Public bug reported: On Yoga, the out-of-the-box 'admin' user can list all domains and switch context into other domains using Horizon.
As I understand it, the default Keystone policy file allows this by way of the cloud_admin rule, defined as follows:

"admin_required": "role:Admin",
"cloud_admin": "rule:admin_required and (is_admin_project:True or domain_id:<id of 'admin_domain'> or project_id:<id of services project>)"

with admin_project_name and admin_project_domain_name defined inside keystone.conf as 'admin' and 'admin_domain' respectively.

If I create a new domain 'newdomain' and inside that domain a new user 'newdomainuser', and then assign newdomainuser the 'admin' role on either or both of the admin project and the admin domain, then when I sign into Horizon as 'newdomainuser' I can only see 'newdomain' in Identity -> Domains and I cannot switch context to other domains.

If I configure an rc file for 'newdomainuser' with OS_PROJECT_DOMAIN_ID and OS_PROJECT_ID set to match the 'admin' project in the 'admin_domain' domain, then via the CLI I can list domains and perform operations as expected.

How can we allow users in domains other than the out-of-the-box 'admin_domain' to get full 'cloud_admin' functionality in Horizon?

** Affects: horizon
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1982944

Title: Users from other domains which should be matched by cloud_admin rule cannot list domains or switch domain context

Status in OpenStack Dashboard (Horizon): New
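An added worked example, not part of the bug report and not Keystone, Horizon or oslo.policy code: a small stand-in for oslo.policy's check-string evaluation (written for this note) applied to the two rules quoted above, with constructed placeholder ids standing in for 'admin_domain' and the services project. It lets you confirm which token scopes satisfy cloud_admin for a user who holds the 'admin' role, which is the difference between the rc-file CLI case and the Horizon case the report describes.

```python
import re

# Constructed placeholder ids: the report quotes the rule only with
# "<id of 'admin_domain'>" and "<id of services project>".
ADMIN_DOMAIN_ID = "admin-domain-id-placeholder"
SERVICE_PROJECT_ID = "service-project-id-placeholder"

# The two rules quoted in the report, with the placeholder ids substituted.
RULES = {
    "admin_required": "role:Admin",
    "cloud_admin": "rule:admin_required and (is_admin_project:True or "
                   f"domain_id:{ADMIN_DOMAIN_ID} or project_id:{SERVICE_PROJECT_ID})",
}
TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_]+:[^\s()]+")

def _leaf(kind, value, creds):
    """One 'kind:value' check, mirroring oslo.policy's Rule/Role/Generic checks."""
    if kind == "rule":
        return check(value, creds)
    if kind == "role":  # RoleCheck compares role names case-insensitively
        return value.lower() in [r.lower() for r in creds.get("roles", [])]
    # GenericCheck compares the string form of the credential value, so the
    # boolean is_admin_project=True in a token matches the literal "True".
    return str(creds.get(kind)) == value

def check(rule_name, creds):
    """Evaluate a named rule against token credentials (roles plus scope ids)."""
    tokens = TOKEN.findall(RULES[rule_name])
    def atom():  # '(' expr ')' | kind:value
        tok = tokens.pop(0)
        if tok == "(":
            val = expr()
            tokens.pop(0)  # consume ')'
            return val
        kind, value = tok.split(":", 1)
        return _leaf(kind, value, creds)
    def term():  # atom ('and' atom)*
        val = atom()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            val = atom() and val
        return val
    def expr():  # term ('or' term)*
        val = term()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            val = term() or val
        return val
    return expr()
```

Run against the scopes from the report, a token scoped to the 'admin' project in admin_domain (the rc-file case, where Keystone marks the token is_admin_project) or domain-scoped to admin_domain satisfies cloud_admin, while a token scoped inside 'newdomain' does not, even though the user holds the 'admin' role in every case.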