ganso | Hi folks. Quick question about the UI: I noticed that if you set up a user with just a reader role, the buttons to create volumes and networks disappear, but the buttons to create instances remain, despite the fact that the result will be a permission denied error when attempting to create instances. Is this by design or am I missing something that can hide the buttons to create instances? Same thing with VM snapshots. | 13:31 |
---|---|---|
rdopiera | ganso: the permission checks are not equally granular everywhere, this is not a big problem, because as you said you will get a permission error anyways, but it's something we can improve over time | 13:39 |
rdopiera | we didn't spend much time on this yet, because the services only recently all implemented the srbac stuff themselves | 13:40 |
ganso | rdopiera: thanks for the response, if the functionality to implement the buttons is implemented, is that something that could be backported (as long as the service supports RBAC in the release) ? | 13:43 |
ganso | to implement *hiding the buttons | 13:44 |
micwyszk | Hi all, regarding TLS on Placement, I raised a bug on Launchpad: https://bugs.launchpad.net/horizon/+bug/2054108 As I checked, devstack settings with tls-proxy will work (Ubuntu 22.04 & script install); however, e.g. on Kolla with a self-signed CA, a TLS error will appear. | 13:52 |
micwyszk | I think it's because when installed in a venv, placement API requests use the certifi-provided cert from the venv, not the system default ca-certificates, and the placement API function doesn't use OPENSTACK_SSL_NO_VERIFY or OPENSTACK_SSL_CACERT. | 13:52 |
rdopiera | I think so, it's just a question of writing the right checks | 13:52 |
rdopiera | micwyszk: I believe there is already work on passing the verify parameter to the placement code | 13:54 |
rdopiera | ganso: here is an example of the policy check for the launch instance button https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/instances/tables.py#L425 | 13:56 |
ganso | rdopiera: yep, I create the policy override: "os_compute_api:servers:create": "rule:project_member_or_admin" which implies that the policy is only allowed for members or admin, which readers are not. It still shows the button. I don't currently understand what is different about the UI code that hides the button or doesn't | 15:35 |
ganso | to me the code looks the same for the volume, network and instance page, but the result is different | 15:36 |
rdopiera | ganso: I think this is the angular version that doesn't handle the permissions correctly | 15:50 |
ganso | rdopiera: you mean the instances page uses angular while the volume and network pages use something else? | 15:51 |
rdopiera | ganso: yes, horizon was in the middle of being rewritten to angular, and some pages use it, and some are the classic python pages | 16:20 |
opendevreview | Radomir Dopieralski proposed openstack/horizon master: Add a setting for disabling dhcp agents column in the admin network view https://review.opendev.org/c/openstack/horizon/+/901984 | 16:36 |