yahoo-eng-team team mailing list archive
Message #61997
[Bug 1628141] Re: Regular users cannot manage security groups in Horizon
Reviewed: https://review.openstack.org/377777
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=ed86badc4290fc97bbb4fcfac53afffc69080243
Submitter: Jenkins
Branch: master
commit ed86badc4290fc97bbb4fcfac53afffc69080243
Author: Nick Liu <deltik@xxxxxxx>
Date: Tue Sep 27 09:51:22 2016 -0500

Remove unimplemented policy checks for Neutron

The dashboard is doing policy checks for Neutron that aren't even being
done by Neutron itself.

This fixes bug #1628141, which was caused by change-id
I9f4e9209606999e5529e5ba068640d607b817f56, which was meant for Nova and
not for Neutron.

This change makes the policy checks for Nova secgroups only, if Neutron
networking is not enabled.

Neutron policy checks removed:
* delete_security_group
* create_security_group
* update_security_group
* get_security_group
* create_security_group_rule
* delete_security_group_rule

Change-Id: I46b46fcd4cbc7c8e06f481eac9606c330fc75351
Closes-Bug: #1628141
** Changed in: horizon
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1628141
Title:
Regular users cannot manage security groups in Horizon
Status in OpenStack Dashboard (Horizon):
Fix Released
Bug description:
As a regular user (a user without the "admin" role), if I go to
Horizon » Project » Compute » Access & Security » Security Groups, by
default, the options to
* delete security groups,
* create security groups,
* update security groups,
* create security group rules, and
* delete security group rules
… do not show up.
If my Horizon IP address is 10.12.53.10, the page that should be
showing those options would be
https://10.12.53.10/project/access_and_security/ under the "Security
Groups" tab.
This happens if the "network" (Neutron) service is enabled.
My regular user does have permission to manipulate security groups,
which I checked with `nova secgroup-create`,
`neutron security-group-delete`, etc.
Also, I could bring up the Horizon interface to create new security
groups by going directly to
https://10.12.53.10/project/access_and_security/security_groups/create/,
and filling out and submitting the form would create a new security
group, but the options to edit or delete it still do not show up in
Horizon after creating the new security group.
--------------------------------------------------------------------------
The cause is that "openstack_dashboard/conf/neutron_policy.json" does
not contain security group and security group rule policies.
If you go to
"openstack_dashboard/dashboards/project/access_and_security/security_groups/tables.py",
you can see the allowed() method of each tables.LinkAction. Notice
that each checks if the "network" service is enabled, and if so, it
sets the policy to check to be (("network",
"create_security_group"),), (("network", "delete_security_group"),),
and so on.
The problem is that the file that is supposed to contain those
policies, "openstack_dashboard/conf/neutron_policy.json", does not
contain those policies.
--------------------------------------------------------------------------
To fix the problem, add a comma to the end of the last policy in
"openstack_dashboard/conf/neutron_policy.json", then before the
closing "}", add the following lines:
"delete_security_group": "rule:regular_user",
"create_security_group": "rule:regular_user",
"update_security_group": "rule:regular_user",
"get_security_group": "rule:regular_user",
"create_security_group_rule": "rule:regular_user",
"delete_security_group_rule": "rule:regular_user"
Now, regular users can manage security groups in Horizon.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1628141/+subscriptions
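A consistency check for the mismatch described in the bug report, added here as an example and not part of Horizon or of the original message: it collects the (service, rule) pairs that dashboard source asks to have checked and reports any that the service's policy file does not define. The sample source, the function names and the trimmed policy contents are constructed for illustration; the rule names are the ones listed in the report.

```python
import ast
import json

# Constructed sample in the style the report describes: each action's
# allowed() names the (service, rule) pair it wants checked.
SAMPLE_TABLES_PY = '''
class CreateGroup(object):
    def allowed(self, request, security_group=None):
        policy = (("network", "create_security_group"),)
        return check(policy, request)

class DeleteGroup(object):
    def allowed(self, request, security_group=None):
        policy = (("network", "delete_security_group"),)
        return check(policy, request)
'''

# Constructed, trimmed policy file contents: without and with the rules.
POLICY_BEFORE = '{"regular_user": ""}'
POLICY_AFTER = '''{
    "regular_user": "",
    "delete_security_group": "rule:regular_user",
    "create_security_group": "rule:regular_user"
}'''


def referenced_rules(source):
    """Collect every (service, rule) pair written as (("svc", "rule"),)."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Tuple):
            continue
        for elt in node.elts:
            if (isinstance(elt, ast.Tuple) and len(elt.elts) == 2
                    and all(isinstance(e, ast.Constant) and isinstance(e.value, str)
                            for e in elt.elts)):
                found.add((elt.elts[0].value, elt.elts[1].value))
    return found


def missing_rules(source, policies):
    """Return referenced rules absent from the service's policy file.

    A service with no loaded policy file has every one of its rules reported.
    """
    return sorted((svc, rule) for svc, rule in referenced_rules(source)
                  if rule not in policies.get(svc, {}))


if __name__ == "__main__":
    for label, text in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(label, missing_rules(SAMPLE_TABLES_PY, {"network": json.loads(text)}))
```

Run against a real tree, a non-empty result is the signal that the UI is gating on a rule nobody has defined.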