Public bug reported:

With the Dalmatian release (2024.2) Keystone has finally added support for domain managers:
https://review.opendev.org/c/openstack/keystone/+/924132

This type of user has a domain-scoped token and has the `manager` role assigned on the domain. With these privileges they are able to:

1. Create/delete users in the domain
2. Create/delete projects in the domain
3. Assign some privileges to users on projects in their domain

However, even if we adopt policies in Horizon to match the 2024.2 Keystone policies, this would not be enough to get domain managers working, as Horizon doesn't actually use domain-scoped tokens, which are required to pass the policies. For instance, the policy to create a project is the following:

identity:create_project: (rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)

So, if a user has the manager role, it is supposed to be assigned on the domain (i.e. the user has a domain-scoped token), if I read that correctly.

This is partially related to https://bugs.launchpad.net/horizon/+bug/2067075

** Affects: horizon
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2080538

Title: Add support for Domain Manager personas to Horizon
Status in OpenStack Dashboard (Horizon): New
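Added example (not code from the bug report, Horizon or Keystone): the identity:create_project rule quoted above, evaluated against constructed policy contexts for the same user, once with a domain-scoped token and once with the project-scoped token Horizon sends, to show exactly where the project-scoped token fails. The snippet re-implements the few oslo.policy check kinds the rule uses rather than importing oslo.policy; the user/project/domain ids are made up, and admin_required is reduced to role:admin as an assumption (Keystone's own definition also accepts is_admin:1).

```python
"""Why Keystone's 2024.2 domain-manager rule rejects a project-scoped token.

Added example, not Horizon or Keystone code. It re-implements the subset of
oslo.policy check semantics the quoted rule needs:
  role:<name>     -> <name> is in creds["roles"]
  rule:<name>     -> evaluate another named rule
  <key>:<value>   -> str(creds[<key>]) == <value> after %-interpolating <value>
                     against the target, e.g. domain_id:%(target.project.domain_id)s
  and / or / ( )  -> boolean combinators and grouping
"""
import re

# Rules as quoted in the bug report. Assumption: admin_required is reduced to
# role:admin here; Keystone's real definition also accepts is_admin:1.
RULES = {
    "admin_required": "role:admin",
    "identity:create_project": (
        "(rule:admin_required) or "
        "(role:manager and domain_id:%(target.project.domain_id)s)"
    ),
}

# Parentheses are grouping tokens unless they belong to a %(...)s substitution.
_TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)s|[^\s()])+")


def _tokenize(rule):
    return _TOKEN.findall(rule)


def _check(atom, creds, target):
    """Evaluate one atom such as role:manager or domain_id:%(...)s."""
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return check_rule(match, creds, target)
    if kind == "role":
        return match in creds.get("roles", ())
    try:
        expected = match % target  # KeyError when the target lacks the attribute
    except KeyError:
        return False
    value = creds.get(kind)
    return value is not None and str(value) == expected


class _Parser:
    """expr := term ("or" term)* ; term := factor ("and" factor)* ; factor := "(" expr ")" | atom"""

    def __init__(self, tokens, creds, target):
        self.toks, self.pos, self.creds, self.target = tokens, 0, creds, target

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def expr(self):
        result = self.term()
        while self.peek() == "or":
            self.pos += 1
            rhs = self.term()
            result = result or rhs
        return result

    def term(self):
        result = self.factor()
        while self.peek() == "and":
            self.pos += 1
            rhs = self.factor()
            result = result and rhs
        return result

    def factor(self):
        tok = self.peek()
        self.pos += 1
        if tok == "(":
            result = self.expr()
            if self.peek() != ")":
                raise ValueError("unbalanced parentheses in rule")
            self.pos += 1
            return result
        if tok is None or tok in ("and", "or", ")"):
            raise ValueError("malformed rule near %r" % (tok,))
        return _check(tok, self.creds, self.target)


def check_rule(name, creds, target):
    parser = _Parser(_tokenize(RULES[name]), creds, target)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in rule %r" % name)
    return result


def can_create_project(creds, target):
    return check_rule("identity:create_project", creds, target)


# Constructed policy contexts shaped like the values Keystone derives from a
# token (ids are made up). Note the project-scoped context has no domain_id,
# only project_domain_id: that is what the rule cannot match.
DOMAIN_SCOPED_MANAGER = {"user_id": "u1", "roles": ["manager"],
                         "domain_id": "d1", "project_id": None, "project_domain_id": None}
PROJECT_SCOPED_MANAGER = {"user_id": "u1", "roles": ["manager"],  # the token Horizon uses
                          "domain_id": None, "project_id": "p1", "project_domain_id": "d1"}
CLOUD_ADMIN = {"user_id": "a1", "roles": ["admin"],
               "domain_id": None, "project_id": "p0", "project_domain_id": "default"}
# Flattened target attributes, the form the %(target.project.domain_id)s reference expects.
NEW_PROJECT_IN_D1 = {"target.project.domain_id": "d1"}
NEW_PROJECT_IN_D2 = {"target.project.domain_id": "d2"}

if __name__ == "__main__":
    for label, creds, target in [
        ("domain-scoped manager, project in own domain", DOMAIN_SCOPED_MANAGER, NEW_PROJECT_IN_D1),
        ("domain-scoped manager, project in other domain", DOMAIN_SCOPED_MANAGER, NEW_PROJECT_IN_D2),
        ("project-scoped manager (what Horizon sends)", PROJECT_SCOPED_MANAGER, NEW_PROJECT_IN_D1),
        ("cloud admin", CLOUD_ADMIN, NEW_PROJECT_IN_D1),
    ]:
        print("%-48s -> %s" % (label, "allowed" if can_create_project(creds, target) else "denied"))
```

Only the domain-scoped manager acting inside its own domain and the admin are allowed. The project-scoped variant is denied even though it carries the manager role, because the context built from a project-scoped token has domain_id unset, so domain_id:%(target.project.domain_id)s can never match; copying Keystone's policy file into Horizon does not help unless Horizon also obtains a domain-scoped token, which is the point of the report.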

