yahoo-eng-team team mailing list archive

[Bug 1628141] [NEW] Regular users cannot manage security groups in Horizon

 

Public bug reported:

As a regular user (a user without the "admin" role), if I go to Horizon
» Project » Compute » Access & Security » Security Groups, by default,
the options to

* delete security groups,
* create security groups,
* update security groups,
* create security group rules, and
* delete security group rules

… do not show up.

If my Horizon IP address is 10.12.53.10, the page that should be showing
those options would be https://10.12.53.10/project/access_and_security/
under the "Security Groups" tab.

This happens if the "network" (Neutron) service is enabled.

My regular user does have permission to manipulate security groups,
which I checked with `nova secgroup-create`,
`neutron security-group-delete`, etc.

Also, I could bring up the Horizon interface to create new security
groups by going directly to
https://10.12.53.10/project/access_and_security/security_groups/create/
, and filling out and submitting the form would create a new security
group, but the options to edit or delete it still do not show up in
Horizon after creating the new security group.

--------------------------------------------------------------------------

The cause is that "openstack_dashboard/conf/neutron_policy.json" does
not contain security group and security group rule policies.

If you go to
"openstack_dashboard/dashboards/project/access_and_security/security_groups/tables.py",
you can see the allowed() method of each tables.LinkAction.  Notice that
each checks if the "network" service is enabled, and if so, it sets the
policy to check to be (("network", "create_security_group"),),
(("network", "delete_security_group"),), and so on.

The problem is that the file that is supposed to contain those policies,
"openstack_dashboard/conf/neutron_policy.json", does not contain those
policies.

--------------------------------------------------------------------------

To fix the problem, add a comma to the end of the last policy in
"openstack_dashboard/conf/neutron_policy.json", then before the closing
"}", add the following lines:

    "delete_security_group": "rule:regular_user",
    "create_security_group": "rule:regular_user",
    "update_security_group": "rule:regular_user",
    "get_security_group": "rule:regular_user",
    "create_security_group_rule": "rule:regular_user",
    "delete_security_group_rule": "rule:regular_user"

Now, regular users can manage security groups in Horizon.

** Affects: horizon
     Importance: Undecided
         Status: New

** Description changed:

  As a regular user (a user without the "admin" role), if I go to Horizon
  » Project » Compute » Access & Security » Security Groups, by default,
  the options to
  
  * delete security groups,
  * create security groups,
  * update security groups,
  * create security group rules, and
  * delete security group rules
  
  … do not show up.
  
  If my Horizon IP address is 10.12.53.10, the page that should be showing
  those options would be https://10.12.53.10/project/access_and_security/
  under the "Security Groups" tab.
  
  This happens if the "network" (Neutron) service is enabled.
  
  My regular user does have permission to manipulate security groups,
  which I checked with `nova secgroup-create`, `neutron security-group-
  delete`, etc.
  
  Also, I could bring up the Horizon interface to create new security
  groups by going directly to
  https://10.12.53.10/project/access_and_security/security_groups/create/
  , and filling out and submitting the form would create a new security
  group, but the options to edit or delete it still do not show up in
  Horizon after creating the new security group.
  
- --------------------------------------------------------------------------------
+ --------------------------------------------------------------------------
  
  The cause is that "openstack_dashboard/conf/neutron_policy.json" does
  not contain security group and security group rule policies.
  
  If you go to
  "openstack_dashboard/dashboards/project/access_and_security/security_groups/tables.py",
  you can see the allowed() method of each tables.LinkAction.  Notice that
  each checks if the "network" service is enabled, and if so, it sets the
  policy to check to be (("network", "create_security_group"),),
  (("network", "delete_security_group"),), and so on.
  
  The problem is that the file that is supposed to contain those policies,
  "openstack_dashboard/conf/neutron_policy.json", does not contain those
  policies.
  
- --------------------------------------------------------------------------------
+ --------------------------------------------------------------------------
  
  To fix the problem, add a comma to the end of the last policy in
  "openstack_dashboard/conf/neutron_policy.json", then before the closing
  "}", add the following lines:
  
-     "delete_security_group": "rule:regular_user",
-     "create_security_group": "rule:regular_user",
-     "update_security_group": "rule:regular_user",
-     "get_security_group": "rule:regular_user",
-     "create_security_group_rule": "rule:regular_user",
-     "delete_security_group_rule": "rule:regular_user"
+     "delete_security_group": "rule:regular_user",
+     "create_security_group": "rule:regular_user",
+     "update_security_group": "rule:regular_user",
+     "get_security_group": "rule:regular_user",
+     "create_security_group_rule": "rule:regular_user",
+     "delete_security_group_rule": "rule:regular_user"
  
  Now, regular users can manage security groups in Horizon.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1628141
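
An added example, not part of the original report and not Horizon's own code: a check that the policy targets listed in the report are present in a policy file and that every `rule:<alias>` reference resolves to a defined rule. The `BEFORE` dictionary is a constructed stand-in for "openstack_dashboard/conf/neutron_policy.json", and the function names are hypothetical.

```python
import json
import re

# Policy targets taken from the fix listed in the report.
REQUIRED = [
    "delete_security_group", "create_security_group", "update_security_group",
    "get_security_group", "create_security_group_rule",
    "delete_security_group_rule",
]

# Constructed sample standing in for the policy file before the fix
# (an assumption for illustration, not the real file contents).
BEFORE = json.loads("""
{
    "regular_user": "",
    "admin_only": "role:admin",
    "create_network": "rule:regular_user"
}
""")

RULE_REF = re.compile(r"rule:([A-Za-z0-9_]+)")


def missing_targets(policy, required=REQUIRED):
    """Return the required policy targets that the file does not define."""
    return [name for name in required if name not in policy]


def undefined_rule_refs(policy):
    """Map each target to the rule aliases it references but the file lacks."""
    bad = {}
    for target, expr in policy.items():
        if not isinstance(expr, str):
            continue
        unknown = sorted({a for a in RULE_REF.findall(expr) if a not in policy})
        if unknown:
            bad[target] = unknown
    return bad


def apply_fix(policy, rule="rule:regular_user"):
    """Return a copy with the missing targets added; existing entries are kept."""
    fixed = dict(policy)
    for name in missing_targets(policy):
        fixed[name] = rule
    return fixed


if __name__ == "__main__":
    print("missing before fix:", missing_targets(BEFORE))
    fixed = apply_fix(BEFORE)
    print("missing after fix:", missing_targets(fixed))
    print("undefined aliases:", undefined_rule_refs(fixed))
```

Merging the entries through `json` rather than by hand also avoids the trailing-comma step, and `undefined_rule_refs` flags the case where the target file has no `regular_user` rule for the new entries to refer to.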
