Projects can't be selected in horizon via user group membership

asked 2019-12-19 15:07:24 -0500

bhaller

updated 2019-12-20 09:25:37 -0500

Train release. One cloud domain and two subdomains. New install, with some projects, groups, and users created as a test environment via packstack. Users add to groups OK. admin, member, and reader roles can be added to users and groups OK for projects OK. Database entries look OK as each is added.

In the web Horizon interface, if I configure a user as an admin on their own personal project in one of the subdomains, they can see all projects in the domain. However, in this case, they still don't seem to be recognized as group members because there is no "set project active" option for the projects they are members of. They just get project visibility.

If they are member only everywhere instead of admin on their own project, they can only see their own personal project and not other projects they are members of via group rules.

How can a member access projects via Horizon if the projects aren't made visible via group membership, and what's the point of groups if you can't use them? This is with default JSON policy rules in keystone and openstack-dashboard. Setting scope enforcement in keystone seems to restrict things to the point of unusability, so that is false for now, but multidomain is turned on and selectable on login to Horizon.

I'm sure it is something simple I'm missing, but none of the documentation I've seen in http://openstack.org talks about how to use groups. There are examples of how to enter the group commands that all work, but not what to do if something goes wrong with group RBAC rules.

Thanks.

Additional info - if I set membership by user instead of group, then I get the set project active option for user membership groups - just no group rules seem to apply. I know that Train has revamped the previous JSON and is moving to policy by code vs the older v3 cloud JSON option - have group roles just not made it there yet, and if so, when are they likely to hit? Having to deal with a large user base and a lot of projects by users will be a hassle.

In fact, having a GroupGroup assignment table entry where you could take an existing group and make it part of another group with a new role would be great so you could keep people in departments and department groups and then make those groups stack up to a company wide group for company wide documents.

Thanks again.
