[Bug 1775227] Re: "Create Role" and "Delete Role" buttons are missing for a domain admin user

James Page james.page at ubuntu.com
Thu Nov 22 14:50:32 UTC 2018 

** Changed in: horizon (Ubuntu)
       Status: New => Triaged

** Changed in: horizon (Ubuntu)
   Importance: Undecided => Critical

** Changed in: horizon (Ubuntu)
   Importance: Critical => Low

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1775227

Title:
  "Create Role" and "Delete Role" buttons are missing for a domain admin
  user

Status in OpenStack Dashboard (Horizon):
  Confirmed
Status in horizon package in Ubuntu:
  Triaged

Bug description:
  This bug is similar to
  https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1775224 so I am
  pasting the initial description without modification.

  The setup with xenial + Queens UCA and 18.02 charms is as follows:
  https://paste.ubuntu.com/p/BQn3JHr5yZ/

  adma and admb are users with Admin role granted on their respective domain level so they can manage users, groups and roles due to how policy rules shipped via charms are structured http://paste.ubuntu.com/p/ybpvMsmWHC/
      "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",

  While it is possible to do CRUD on roles from CLI, e.g. adma user can
  create new roles in domain a, there is no visible way to do that from
  the dashboard for create and delete operations.

  A user with an admin-project/domain scoped token has that ability and sees all necessary buttons (https://specs.openstack.org/openstack/keystone-specs/specs/mitaka/is_admin_project.html, see
  https://github.com/openstack/keystone/blob/stable/queens/keystone/conf/resource.py#L59-L77)

  The problem does not seem to be related to oslo.policy directly
  (policy files seem to be correct) - just to how horizon handles domain
  administrators.

  Trying to invoke a modal window directly via http://<horizon-
  address>/identity/roles/create/ does not work as it does, e.g. with
  users in bug 1775224.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1775227/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list