[Bug 1775224] Re: "Create User" and "Delete User" buttons are missing for a domain admin user

Fri Jun 8 19:33:39 UTC 2018

I've taken a good look at this issue today. I'm not convinced its an
issue with Horizon itself, rather with the policy.json file that's being
configured by the deployment itself.

In order to display the Create User button, the user needs to be able to
qualify for the following policies:

- create_grant 
- create_user 
- list_roles 
- list_projects 

>From the policy file provided in the deployment the list_roles,
list_projects, and create_user policies easily passed because they
simply require that the user is a domain scoped admin or cloud admin.

This leaves the create_grant rule as being problematic. The create_grant rule is fairly complex in that it requires that the user in this case be one of: 
- cloud admin 
- an admin in the domain that the user is being created in AND that the target's role is in the same domain 
- an admin in the project that the user is being created in AND that the target's role is in the same project 

The problem with this particular rule is that the target of the policy
as it is evaluated as an empty dictionary (due to the target for the
table not being defined). The current user information is eventually
filled in as part of the evaluation (tenant_id, user_id, domain_id).

Now, it may be that the create_grant policy is intentionally required in
order to display the Create User button (I need to check the history on
it). However, the policy.json file that's written for the charm is
essentially the same policy.json file used for keystone, which in turn
requires that the target.role.domain_id is the same. That may not make
sense due to the context targets that are referenced when evaluating the
policies (as keystone and horizon are not guaranteed to provide the same
context in all places).

I see viable work around options as follows: 
- Update the keystonev3_policy.json file in the deployment to have a more appropriate set of rules 
- Use the cli to manage users 

Note: the following policy works well for the grant oriented policies.
Not only is it easier to read and understand imo, but it removes the
role bits that are included. This comes from the provided grants in the
in the horizon openstack_auth django plugin test policies -
https://github.com/openstack/horizon/blob/stable/queens/openstack_auth/tests/conf/policy.v3cloudsample.json#L85:

"domain_admin_for_grants": "rule:admin_required and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s)", 
"project_admin_for_grants": "rule:admin_required and project_id:%(project_id)s", 
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", 
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", 
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", 
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",

** Also affects: charm-openstack-dashboard
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1775224

Title:
  "Create User" and "Delete User" buttons are missing for a domain admin
  user

Status in OpenStack openstack-dashboard charm:
  New
Status in horizon package in Ubuntu:
  New

Bug description:
  The setup with xenial + Queens UCA and 18.02 charms is as follows:
  https://paste.ubuntu.com/p/BQn3JHr5yZ/

  adma and admb are users with Admin role granted on their respective domain level so they can manage users, groups and roles due to how policy rules shipped via charms are structured http://paste.ubuntu.com/p/ybpvMsmWHC/
      "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",

  While it is possible to do CRUD on users from CLI, e.g. adma user can
  create new users in domain a, there is no visible way to do that from
  the dashboard for create and delete operations ("edit" dropdowns are
  visible, see the screenshot).

  A user with an admin-project/domain scoped token has that ability and sees all necessary buttons (https://specs.openstack.org/openstack/keystone-specs/specs/mitaka/is_admin_project.html, see
  https://github.com/openstack/keystone/blob/stable/queens/keystone/conf/resource.py#L59-L77)

  The problem does not seem to be related to oslo.policy directly
  (policy files seem to be correct) - just to how horizon handles domain
  administrators.

  It is possible to create users from the dashboard without using a
  button by directly invoking the modal window via accessing the right
  URL directly: http://<horizon-address>/identity/users/create/ (see the
  screenshot below). Filling out the form and submitting it results in a
  successful creation of a new domain user.

  Note: for Groups only the "Create button is present" while the
  "Delete" button is not present.

  See also:
  1) the same type of bug but for roles https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775227
  2) "delete groups" https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775229

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-openstack-dashboard/+bug/1775224/+subscriptions