
yahoo-eng-team team mailing list archive

[Bug 2080538] [NEW] Add support for Domain Manager personas to Horizon


Public bug reported:

With Dalmatian release (2024.2) Keystone has finally added support for domain managers:
https://review.opendev.org/c/openstack/keystone/+/924132

This type of user has a domain-scoped token and a `manager` role assigned on the domain.
With these privileges they are able to:
1. Create/delete users in domain
2. Create/delete projects in domain
3. Assign some privileges for users on projects in their domain

However, even if we adopt policies in Horizon to match the 2024.2 Keystone
policies, this would not be enough to get domain managers working, as
Horizon doesn't actually do domain-scoped tokens, which are required to
pass the policies.

For instance, the policy for creating a project is the following:
identity:create_project: (rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)

So, if a user has the manager role, it is supposed to be assigned on a domain
(i.e. the user has a domain-scoped token), if I read that correctly.

This is partially related to
https://bugs.launchpad.net/horizon/+bug/2067075

** Affects: horizon
     Importance: Undecided
         Status: New
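To make the scoping problem in the report concrete, here is an added illustration (written for this page; it is not Keystone, oslo.policy or Horizon code) that evaluates the `identity:create_project` rule quoted above against the kind of policy-value dicts a token produces. It re-implements only the subset of oslo.policy check semantics the rule needs (`role:X`, `<attr>:%(target.path)s`, `and`/`or`/`not`, parentheses and `rule:` references), and it mirrors Keystone's flattening of the nested target dict into dotted keys. The credential dicts, user and domain IDs are constructed sample data; the one assumption that matters is the one the bug hinges on: a project-scoped token carries `project_id` and `project_domain_id` but no `domain_id`, while a domain-scoped token carries `domain_id`.

```python
"""Model of how Keystone's 2024.2 create_project policy reacts to token scope.

Policy under test (copied from the bug report):
    identity:create_project:
        (rule:admin_required) or
        (role:manager and domain_id:%(target.project.domain_id)s)

Added illustration for this page, not oslo.policy code. Only the check
kinds used by that rule are implemented.
"""
import re

# Constructed stand-ins for the policy values oslo.context derives from a
# token (to_policy_values()).  Key assumption: project scope => domain_id
# is None; domain scope => domain_id is set.  IDs are made up.
PROJECT_SCOPED_MANAGER = {
    "user_id": "u-1", "roles": ["manager", "member"],
    "project_id": "p-1", "project_domain_id": "d-acme", "domain_id": None,
}
DOMAIN_SCOPED_MANAGER = {
    "user_id": "u-1", "roles": ["manager"],
    "project_id": None, "project_domain_id": None, "domain_id": "d-acme",
}
DOMAIN_SCOPED_MANAGER_OTHER_DOMAIN = dict(DOMAIN_SCOPED_MANAGER, domain_id="d-other")
CLOUD_ADMIN = {
    "user_id": "u-0", "roles": ["admin"],
    "project_id": "p-admin", "project_domain_id": "default", "domain_id": None,
}

RULES = {
    "admin_required": "role:admin",
    "identity:create_project":
        "(rule:admin_required) or "
        "(role:manager and domain_id:%(target.project.domain_id)s)",
}

# Tokens: parens, the keywords and/or/not, or a check such as
# role:manager or domain_id:%(target.project.domain_id)s (the %(...)s
# part must stay inside one token even though it contains parentheses).
_TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|\bnot\b|(?:%\([^)]*\)s|[^\s()])+")


def _flatten(d, prefix=""):
    """{'target': {'project': {'domain_id': 'x'}}} -> {'target.project.domain_id': 'x'}"""
    out = {}
    for k, v in d.items():
        key = f"{prefix}.{k}" if prefix else k
        if isinstance(v, dict):
            out.update(_flatten(v, key))
        else:
            out[key] = v
    return out


class PolicyEvaluator:
    def __init__(self, rules):
        self.rules = rules

    def enforce(self, rule_name, target, creds):
        return self._eval(self.rules[rule_name], _flatten(target), creds)

    def _check(self, token, target, creds):
        if token.startswith("rule:"):
            return self._eval(self.rules[token[5:]], target, creds)
        kind, _, match = token.partition(":")
        if kind == "role":
            return match in creds.get("roles", [])
        # Generic check: substitute %(...)s from the flattened target, then
        # compare with the credential attribute of the same name.  A token
        # that carries no such attribute (domain_id on a project-scoped
        # token) can never satisfy the check.
        try:
            match = match % target
        except KeyError:
            return False
        if creds.get(kind) is None:
            return False
        return str(creds[kind]) == match

    def _eval(self, expr, target, creds):
        tokens = _TOKEN_RE.findall(expr)
        pos = 0

        def peek():
            return tokens[pos] if pos < len(tokens) else None

        def parse_or():                      # 'and' binds tighter than 'or'
            nonlocal pos
            result = parse_and()
            while peek() == "or":
                pos += 1
                result = parse_and() or result   # both sides always parsed
            return result

        def parse_and():
            nonlocal pos
            result = parse_not()
            while peek() == "and":
                pos += 1
                result = parse_not() and result
            return result

        def parse_not():
            nonlocal pos
            if peek() == "not":
                pos += 1
                return not parse_not()
            return parse_atom()

        def parse_atom():
            nonlocal pos
            tok = tokens[pos]
            pos += 1
            if tok == "(":
                result = parse_or()
                if peek() != ")":
                    raise ValueError(f"unbalanced parentheses in {expr!r}")
                pos += 1
                return result
            return self._check(tok, target, creds)

        result = parse_or()
        if pos != len(tokens):
            raise ValueError(f"trailing tokens in {expr!r}")
        return bool(result)


def can_create_project(creds, project_domain_id):
    """Would identity:create_project pass for a project in project_domain_id?"""
    target = {"target": {"project": {"domain_id": project_domain_id}}}
    return PolicyEvaluator(RULES).enforce("identity:create_project", target, creds)


if __name__ == "__main__":
    for name, creds in [("project-scoped manager", PROJECT_SCOPED_MANAGER),
                        ("domain-scoped manager", DOMAIN_SCOPED_MANAGER),
                        ("manager of another domain", DOMAIN_SCOPED_MANAGER_OTHER_DOMAIN),
                        ("cloud admin", CLOUD_ADMIN)]:
        print(f"{name:28s} create project in d-acme: {can_create_project(creds, 'd-acme')}")
```

The project-scoped manager is denied even though the role is present, because the `domain_id:%(target.project.domain_id)s` half of the rule compares against the token's `domain_id`, which a project-scoped token does not carry; the same user with a domain-scoped token for `d-acme` passes, and a domain-scoped token for a different domain is still refused. That is the check Horizon cannot satisfy today: it would need to request a domain-scoped token (with keystoneauth1 that means passing `domain_id` or `domain_name` instead of a project scope to the v3 Password plugin) before any policy change on the Horizon side could help.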

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/2080538
