma user can
create new users in domain a, there is no visible way to do that from
the dashboard for create and delete operations ("edit" dropdowns are
visible, see the screenshot).
A user with an admin-project/domain scoped token has that ability and sees all necessary buttons (https://specs.openstack.org/openstack/keystone-specs/specs/mitaka/is_admin_project.html, see
https://github.com/openstack/keystone/blob/stable/queens/keystone/conf/resource.py#L59-L77)
The problem does not seem to be related to oslo.policy directly
(policy files seem to be correct) - just to how horizon handles domain
administrators.
It is possible to create users from the dashboard without using a
button by directly invoking the modal window via accessing the right
URL directly: http://<horizon-address>/identity/users/create/ (see the
screenshot below). Filling out the form and submitting it results in a
successful creation of a new domain user.
Note: for Groups only the "Create button is present" while the
"Delete" button is not present.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775224/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list