[Bug 1775224] Re: "Create User" and "Delete User" buttons are missing for a domain admin user

OpenStack Infra 1775224 at bugs.launchpad.net
Tue Jun 12 18:05:50 UTC 2018


Reviewed:  https://review.openstack.org/574138
Committed: https://git.openstack.org/cgit/openstack/charm-openstack-dashboard/commit/?id=e10f120a1d5725ce50dbae667a1d66b1100839b7
Submitter: Zuul
Branch:    master

commit e10f120a1d5725ce50dbae667a1d66b1100839b7
Author: Billy Olsen <billy.olsen at gmail.com>
Date:   Sun Jun 10 23:00:02 2018 -0700

    Update keystonev3_policy.json to enable UI buttons
    
    The horizon interface enables/displays actions based on the
    keystonev3_policy.json file provided. The keystonev3_policy.json file
    included by the charm has rules for various actions that depend on the
    target object's domain id (user, group, project). The buttons displayed
    for creating and deleting the objects (shown above the tables) are also
    based on these policy rules but no target object exists because they are
    bound to the table and not a specific target object.
    
    This patch changes some of the policy rules to create/delete users,
    projects, and groups to not require the target object's domain_id. This
    is safe to do because the table is shown within the context of the
    target domain_id already. Additionally, the actual ability to alter
    objects is controlled by the actual policy installed in Keystone and not
    the Horizon UI.
    
    Without this change, actions such as "Create User" will only show for
    a user who is a cloud admin and not for any domain admins (even if the
    domain admin is allowed to perform the action via the API or CLI).
    
    Change-Id: Ie0a85e11e6a171083deb19b0eb26c7e552390c00
    Closes-Bug: #1775224
    Closes-Bug: #1775229


** Changed in: charm-openstack-dashboard
       Status: In Progress => Fix Committed

https://bugs.launchpad.net/bugs/1775224

Title:
  "Create User" and "Delete User" buttons are missing for a domain admin
  user

Status in OpenStack openstack-dashboard charm:
  Fix Committed
Status in horizon package in Ubuntu:
  Invalid

Bug description:
  The setup with xenial + Queens UCA and 18.02 charms is as follows:
  https://paste.ubuntu.com/p/BQn3JHr5yZ/

  adma and admb are users with Admin role granted on their respective domain level so they can manage users, groups and roles due to how policy rules shipped via charms are structured http://paste.ubuntu.com/p/ybpvMsmWHC/
      "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",

  While it is possible to do CRUD on users from CLI, e.g. adma user can
  create new users in domain a, there is no visible way to do that from
  the dashboard for create and delete operations ("edit" dropdowns are
  visible, see the screenshot).

  A user with an admin-project/domain scoped token has that ability and sees all necessary buttons (https://specs.openstack.org/openstack/keystone-specs/specs/mitaka/is_admin_project.html, see
  https://github.com/openstack/keystone/blob/stable/queens/keystone/conf/resource.py#L59-L77)

  The problem does not seem to be related to oslo.policy directly
  (policy files seem to be correct) - just to how horizon handles domain
  administrators.

  It is possible to create users from the dashboard without using a
  button by directly invoking the modal window via accessing the right
  URL directly: http://<horizon-address>/identity/users/create/ (see the
  screenshot below). Filling out the form and submitting it results in a
  successful creation of a new domain user.

  Note: for Groups only the "Create" button is present while the
  "Delete" button is not present.

  See also:
  1) the same type of bug but for roles https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775227
  2) "delete groups" https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775229
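
The gap described in the commit message and the bug description, as an added example that is not code from the charm, Horizon or Keystone: a small model of rule evaluation showing why a rule that references a target attribute fails for a table-level button with no target, while the same rule evaluated at the API with a real target still limits a domain admin to their own domain. Only the `identity:create_user` rule text comes from the report; the evaluator, the helper rule bodies, the `target.user.domain_id` attribute name, the relaxed rule and the credentials are assumptions constructed for illustration.

```python
# Simplified model of policy-rule evaluation (an assumption, not oslo.policy itself).
# Only the "identity:create_user" rule text is taken from the bug report; the
# helper rule bodies and the relaxed rule are constructed for illustration.
import re

RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "admin_and_matching_user_domain_id":
        "rule:admin_required and domain_id:%(target.user.domain_id)s",
    "identity:create_user":
        "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
    # Hypothetical UI-side rule that no longer needs a target attribute.
    "create_user_relaxed": "rule:cloud_admin or rule:admin_required",
}

def check(atom, creds, target):
    """Evaluate one check: rule:<name>, role:<name> or <cred key>:<value>."""
    kind, _, match = atom.strip().partition(":")
    if kind == "rule":
        return enforce(match, creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    ref = re.fullmatch(r"%\((.+)\)s", match)
    if ref:
        # A reference to an attribute the target does not carry fails the check.
        if ref.group(1) not in target:
            return False
        match = target[ref.group(1)]
    return creds.get(kind) == match

def enforce(rule, creds, target):
    """OR of AND-groups; parentheses are not supported in this model."""
    return any(all(check(a, creds, target) for a in alt.split(" and "))
               for alt in RULES[rule].split(" or "))

def button_visible(rule, creds):
    # Table-level action: there is no target object to pass to the check.
    return enforce(rule, creds, {})

def api_allows(rule, creds, new_user_domain):
    # Server-side enforcement: the request supplies the target's domain.
    return enforce(rule, creds, {"target.user.domain_id": new_user_domain})

# Constructed credentials: a domain admin, a plain member, a cloud admin.
ADMA = {"roles": ["admin"], "domain_id": "domain_a"}
MEMBER = {"roles": ["member"], "domain_id": "domain_a"}
CLOUD = {"roles": ["admin"], "domain_id": "admin_domain_id"}
```

Relaxing the rule used for the button changes what is displayed only; in this model `api_allows("identity:create_user", ADMA, "domain_b")` stays false, so the server-side policy file is the one to audit for cross-domain access.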
