
yahoo-eng-team team mailing list archive

[Bug 1982944] [NEW] Users from other domains which should be matched by cloud_admin rule cannot list domains or switch domain context


Public bug reported:

On Yoga, the out-of-the-box 'admin' user can list all domains and switch
context into other domains using Horizon.

As I understand it, the default Keystone policy file allows this by way
of the cloud_admin rule defined as follows:

"admin_required": "role:Admin",
"cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:<id of 'admin_domain'> or project_id:<id of services project>)"

with admin_project_name and admin_project_domain_name defined inside
keystone.conf as 'admin' and 'admin_domain' respectively.

If I create a new domain 'newdomain' and, inside that domain, a new user
'newdomainuser', and then assign newdomainuser the 'admin' role on
either or both of the admin project and the admin domain, then when I
sign into Horizon with 'newdomainuser' I can only see 'newdomain' in
Identity -> Domains and I cannot switch context to other domains.

If I configure an rc file for 'newdomainuser' with OS_PROJECT_DOMAIN_ID
and OS_PROJECT_ID set to match the 'admin' project from the
'admin_domain' domain, then via the CLI I can list domains and perform
operations as expected.

How can we allow users in domains other than the out-of-the-box
'admin_domain' to get full 'cloud_admin' functionality in Horizon?

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1982944
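Added example, not from the bug report or from Keystone's own code: a small Python model of how the quoted cloud_admin rule is evaluated against the credentials of a scoped token. It shows that the rule looks at the token's scope (is_admin_project, domain_id, project_id) and never at the user's home domain, which is why the CLI rc file scoped to the 'admin' project passes while a token scoped to 'newdomain' does not. The IDs are constructed placeholders, and the way is_admin_project is derived from admin_project_name / admin_project_domain_name is an assumption made for illustration.

```python
# Added example (not from the bug report or Keystone's code): models how the
# default cloud_admin rule quoted in the report evaluates against the
# credentials of one scoped token. IDs below are constructed placeholders.
ADMIN_DOMAIN_ID = "ADMIN_DOMAIN_ID_PLACEHOLDER"      # the 'admin_domain' domain
ADMIN_PROJECT_ID = "ADMIN_PROJECT_ID_PLACEHOLDER"    # the 'admin' project in it
SERVICES_PROJECT_ID = "SERVICES_PROJECT_ID_PLACEHOLDER"
NEWDOMAIN_ID = "NEWDOMAIN_ID_PLACEHOLDER"            # the reporter's 'newdomain'

def admin_required(creds):
    # "admin_required": "role:Admin"
    return "Admin" in creds.get("roles", ())

def cloud_admin(creds):
    # "cloud_admin": "rule:admin_required and (is_admin_project:True
    #                 or domain_id:<admin_domain> or project_id:<services>)"
    return admin_required(creds) and (
        creds.get("is_admin_project") is True
        or creds.get("domain_id") == ADMIN_DOMAIN_ID
        or creds.get("project_id") == SERVICES_PROJECT_ID
    )

def token_creds(user_domain_id, roles, project_id=None, domain_id=None):
    """Simplified credentials a policy check sees for one scoped token.
    Assumption: a project-scoped token gets is_admin_project=True only when
    the project is the one named by admin_project_name /
    admin_project_domain_name in keystone.conf; a domain-scoped token carries
    domain_id instead. Note that user_domain_id is never consulted by the rule.
    """
    creds = {"user_domain_id": user_domain_id, "roles": list(roles)}
    if project_id is not None:
        creds["project_id"] = project_id
        creds["is_admin_project"] = project_id == ADMIN_PROJECT_ID
    elif domain_id is not None:
        creds["domain_id"] = domain_id
    return creds

def matched_clause(creds):
    """Name the clause that satisfied cloud_admin, or None if the check fails."""
    if not admin_required(creds):
        return None
    if creds.get("is_admin_project") is True:
        return "is_admin_project"
    if creds.get("domain_id") == ADMIN_DOMAIN_ID:
        return "domain_id"
    if creds.get("project_id") == SERVICES_PROJECT_ID:
        return "project_id"
    return None
```

A user from 'newdomain' holding the Admin role therefore passes only when the session token is scoped to the admin project, the admin domain, or the services project; a token scoped to 'newdomain' itself fails regardless of the role assignment.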