yahoo-eng-team team mailing list archive

[Bug 1267187] [NEW] Keystone policy.v3cloudsample.json doesn't allow proper resources management


Public bug reported:

When using the current ``etc/policy.v3cloudsample.json`` file as
Keystone's ``/etc/keystone/policy.json`` file (with
``admin_domain_id`` properly configured), the following issues arise:

* The cloud_admin user cannot manage users in domains other than the
  ``cloud`` domain. For instance, once the cloud_admin has created a brand
  new domain, he cannot create a user in this domain.

* The cloud_admin cannot manage roles on domains other than the
  ``cloud`` domain. For instance, if the cloud_admin managed to create a
  domain and a user in this new domain, he cannot grant the ``admin``
  role on the domain to this new user.

* A domain administrator (user with the ``admin`` role on the domain)
  cannot manage roles on projects in his own domain. For instance, a
  domain administrator can create a project and a user in his domain,
  but he cannot grant the Member role on the project to the new user.

With the following additional rules, one would have an operational
Identity v3 API enabled setting:

* The cloud_admin should be allowed to manage users in any domain.

* The cloud_admin should be allowed to manage roles on any domain.

* Domain administrators should be allowed to manage roles on any
  project in their own domain.

** Affects: keystone
     Importance: Undecided
     Assignee: Florent Flament (florent-flament-ext)
         Status: In Progress

** Changed in: keystone
     Assignee: (unassigned) => Florent Flament (florent-flament-ext)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1267187

Title:
  Keystone policy.v3cloudsample.json doesn't allow proper resources
  management

Status in OpenStack Identity (Keystone):
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1267187/+subscriptions
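To make the reported behaviour concrete, the block below is an added example (not Keystone's code and not part of the bug report) that implements a small subset of the policy.json rule language used by Keystone: ``role:X``, ``rule:name``, ``domain_id:<literal>`` and ``domain_id:%(domain_id)s`` checks joined by ``and`` / ``or``. The rule strings in it are constructed to mirror the shape of ``policy.v3cloudsample.json``, not copied from the file, and ``ADMIN_DOMAIN_ID`` stands for whatever value an operator substitutes for ``admin_domain_id``. It evaluates the same ``identity:create_user`` request once with a domain-matching rule only (which denies the cloud_admin outside its own domain, as the first bullet describes) and once with a ``rule:cloud_admin or ...`` alternative added, and it also goes one step beyond the report by checking that the extra alternative does not let an ordinary domain admin act outside his own domain.

```python
"""Toy evaluator for a subset of Keystone's policy.json rule language.

Added example, not Keystone's code. The rule strings are constructed to
mirror the shape of policy.v3cloudsample.json; they are not a copy of it.
"""

# Assumption: the operator replaced "admin_domain_id" in the sample with this id.
ADMIN_DOMAIN_ID = "cloud-domain-id"

# Constructed rule set in which "identity:create_user" only admits an admin
# whose own domain matches the target user's domain (the reported behaviour).
RESTRICTIVE_RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:" + ADMIN_DOMAIN_ID,
    "admin_and_matching_domain_id":
        "rule:admin_required and domain_id:%(domain_id)s",
    "identity:create_user": "rule:admin_and_matching_domain_id",
}

# Same rules with the additional alternative the bug report asks for:
# the cloud_admin may create users in any domain.
PERMISSIVE_RULES = dict(RESTRICTIVE_RULES)
PERMISSIVE_RULES["identity:create_user"] = (
    "rule:cloud_admin or rule:admin_and_matching_domain_id"
)


def _check_atom(atom, creds, target, rules):
    """Evaluate one "kind:match" check against the caller's credentials."""
    kind, _, match = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return evaluate(match, creds, target, rules)
    if kind == "role":                      # caller must hold this role
        return match in creds.get("roles", [])
    # Generic check: "%(key)s" is filled in from the target (the resource
    # being acted on), then compared with the same-named credential attribute.
    # A literal such as "domain_id:cloud-domain-id" is compared as-is.
    try:
        expected = match % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == expected


def evaluate(rule_name, creds, target, rules):
    """Return True if the named rule grants access.

    "and" binds tighter than "or"; parentheses are not supported here.
    """
    expression = rules[rule_name]
    for disjunct in expression.split(" or "):
        if all(_check_atom(atom.strip(), creds, target, rules)
               for atom in disjunct.split(" and ")):
            return True
    return False


def can_create_user(caller_domain_id, target_domain_id, rules):
    """Can an admin of caller_domain_id create a user in target_domain_id?"""
    creds = {"roles": ["admin"], "domain_id": caller_domain_id}
    target = {"domain_id": target_domain_id}
    return evaluate("identity:create_user", creds, target, rules)


if __name__ == "__main__":
    for name, rules in (("sample-like", RESTRICTIVE_RULES),
                        ("extended", PERMISSIVE_RULES)):
        print(name, "cloud_admin -> new-domain:",
              can_create_user(ADMIN_DOMAIN_ID, "new-domain", rules))
        print(name, "new-domain admin -> other-domain:",
              can_create_user("new-domain", "other-domain", rules))
```

The evaluator follows the semantics of the real policy engine for this subset: a ``%(key)s`` on the right-hand side is interpolated from the target before comparison, while a bare literal is compared directly, which is why the sample file only works once ``admin_domain_id`` has been replaced by the actual id of the cloud domain. Running the block prints ``False`` for the cloud_admin under the sample-like rules and ``True`` under the extended ones, while the ``new-domain`` admin stays denied outside his domain in both.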