I did a little more digging and I'm still not sure what the problem is.
I can create/delete users, groups, projects, domains, but not roles as
there are no buttons.

For OPENSTACK_KEYSTONE_BACKEND in local_settings.py we have:

OPENSTACK_KEYSTONE_BACKEND = {
    'name': 'native',
    'can_edit_user': True,
    'can_edit_group': True,
    'can_edit_project': True,
    'can_edit_domain': True,
    'can_edit_role': True,
}

The keystone v3 policy looks fine and I'm using a cloud admin (not a
domain admin, so this is not the same as bug 1775227):

     "admin_required": "role:Admin",
     "cloud_admin": "rule:admin_required and rule:domain_id:7b67d5a059154b45a5f4cb6f80310493",
     ...
     "identity:get_role": "rule:admin_required",
     "identity:list_roles": "rule:admin_required",
     "identity:create_role": "rule:cloud_admin",
     "identity:update_role": "rule:cloud_admin",
     "identity:delete_role": "rule:cloud_admin",

# openstack commands to compare vs cloud_admin policy - truncated for
launchpad formatting

$ os domain list
+----------------------------------+----------------+
| ID                               | Name           |
+----------------------------------+----------------+
| 7b67d5a059154b45a5f4cb6f80310493 | admin_domain   |
+----------------------------------+----------------+

$ os user show admin
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 7b67d5a059154b45a5f4cb6f80310493 |
| email               | juju@localhost                   |
| enabled             | True                             |
| id                  | 70ffd1578204492b954792af2607bffd |
| name                | admin                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

$ os role list
+----------------------------------+---------------+
| ID                               | Name          |
+----------------------------------+---------------+
| 8a01a3463f584c34a5c56282a90b53a7 | Admin         |
+----------------------------------+---------------+

$ os role assignment list -f json
  ...
  {
    "Role": "8a01a3463f584c34a5c56282a90b53a7",
    "User": "70ffd1578204492b954792af2607bffd",
    "Group": "",
    "Project": "",
    "Domain": "7b67d5a059154b45a5f4cb6f80310493",
    "System": "",
    "Inherited": false
  },
  ...

Static assets are collected and compressed and apache2/memcached
restarted.

I've been testing with the Ubuntu package so I'll have to test this with
upstream and see what is different.
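
The manual cross-check in the message above (the domain ID in the `cloud_admin` rule against the `os` command output) can be scripted. This is an added example, not part of the original report or of Horizon/Keystone; the function names are hypothetical, the inputs are constructed from the values quoted in the message, and it only considers direct user assignments on a domain (no group or inherited assignments).

```python
import json
import re

# Constructed sample inputs, copied from the values shown in the message above.
POLICY = json.loads("""{
  "admin_required": "role:Admin",
  "cloud_admin": "rule:admin_required and rule:domain_id:7b67d5a059154b45a5f4cb6f80310493",
  "identity:create_role": "rule:cloud_admin",
  "identity:update_role": "rule:cloud_admin",
  "identity:delete_role": "rule:cloud_admin"
}""")
ROLES = {"Admin": "8a01a3463f584c34a5c56282a90b53a7"}  # from `os role list`
ASSIGNMENTS = [{  # from `os role assignment list -f json`
    "Role": "8a01a3463f584c34a5c56282a90b53a7",
    "User": "70ffd1578204492b954792af2607bffd",
    "Group": "", "Project": "",
    "Domain": "7b67d5a059154b45a5f4cb6f80310493",
    "System": "", "Inherited": False,
}]


def cloud_admin_requirements(policy):
    """Return (role_name, domain_id) that the cloud_admin rule refers to."""
    role = re.search(r"role:(\w+)", policy["admin_required"])
    domain = re.search(r"domain_id:([0-9a-f]{32})", policy["cloud_admin"])
    if not role or not domain:
        raise ValueError("policy does not name a role and a domain id")
    return role.group(1), domain.group(1)


def role_rules_using_cloud_admin(policy):
    """List the identity:*_role rules gated on rule:cloud_admin."""
    return sorted(k for k, v in policy.items()
                  if k.endswith("_role") and "rule:cloud_admin" in v)


def user_is_cloud_admin(user_id, policy, roles, assignments):
    """True if user_id holds the required role directly on the required domain."""
    role_name, domain_id = cloud_admin_requirements(policy)
    role_id = roles.get(role_name)
    return any(a["User"] == user_id and a["Role"] == role_id
               and a["Domain"] == domain_id for a in assignments)


if __name__ == "__main__":
    print(role_rules_using_cloud_admin(POLICY))
    print(user_is_cloud_admin("70ffd1578204492b954792af2607bffd",
                              POLICY, ROLES, ASSIGNMENTS))
```

On a live deployment, replace the constructed inputs with the parsed policy file and the JSON output of `os role list -f json` and `os role assignment list -f json`.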

https://bugs.launchpad.net/bugs/1792783

Title:
  Cannot update Identity Roles in Rocky
