diff --git a/clientdocs/README.md b/clientdocs/README.md index 3273470..6a30bb0 100644 --- a/clientdocs/README.md +++ b/clientdocs/README.md @@ -46,7 +46,12 @@ - **Templates.** `handover-pack.md`, `ci-integration-guide.md`, `acceptance-checklist.md`, `scripts/clouds.yaml.template`, and every file under `tenant-skill/` are reusable templates: `{{PLACEHOLDER}}` fields are - operator-filled at instantiation; a delivered copy contains none. The + operator-filled at instantiation; a delivered copy contains none. + Instantiation values: `{{DASHBOARD_URL}}` is the FULL client-facing URL + INCLUDING the webroot path (measure `juju config openstack-dashboard + webroot`; a bare VIP root does not reach the dashboard); `{{AUTH_URL}}` + and `{{REGION}}` are measured from the live catalog at instantiation, + never recalled. The tenant-skill placeholder set is exactly: `{{TENANT_SHORT_NAME}}`, `{{AUTH_URL}}`, `{{DASHBOARD_URL}}`, `{{REGION}}`, `{{ACCOUNT_CONTACT}}` -- enforced by `tests/clientdocs-skill/run-tests.sh`, which also gates diff --git a/clientdocs/acceptance-checklist.md b/clientdocs/acceptance-checklist.md index 0dac88d..9449d8f 100644 --- a/clientdocs/acceptance-checklist.md +++ b/clientdocs/acceptance-checklist.md @@ -24,13 +24,16 @@ |---|---|---|---|---| | A1 | Pipeline sign-in (application credential) | `openstack token issue` | a token, scoped to your project | You | | A2 | Cluster account sign-in (password) | as `{{TENANT_SHORT_NAME}}-cluster`: `openstack token issue` | a token, scoped to your project | You | -| A3 | Admin account sign-in (password, dashboard) | log in to {{DASHBOARD_URL}} as `{{TENANT_SHORT_NAME}}-domain-admin` with domain `{{TENANT_SHORT_NAME}}` | dashboard opens in your domain | You | +| A3 | Admin account sign-in (password, dashboard) | log in to {{DASHBOARD_URL}} as `{{TENANT_SHORT_NAME}}-domain-admin` with domain `{{TENANT_SHORT_NAME}}` | dashboard opens showing the Identity section; the error popups at this login are normal for this account -- dismiss them (see the Self-Service Guide) | You | | A4 | Endpoint discovery | `openstack catalog list` | every service used in sections B-H appears with an endpoint | You | | A5 | Quota envelope visible | `openstack limits show --absolute` | limits match your agreed quota | You | | A6 | Identity boundary (expected refusal) | with the application credential: `openstack user create ci-accept-probe` | permission DENIED -- identity work belongs to `-domain-admin` only | You | ## B. Identity self-service (as `{{TENANT_SHORT_NAME}}-domain-admin`) +Run these rows with the command-line client -- identity tasks are done +via the CLI today (the exact commands are in the Self-Service Guide). + | # | Proves | Minimal check | Expected result | Who | |---|---|---|---|---| | B1 | You can manage your own team | create user `ci-accept-user` in your domain, grant `member` on `{{TENANT_SHORT_NAME}}-prod`, then delete the user | create, grant, and delete all succeed | You | @@ -100,13 +103,14 @@ ## I. Object storage -The platform runs an object storage service (S3/Swift compatible). Whether -it is switched on for your accounts is confirmed at handover -- ask your -account contact before building on it. +The platform runs an object storage service (S3/Swift compatible), +available to your accounts. Run this row by hand, with the CLI or on the +dashboard's object storage page, whichever you prefer; the automated +runner lists it with the manual rows. | # | Proves | Minimal check | Expected result | Who | |---|---|---|---|---| -| I1 | Object storage enabled for you | `openstack container create ci-accept-bucket`, upload/download a small object, delete both | succeeds IF enabled for your accounts; otherwise ask us | You (after Us confirming) | +| I1 | Object storage lifecycle | `openstack container create ci-accept-bucket`, upload/download a small object, delete both (or the same via the dashboard) | all steps succeed | You | ## J. Operator-side paths (request drills) diff --git a/clientdocs/scripts/acceptance-run.sh b/clientdocs/scripts/acceptance-run.sh index d20f50e..bea8570 100644 --- a/clientdocs/scripts/acceptance-run.sh +++ b/clientdocs/scripts/acceptance-run.sh @@ -12,7 +12,7 @@ # Rows skipped: A2 A3 B1 B2 (need a password login) # D3 (needs interactive SSH) # H1 H2 H3 (need the -cluster password login) -# I1 (object storage -- confirm with your account contact) +# I1 (object storage -- run by hand, CLI or dashboard) # J1 J2 (request drills through your account contact) # Manual instructions for the skipped rows are printed at the end. # @@ -167,8 +167,9 @@ echo " H1-H3: as your -cluster account (password): show your cluster" echo " template, create/delete a test cluster, and confirm the same" echo " create is REFUSED with the application credential" - echo " I1: ask your account contact whether object storage is enabled" - echo " for you before testing it" + echo " I1: create a container ci-accept-bucket, upload/download a small" + echo " object, then delete both -- via the CLI (openstack container" + echo " create) or the dashboard's object storage page" echo " J1/J2: quota-change and escalation drills through your account contact" echo diff --git a/clientdocs/self-service-guide.md b/clientdocs/self-service-guide.md index 159fb23..6bcd2cb 100644 --- a/clientdocs/self-service-guide.md +++ b/clientdocs/self-service-guide.md @@ -26,12 +26,35 @@ members their own users and grant `member` on the project; don't hand out the admin account's password. +## What to expect on first login (dashboard) + +- As `-domain-admin`: three error popups appear at login ("Unable to + retrieve usage information", "Unable to retrieve compute limit + information", and a "local variable 'limits'..." message). These are + normal for this account and harmless -- it runs no workloads, so the + compute overview has nothing to show it. Dismiss them. The dashboard then + shows the Identity section only; that is this account's whole job. +- As `-cluster` or `-svc`: none of those popups; you land in the + full project view (compute, network, volumes, and so on). +- Application credentials and SSH keypairs are per-account: the dashboard + lists only the ones owned by the account you are signed in as. Your + automation credential appears only under `-svc`, and your SSH + keypair only under `-cluster` -- an empty page under the other + account is normal, not a missing resource. + ## Creating team users (as `-domain-admin`) -1. Create the user in your domain. -2. Grant them `member` (and `load-balancer_member` if they manage load - balancers) on your project. -3. They log in to the dashboard with your domain name + their username. +Team users are created with the command-line client today -- the dashboard, +signed in as `-domain-admin`, does not offer user creation. As +`-domain-admin`: + + openstack user create --domain --password-prompt + openstack role add --user --user-domain \ + --project member + +Grant `load-balancer_member` the same way for users who will manage load +balancers. The new user then logs in to the dashboard with your domain +name + their username. If a dashboard identity page refuses an action your account should be able to do, use the command-line client for that step and let us know -- the API diff --git a/clientdocs/sweep-receipt.txt b/clientdocs/sweep-receipt.txt index 6363c45..adc7c53 100644 --- a/clientdocs/sweep-receipt.txt +++ b/clientdocs/sweep-receipt.txt @@ -9,26 +9,26 @@ # Repo lint fails when any pinned file drifts, until clientdocs/ has been # reviewed for staleness and this receipt is re-recorded with: # bash scripts/repo-lint.sh --record-clientdocs-sweep -b6bedcf304a571be8e5246b210537db3007b271476f694e26601f32812e4559f clientdocs/README.md -9db7eddf7a63dd1855639bbe6657f56d2064316bcc26a229dd43489a1a2c7e9d clientdocs/acceptance-checklist.md +510222d55997d1729c5621dbf409d46b8d1a1bbd37c8bd6a1b04ed323bc01ac2 clientdocs/README.md +b402dda98d3fe63f9b8a6b2798b86dc0c41a8e9348cdc197f32265c1e7267289 clientdocs/acceptance-checklist.md 30c46fd7644637c0a929bfdd195c451dff8cd0df6785cccf3a304a8422b82711 clientdocs/ai-assistant-guide.md ae51da963d4d3704e6a1bd8613a243616ac22c0b973833b31f1bd22a40f3c66e clientdocs/ci-integration-guide.md 60c890b551e0a16d8d249fc809e2b561d44c6ec6121bf8a20f21e5fe6e2e9c60 clientdocs/handover-pack.md 3f08eb458bcbb36172a5ca2785a6ec72a69a4f8cd440fec53ed604f074b1b8c6 clientdocs/intake-form.md 96a077bb2e5732a0443683755bcefa044a603fe323024ca887165177e05c390b clientdocs/scripts/Jenkinsfile.example -4d63def4b32566507e5bc1da21670fcfe7622f0927d4886b179e17cbaac5690a clientdocs/scripts/acceptance-run.sh +1955db5d789a2e48d9054e307fbec2678efc1fbafda18103caa389cb896701fd clientdocs/scripts/acceptance-run.sh c2a2ff7ad719cb5866b1b58f5ca2cac930ccc99b96efaf8a3f12301d645727d3 clientdocs/scripts/ci-cleanup-sweep.sh d45eb3738d7fb2742ea1a3abb5af464df8a96bfd4e6c2f56b7182b42f997b289 clientdocs/scripts/clouds.yaml.template 3dd17ab9e95d99bea0c9f36a2662e77d25ea9d691f8c60d1d314f237c7c3f655 clientdocs/scripts/smoke-test.sh 7667bb1d2ff1e315f8ecaa2b4f680d04978a79ceeeb8cc3f5e16de2b295b2205 clientdocs/scripts/tenancy-audit.sh -092dde4720e81aab0aa7e3fdc4f8523799bd5395f3964afa1022b343e068ebd3 clientdocs/self-service-guide.md +f20aaadc560af4af558e3e70b228c342dd38b1632108ff276cbba46178b57f9a clientdocs/self-service-guide.md 7644e527b6ce66804fa9e08315e51e06159a8feb525a8b7d1b8c9edf23e4a86a clientdocs/tenant-skill/SKILL.md c7708c35d1d5fceab763268f6a10ed214e23e9458018b115cb944b6a3168f182 clientdocs/tenant-skill/references/ci-automation.md -a92e77ea77b572104831a39d83e85f2dfad10293f159f1930bb548e3f1cecee3 clientdocs/tenant-skill/references/day2-operations.md +22e7ec9c16bc66fcd64264ee2fb9bd2f12076594d7702ffd94bff0f00ddc7713 clientdocs/tenant-skill/references/day2-operations.md 69bd29f8c20d6a57cc5240e0fed6e8f5022683bf3ea687e74c761552993468a4 clientdocs/tenant-skill/references/kubernetes.md -d1a01b19650efb0caf14a992590b7606da3ddf76820a613096a296c6a5e2fd6d clientdocs/tenant-skill/references/troubleshooting.md +b844e00610df813275779320a13ecc131525a89b052bd5c8ab522d7666eb4fad clientdocs/tenant-skill/references/troubleshooting.md 2135f05ccdd411ce707bc6ec54c61040284259142b4b388c0c94cae5f6e7efcb clientdocs/welcome.md -04c0a08df9168448740514ae9763968eb7ea706cef58533c51c7448a5b0329c3 docs/tenant-onboarding-contract.md +e00900e6d08d19c195edee6cab5d8198295a35371cd6333a50ca5ad28940b129 docs/tenant-onboarding-contract.md 64f99b638a1855b02180e907c9535db8bddc5847a502759a9e0d63c513b63077 policies/domain-manager-policy.yaml 02fe1fd7fcf07bfc6088622d4aa8430da53e435d60006d0b81f6b9c2e720a011 policies/overrides.zip 30919b61b2b79b33a853a29bc814558d7e0e940a3040b2f7710ea9a14333b71a runbooks/appendix-C-identity-rbac.md diff --git a/clientdocs/tenant-skill/references/day2-operations.md b/clientdocs/tenant-skill/references/day2-operations.md index cca2405..ed4dff1 100644 --- a/clientdocs/tenant-skill/references/day2-operations.md +++ b/clientdocs/tenant-skill/references/day2-operations.md @@ -139,6 +139,10 @@ ## Team users (as `-domain-admin` -- the ONLY job for that account) +These commands are the supported path for identity work today: the +dashboard, signed in as `-domain-admin`, shows the Identity section +only and does not offer user creation. + openstack user create --domain {{TENANT_SHORT_NAME}} --password-prompt openstack role add --user --user-domain {{TENANT_SHORT_NAME}} \ --project {{TENANT_SHORT_NAME}}-prod member diff --git a/clientdocs/tenant-skill/references/troubleshooting.md b/clientdocs/tenant-skill/references/troubleshooting.md index d602b32..b10a2b7 100644 --- a/clientdocs/tenant-skill/references/troubleshooting.md +++ b/clientdocs/tenant-skill/references/troubleshooting.md @@ -75,9 +75,18 @@ ERROR. - Cluster build running for tens of minutes: normal. Only escalate on a FAILED status. +- Three error popups at dashboard login as `-domain-admin` ("Unable + to retrieve usage information", "Unable to retrieve compute limit + information", "local variable 'limits' referenced before + assignment"): normal for this account and harmless -- it runs no + workloads, so the compute overview has nothing to show it. Dismiss + them. They do not appear for the `-cluster` or `-svc` logins. - Dashboard refuses an identity action that `-domain-admin` should be - able to do: use the CLI for that step (the API has the full - capability set) and mention it to {{ACCOUNT_CONTACT}}. + able to do: expected today -- as `-domain-admin` the dashboard shows + the Identity section only, without user creation. Use the CLI for + that step (the API has the full capability set; the user-create + commands are in `references/day2-operations.md`); mention anything + beyond that known limitation to {{ACCOUNT_CONTACT}}. - SSH to a new VM times out: check (in order) the security group allows TCP/22 from your source range, the floating IP is attached, and you are using the right private key for diff --git a/docs/session-ledger.md b/docs/session-ledger.md index 4ed7664..975c564 100644 --- a/docs/session-ledger.md +++ b/docs/session-ledger.md @@ -295,12 +295,28 @@ (guard correctly blocks agent access to ~/vault-init); (b) deliver ~/devteam-package + the ~/tenant-devteam credential files in-person to the two named custodians. -2. **Operator manual item:** foil1 Horizon checks (contract 5.1/5.3) -- - domain-admin login + GUI probe-user create/delete; non-blocking. - devteam 5.1 reachability CONFIRMED 2026-07-07 (operator browser, - /horizon login page); devteam/foil1 5.3 GUI probe still open, plus one - operator re-browse of the httpS VIP ROOT to confirm the D-075 redirect - on the TLS leg (http leg verified from jumphost). +2. **Horizon contract checks: CLOSED for devteam (2026-07-07 full + three-account walkthrough, addendum 38).** 5.1 VERIFIED (login + + Identity-only view + expected popups); 5.3 verdict: GUI identity probe + FAILS as the contract anticipated -- CLOSED via the CLI-path clause + (DOCFIX-120 contract amendment); D-075 TLS-leg redirect CONFIRMED + (operator browser). Isolation, keypair asymmetry, per-user app-cred + visibility, and OBJECT STORAGE (container create/delete -- first live + proof, closes the acceptance-checklist caveat) all verified in-GUI. + foil1's own 5.1/5.3 rows: surface now proven on devteam; operator may + run or waive foil1's pass (non-blocking either way). +2c. **Dashboard policy override (GUI identity for manager persona): + first live apply FAILED acceptance + REVERTED 2026-07-07; rework IN + FLIGHT (background agent, worktree).** Zip mechanics + PO: activation + worked; panels rendered but page-level checks refused (Domains/ + Projects/Users/Groups "not authorized"); Roles panel popped two errors + then FORCED LOGOUT. Reverted to baseline in one config cycle + (operator-confirmed). Decision draft stays PROPOSED (uncommitted, + agent worktree; next-free D claimed at commit). Next: agent rework + (per-view rule/target mapping, logout root cause, scope-down to + Users+Projects, offline per-view semantic tests), then a second gated + apply in a later window. Clients are unaffected: CLI identity path is + the documented behavior. 2b. **D-075 RULED (option c) + EXECUTED 2026-07-07** (was: root-autoindex finding): redirect / -> /horizon + Options -Indexes via conf-enabled/99-omega-root.conf on the dashboard unit. First attempt @@ -325,6 +341,19 @@ addenda 27-33 (its backlog items 6/7/8 delivered here; its Verify-live queue fully cleared; D-050/D-073/D-074 all resolved). +- **Horizon three-account walkthrough + docs alignment (2026-07-07 cont., + addendum 38):** operator live-tested all three devteam accounts in the + GUI; every observation contract-correct (details in item 2 above). + DOCFIX-119: clientdocs aligned to observed GUI reality (5 files by + background docs agent -- first-login expectations, CLI user-creation + commands, popup signatures, object-storage row de-hedged + acceptance + script aligned; harnesses 8/8 + 47/47; L7 receipt re-recorded) + README + instantiation guidance (DASHBOARD_URL includes webroot). DOCFIX-120: + contract section 5 amended with live verdicts (5.1 verified; 5.3 + closed-by-CLI-clause; stage-7 canary marked IMPLEMENTED). Package + RE-INSTANTIATED to ~/devteam-package from updated templates (incl. + /horizon URL); OPERATOR: re-copy to local + deliver. Dashboard + override attempt/revert logged in item 2c. - **devteam intake + quota + pack instantiation (2026-07-07 cont., addendum 35):** intake walkthrough with operator (7 sections; CIDR + short name pre-settled by rulings); quota set devteam-prod 10/20/51200 diff --git a/docs/tenant-onboarding-contract.md b/docs/tenant-onboarding-contract.md index 21ec5b9..15dc33f 100644 --- a/docs/tenant-onboarding-contract.md +++ b/docs/tenant-onboarding-contract.md @@ -91,16 +91,27 @@ ## 5. Onboarding confirmation set ("access confirmed" means all of these) 1. **Horizon login** as `-domain-admin`, domain-scoped -- at onboarding. + VERIFIED LIVE 2026-07-07 (devteam, full three-account walkthrough): login + succeeds; the dashboard shows the Identity section only; three error popups + at login (compute usage/limits 403s + a cosmetic follow-on) are EXPECTED for + this no-project-scope persona and are documented client-side. 2. **API/CLI auth** for all three identities (the script asserts a token per identity inline at each stage). 3. **Horizon identity self-service probe** -- manager creates and deletes a probe user - via the GUI. VERIFY-LIVE: Horizon has its own policy layer and the GUI path for - manager-role identity ops is historically the weak point; if it fails, the - contract documents CLI as the identity path until fixed. + via the GUI. VERDICT (live 2026-07-07): FAILS as anticipated -- Horizon enforces + its own local policy copies, which predate the manager persona: no Users panel, + empty Projects list. Per this clause, CLI IS the documented identity path (client + docs updated accordingly; the API capability itself is live-proven by stage 2). + A dashboard-charm policy override is under investigation (see the dashboard + policy override decision draft); its first live apply was reverted -- panels + rendered but page-level checks refused, and the Roles panel triggered a session + logout. Until a revised override passes the browser acceptance walk, this item + is closed by the CLI-path clause, not open. 4. **Tenant access-proof (the "SSH access" confirmation)**: boot a canary instance on the tenant network, attach a FIP, SSH in with the tenant keypair, tear down. Proves end-to-end that the tenant can reach workloads inside their domain. - PROPOSED as an optional stage-7 / first acceptance item -- not yet implemented. + IMPLEMENTED as onboarding stage 7 (explicit-only canary); executed live for + foil1 and devteam. ## 6. Hardening against technician knowledge gaps diff --git a/docs/v1-redeploy-changelog.md b/docs/v1-redeploy-changelog.md index c7e4329..980e569 100644 --- a/docs/v1-redeploy-changelog.md +++ b/docs/v1-redeploy-changelog.md @@ -2812,3 +2812,51 @@ REVERT: on-unit `sudo a2disconf 99-omega-root && sudo systemctl reload apache2`; git checkout HEAD~ -- docs/design-decisions.md runbooks/phase-03-core-verify.md runbooks/appendix-A-troubleshooting.md docs/session-ledger.md docs/v1-redeploy-changelog.md Next-free after this push (per scan, keep this line unwrapped): D-076, DOCFIX-119, BUNDLEFIX-012. + +### 2026-07-07 (addendum 38, jumphost stream) -- Horizon three-account walkthrough (contract live evidence); DOCFIX-119/120; dashboard override first apply REVERTED + +Operator-driven browser walkthrough of all three devteam accounts -- the first +live execution of the contract section-5 confirmation set. Same logged window. + +- **Walkthrough verdicts (all contract-correct):** `-domain-admin`: login OK, + Identity-only view, three popups = correct nova refusals + one cosmetic + upstream wart; Users panel ABSENT + Projects empty = the VERIFY-LIVE weak + point confirmed (Horizon local policy predates the manager persona). + `-cluster`: popup-free full project view; keypair visible; tenant + shared + resources only -- GUI isolation confirmed. `-svc`: as `-cluster` but keypair + page empty (user-scoped asymmetry as documented) and its app cred visible. + **Object storage: container create/delete succeeded as `-cluster` -- FIRST + live proof of tenant radosgw; the acceptance-checklist "confirm-first" + caveat is closed by evidence.** D-075 TLS-leg redirect also confirmed. +- **DOCFIX-119 -- clientdocs aligned to observed GUI reality** (drafted by a + background agent in a worktree from live findings, reviewed + integrated): + self-service-guide "What to expect on first login" + CLI user-creation + commands; tenant-skill troubleshooting popup signatures + expected-today + identity rewording; day2-operations CLI lead-in; acceptance-checklist A3 + popup note, section-B CLI note, section I de-hedged to expected-pass; + acceptance-run.sh manual-row instructions aligned (no behavior change). + Gates: clientdocs-skill 8/8, clientdocs-scripts 47/47, L7 receipt + re-recorded after review. Plus README instantiation guidance: + DASHBOARD_URL is the FULL URL incl. webroot (the addendum-36 lesson). +- **DOCFIX-120 -- contract section 5 live verdicts:** 5.1 VERIFIED (devteam); + 5.3 FAILS-as-anticipated, CLOSED via its own CLI-path clause (API + capability live-proven by stage 2); item 4 canary marked IMPLEMENTED as + stage 7 (was stale "not yet implemented"). +- **Dashboard policy override -- first live apply FAILED acceptance, + REVERTED (evidence for the PROPOSED decision draft, next-free D claimed + at its commit):** background agent drafted a 10-rule identity override + (worktree, harness 14/14); gated apply: attach + enable -> "PO: Unit is + ready". Browser walk FAILED: panels rendered (panel-gate fix effective) + but Domains/Projects/Users/Groups pages refused at view level; Roles + panel raised two popups then FORCED SESSION LOGOUT. Reverted + (use-policyd-override=false); baseline re-confirmed by operator. Rework + in flight: per-view rule/target mapping, logout root cause, scope-down + to Users+Projects, offline per-view semantic tests. Client impact: none + (CLI identity path is the documented behavior). +- **Package:** ~/devteam-package re-instantiated from the updated templates + (all 9 values incl. the /horizon URL; operator CA copy preserved); + operator re-copies + delivers. +- Numbers consumed: DOCFIX-119, DOCFIX-120. +REVERT: git checkout HEAD~ -- clientdocs docs/tenant-onboarding-contract.md docs/session-ledger.md docs/v1-redeploy-changelog.md; then bash scripts/repo-lint.sh --record-clientdocs-sweep (re-pin the receipt); cloud-side already reverted in-window. + +Next-free after this push (per scan, keep this line unwrapped): D-076, DOCFIX-121, BUNDLEFIX-012.