Public bug reported: openstack_dashboard.api.keystone.is_cloud_admin and is_domain_admin do not work with the policy files generated from the latest master branch (queens) of the keystone repository (For example, keystone commit cfbc2aa30b7406b4bc77e40a55561d1f46174b5c).
During the policy-in-code work, keystone drops "default" policy (which was "rule:admin_required"). is_cloud_admin() and is_domain_admin() refer to "cloud_admin" and "admin_and_matching_domain_id" policies respectively. They are not defined in the default keystone policy. Previously a policy check fallbacks to "default" rule (i.e., "admin_required") and as a result both Is_cloud_admin() and is_domain_admin() checks "admin_required". Now the keystone default policy has no "default" rule. As a result is_cloud_admin() and is_doman_admin() always returns False. This means some admin-ness panels do not work. IIUC, the horizon policy framework intend to work with the default policies from back-end services. The current situation should be fixed until Queens release. [1] https://github.com/openstack/horizon/blob/0f598182919df31e40c7630ee1bd42bea259310d/openstack_dashboard/api/keystone.py#L325-L331 ** Affects: horizon Importance: Critical Status: New ** Changed in: horizon Importance: Undecided => Critical ** Changed in: horizon Milestone: None => queens-3 -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon). https://bugs.launchpad.net/bugs/1739108 Title: api.keystone.is_cloud_admin/is_domain_admin do not work with the latest policy from keystone repo Status in OpenStack Dashboard (Horizon): New Bug description: openstack_dashboard.api.keystone.is_cloud_admin and is_domain_admin do not work with the policy files generated from the latest master branch (queens) of the keystone repository (For example, keystone commit cfbc2aa30b7406b4bc77e40a55561d1f46174b5c). During the policy-in-code work, keystone drops "default" policy (which was "rule:admin_required"). is_cloud_admin() and is_domain_admin() refer to "cloud_admin" and "admin_and_matching_domain_id" policies respectively. They are not defined in the default keystone policy. Previously a policy check fallbacks to "default" rule (i.e., "admin_required") and as a result both Is_cloud_admin() and is_domain_admin() checks "admin_required". Now the keystone default policy has no "default" rule. As a result is_cloud_admin() and is_doman_admin() always returns False. This means some admin-ness panels do not work. IIUC, the horizon policy framework intend to work with the default policies from back-end services. The current situation should be fixed until Queens release. [1] https://github.com/openstack/horizon/blob/0f598182919df31e40c7630ee1bd42bea259310d/openstack_dashboard/api/keystone.py#L325-L331 To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1739108/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
