yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1571875] Re: Domain role hidden by project role

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Brad Pokorny <brad_pokorny@xxxxxxxxxxxx>
Date: Wed, 11 May 2016 17:27:02 -0000
Reply-to: Bug 1571875 <1571875@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

After looking back into the code, I remembered why we made it work this
way. The Admin dashboard is for users who can perform admin operations
across services. Only Keystone understands domains, so for a user to
have access to all things the Admin dashboard lets them do, the user
needs to be a cloud admin from a Keystone perspective *and* have the
admin role on the project they're scoped to. So if both of those
conditions aren't met, we hide the admin dashboard.

To give people a fighting chance at figuring this out, I added a new
"Cloud Admin Confusion" section to my blog post (might take a few hours
to reflect the update publicly):

https://www-secure.symantec.com/connect/blogs/domain-support-horizon-
here

In summary, yes, this is confusing, but we had to do it this way
because.. OpenStack.

I'll invalidate this bug, but let me know if there are any questions.

** Changed in: keystone
       Status: New => Invalid

** Changed in: horizon
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1571875

Title:
  Domain role hidden by project role

Status in OpenStack Dashboard (Horizon):
  Invalid
Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Follow the steps below to see the problem.

  1. From the CLI, create a user and assign admin role to the default
  domain but assign no projects. Log into horizon, you will see the
  admin dashboard available to you.

  2. From the CLI, assign the user to the demo project and give the user
  the _member_ role. Log into horizon, you will no longer see the admin
  dashboard.

  Horizon automatically detects the projects you are assigned to and
  scope you to that project instantly. There needs to be a way to
  unscope the project so you can do admin related things. I think we
  need an option to uncheck the project so that you can log in under the
  domain role.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1571875/+subscriptions

References

[Bug 1571875] [NEW] Domain role hidden by project role
From: Thai Tran, 2016-04-18