"Unable to retrive container list" in Horizon for member
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Fuel for OpenStack |
Fix Released
|
Low
|
Matthew Mosesohn |
Bug Description
"release": "3.2.1",
"nailgun_sha": "51fd1d386b8cfc
"ostf_sha": "c70535553616d3
"astute_sha": "df6ddea3abc93f
"fuellib_sha": "e1e14026d78848
1. Create new environment (CentOS, HA mode)
2. Add 3 controllers, 1 compute, 3 cinder nodes
3. Start deployment. It was successful
4. Go to Horizon
5. Create new user with role member
6. Login into Horizon inder added user
7. Click in left menu to Containers. Error presents "Unable to retrive container list"
Warning in ./node-
warning: WARNING ESC[31;
Changed in fuel: | |
milestone: | none → 4.0 |
importance: | Undecided → Low |
Changed in fuel: | |
assignee: | Vladimir Kuklin (vkuklin) → nobody |
Changed in fuel: | |
assignee: | nobody → Matthew Mosesohn (raytrac3r) |
status: | New → In Progress |
Changed in fuel: | |
status: | In Progress → Fix Committed |
Changed in fuel: | |
status: | Fix Committed → Fix Released |
This problem relates to the core problem that Swift admin tasks are quite limited in Horizon and by default, Swift is reserved for Admins only.
I'm paraphrasing documentation from these two sources: docs.openstack. org/developer/ swift/overview_ auth.html rtg.in. ua/blog/ openstack- swift-and- keystone- setting- up-cloud- storage/
http://
http://
The expected tenant admin behavior is as follows:
1 - Users who should manage all swift object stores should be given SwiftOperator role (it exists in our conf, but not the role itself)
2 - Users who should get a container should have an object created for them (CLI only, not via Horizon)
3 - Non-privileged users who don't get assigned any containers don't have any swift access at all.
The error in Horizon is correct because unless you're a Swift operator, you don't get to list any objects.
We have two routes to solve this: proxy:: keystone with $operator_roles = ['admin', 'SwiftOperator', 'Member']. This should be discussed and we'll decide if this is beneficial.
1 - Create SwiftOperator role when deploying Fuel so that it can be delegated for a project if needed. (We should definitely do this)
2 - Allow (either always or with a config option) admin swift access for users by default by calling swift::