yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #50734
[Bug 1571875] Re: Domain role hidden by project role
After looking back into the code, I remembered why we made it work this
way. The Admin dashboard is for users who can perform admin operations
across services. Only Keystone understands domains, so for a user to
have access to all things the Admin dashboard lets them do, the user
needs to be a cloud admin from a Keystone perspective *and* have the
admin role on the project they're scoped to. So if both of those
conditions aren't met, we hide the admin dashboard.
To give people a fighting chance at figuring this out, I added a new
"Cloud Admin Confusion" section to my blog post (might take a few hours
to reflect the update publicly):
https://www-secure.symantec.com/connect/blogs/domain-support-horizon-
here
In summary, yes, this is confusing, but we had to do it this way
because.. OpenStack.
I'll invalidate this bug, but let me know if there are any questions.
** Changed in: keystone
Status: New => Invalid
** Changed in: horizon
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1571875
Title:
Domain role hidden by project role
Status in OpenStack Dashboard (Horizon):
Invalid
Status in OpenStack Identity (keystone):
Invalid
Bug description:
Follow the steps below to see the problem.
1. From the CLI, create a user and assign admin role to the default
domain but assign no projects. Log into horizon, you will see the
admin dashboard available to you.
2. From the CLI, assign the user to the demo project and give the user
the _member_ role. Log into horizon, you will no longer see the admin
dashboard.
Horizon automatically detects the projects you are assigned to and
scope you to that project instantly. There needs to be a way to
unscope the project so you can do admin related things. I think we
need an option to uncheck the project so that you can log in under the
domain role.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1571875/+subscriptions
References