← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #70038

[Bug 1739108] [NEW] api.keystone.is_cloud_admin/is_domain_admin do not work with the latest policy from keystone repo

  Thread PreviousDate PreviousThread Next 
Public bug reported:

openstack_dashboard.api.keystone.is_cloud_admin and is_domain_admin do
not work with the policy files generated from the latest master branch
(queens) of the keystone repository (For example, keystone commit
cfbc2aa30b7406b4bc77e40a55561d1f46174b5c).

During the policy-in-code work, keystone drops "default" policy (which
was "rule:admin_required").

is_cloud_admin() and is_domain_admin() refer to "cloud_admin" and "admin_and_matching_domain_id" policies respectively. They are not defined in the default keystone policy. 
Previously a policy check fallbacks to "default" rule (i.e., "admin_required") and as a result both Is_cloud_admin() and is_domain_admin() checks "admin_required".

Now the keystone default policy has no "default" rule. As a result
is_cloud_admin() and is_doman_admin() always returns False. This means
some admin-ness panels do not work.

IIUC, the horizon policy framework intend to work with the default policies from back-end services.
The current situation should be fixed until Queens release.

[1]
https://github.com/openstack/horizon/blob/0f598182919df31e40c7630ee1bd42bea259310d/openstack_dashboard/api/keystone.py#L325-L331

** Affects: horizon
     Importance: Critical
         Status: New

** Changed in: horizon
   Importance: Undecided => Critical

** Changed in: horizon
    Milestone: None => queens-3

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1739108

Title:
  api.keystone.is_cloud_admin/is_domain_admin do not work with the
  latest policy from keystone repo

Status in OpenStack Dashboard (Horizon):
  New

Bug description:
  openstack_dashboard.api.keystone.is_cloud_admin and is_domain_admin do
  not work with the policy files generated from the latest master branch
  (queens) of the keystone repository (For example, keystone commit
  cfbc2aa30b7406b4bc77e40a55561d1f46174b5c).

  During the policy-in-code work, keystone drops "default" policy (which
  was "rule:admin_required").

  is_cloud_admin() and is_domain_admin() refer to "cloud_admin" and "admin_and_matching_domain_id" policies respectively. They are not defined in the default keystone policy. 
  Previously a policy check fallbacks to "default" rule (i.e., "admin_required") and as a result both Is_cloud_admin() and is_domain_admin() checks "admin_required".

  Now the keystone default policy has no "default" rule. As a result
  is_cloud_admin() and is_doman_admin() always returns False. This means
  some admin-ness panels do not work.

  IIUC, the horizon policy framework intend to work with the default policies from back-end services.
  The current situation should be fixed until Queens release.

  [1]
  https://github.com/openstack/horizon/blob/0f598182919df31e40c7630ee1bd42bea259310d/openstack_dashboard/api/keystone.py#L325-L331

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1739108/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next