Page MenuHomePhabricator
Create Task
Maniphest T196200

Provide a way for OpenStack admins to manage projects they don't belong to in Horizon
Open, LowPublic
Actions

Description

Currently a user can only access the 'Project Members' tab of a project if that user is a project admin in the project. That creates a chicken/egg issue for new projects.

There are a few possible workarounds. In theory Horizon should show ALL projects to someone who is admin in admin when 'admin' is the current project. That may be fixable. Also, in some (future? present?) version of keystone we can add roles on the default container and just give admins 'projectadmin' on that, which would give them defacto projectadmin everywhere.

Event Timeline

Andrew created this task.Jun 1 2018, 10:55 PM
Liuxinyu970226 unsubscribed.Jun 2 2018, 2:15 PM
Vvjjkkii renamed this task from Provide a way for OpenStack admins to manage projects they don't belong to to btbaaaaaaa.Jul 1 2018, 1:08 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii added projects: CheckUser, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), Tamil-Sites, Gamepress, Hashtags, Jade, KartoEditor, Language-2018-Apr-June, New-Editor-Experiences, Mail, TCB-Team (now WMDE-TechWish).
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed subscribers: Aklapper, gerritbot, MarcoAurelio.
TerraCodes renamed this task from btbaaaaaaa to Provide a way for OpenStack admins to manage projects they don't belong to.Jul 1 2018, 12:52 PM
TerraCodes raised the priority of this task from High to Needs Triage.
TerraCodes removed projects: TCB-Team (now WMDE-TechWish), Mail, New-Editor-Experiences, Language-2018-Apr-June, KartoEditor, Jade, Hashtags, Gamepress, Tamil-Sites, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), CheckUser.
TerraCodes updated the task description. (Show Details)
TerraCodes added subscribers: Aklapper, gerritbot, MarcoAurelio.
Liuxinyu970226 subscribed.Nov 6 2018, 12:33 PM
GTirloni edited projects, added cloud-services-team (Kanban); removed cloud-services-team.Mar 21 2019, 6:52 PM
GTirloni added a project: Cloud-VPS.
bd808 renamed this task from Provide a way for OpenStack admins to manage projects they don't belong to to Provide a way for OpenStack admins to manage projects they don't belong to in Horizon.Nov 10 2019, 11:11 PM
bd808 triaged this task as Low priority.
bd808 edited projects, added Horizon; removed Cloud-VPS, wikitech.wikimedia.org, MediaWiki-extensions-OpenStackManager.
bd808 removed a parent task: T161553: Remove OpenStackManager from Wikitech.
taavi edited projects, added Cloud-VPS; removed Horizon.Feb 25 2022, 9:23 PM
taavi subscribed.

This is possible by granting the admin role on the default domain with the "inherited" option enabled. For example:

taavi@cloudcontrol1004 ~ $ os role assignment list --user taavi --domain default --names
+-------+-----------------+-------+---------+---------+--------+-----------+
| Role  | User            | Group | Project | Domain  | System | Inherited |
+-------+-----------------+-------+---------+---------+--------+-----------+
| admin | Majavah@Default |       |         | Default |        | True      |
+-------+-----------------+-------+---------+---------+--------+-----------+

This means that we can:

fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 9:44 PM
fnegri moved this task from Kanban to Inbox on the cloud-services-team board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL