yahoo-eng-team team mailing list archive
Message #94580
[Bug 2080538] [NEW] Add support for Domain Manager personas to Horizon
Public bug reported:
With the Dalmatian release (2024.2), Keystone has finally added support for domain managers:
https://review.opendev.org/c/openstack/keystone/+/924132
Users of this type have domain-scoped tokens and have a `manager` role assigned to the domain.
With these privileges they are able to:
1. Create/delete users in domain
2. Create/delete projects in domain
3. Assign some privileges for users on projects in their domain
However, even if we adopt policies in Horizon to match 2024.2 Keystone
policies, this would not be enough to get domain managers working, as
Horizon doesn't actually do domain-scoped tokens, which are required to
pass policies.
For instance, the policy for creating a project is the following:
identity:create_project: (rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)
So, if a user has the manager role, it is supposed to be assigned to the domain
(have a domain-scoped token), if I read that correctly.
This is partially related to
https://bugs.launchpad.net/horizon/+bug/2067075
** Affects: horizon
Importance: Undecided
Status: New
** Description changed:
With Dalmatian release (2024.2) Keystone has finally added support for domain managers:
https://review.opendev.org/c/openstack/keystone/+/924132
This type of users have a Domain scoped tokens and have a `manager` role assigned to the domain.
With these privileges they are able to:
1. Create/delete users in domain
2. Create/delete projects in domain
3. Assign some privileges for users on projects in their domain
However, even if adopt policies in Horizon to match 2024.2 Keystone
policies, this would not be enough to get domain managers working, as
Horizon doesn't actually do domain-scoped tokens which is required to
pass policies.
As, for instance, in order to create project policy is the following:
identity:create_project: (rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)
So, if user has manager role it is supposed to be assigned to domain
(have a domain scoped token) if I read that correctly.
+
+ This is partially related with
+ https://bugs.launchpad.net/horizon/+bug/2067075
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/2080538
Title:
Add support for Domain Manager personas to Horizon
Status in OpenStack Dashboard (Horizon):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/2080538/+subscriptions
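The identity:create_project rule quoted in the report, worked through as an added example (not part of the original message and not Keystone or Horizon code). It is a simplified model of the rule's three checks rather than oslo.policy itself; the credential dictionaries, the IDs in them, and the reduction of admin_required to role:admin are assumptions made for illustration.

```python
# Simplified model (assumption) of the rule from the bug report:
#   (rule:admin_required) or
#   (role:manager and domain_id:%(target.project.domain_id)s)

def role_check(creds, role):
    """role:<name> passes when the token carries that role (case-insensitive)."""
    return role.lower() in (r.lower() for r in creds.get("roles", []))

def generic_check(creds, key, template, target):
    """<key>:<template> compares a token attribute with a value
    interpolated from the request target."""
    try:
        expected = template % target
    except KeyError:
        return False  # the target lacks the attribute the rule refers to
    return key in creds and str(creds[key]) == expected

def can_create_project(creds, target):
    # Assumption: admin_required is reduced to "role:admin" for this sketch.
    admin_required = role_check(creds, "admin")
    manager_in_domain = role_check(creds, "manager") and generic_check(
        creds, "domain_id", "%(target.project.domain_id)s", target)
    return admin_required or manager_in_domain

# Constructed credentials. Assumption: only a domain-scoped token exposes
# the scope domain as "domain_id"; a project-scoped token leaves it unset.
DOMAIN_SCOPED = {"roles": ["manager"], "domain_id": "d-acme", "project_id": None}
PROJECT_SCOPED = {"roles": ["manager"], "domain_id": None,
                  "project_id": "p-1", "project_domain_id": "d-acme"}
OTHER_DOMAIN = {"roles": ["manager"], "domain_id": "d-other", "project_id": None}

# Constructed request target: create a project inside domain "d-acme".
TARGET = {"target.project.domain_id": "d-acme"}

if __name__ == "__main__":
    for name, creds in [("domain-scoped", DOMAIN_SCOPED),
                        ("project-scoped", PROJECT_SCOPED),
                        ("manager of another domain", OTHER_DOMAIN)]:
        print(f"{name}: {can_create_project(creds, TARGET)}")
```

The project-scoped case is the one the report is about: the user holds the manager role, but the token has no domain scope for the rule to compare against, so updating policy files alone does not let the request pass.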