yahoo-eng-team team mailing list archive
Message #13690
[Bug 1305606] Re: User with "Member" role should be able to execute user-get api
This is partially "Won't Fix" (because `keystone user-get` calls v2
which does not take advantage of etc/policy.json), and partially
"Invalid." (because `openstack user get --identity-api-version=3` can
use v3, and the v3 implementation of this call already utilizes
etc/policy.json, where you can authorize whatever roles you'd like to
make this call).
** Changed in: keystone
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1305606
Title:
User with "Member" role should be able to execute user-get api
Status in OpenStack Identity (Keystone):
Invalid
Bug description:
User demo (MEMBER role) cannot execute user-get (GET /v2.0/users/demo
HTTP/1.1" 403)
source openrc demo demo
keystone user-get demo
You are not authorized to perform the requested action, admin_required. (HTTP 403)
But a user with the admin role in the tenant can check his details.
Also, the extra field in the user is not fetched after making the GET call.
source openrc admin demo
devstack$ keystone user-get demo
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | demo@xxxxxxxxxxx                 |
| enabled  | True                             |
| id       | bd5d9664372b4c88bb7aef77b8f45310 |
| name     | demo                             |
| tenantId | a04ed8cef5ff49058647a1ae517ef21e |
| username | demo                             |
+----------+----------------------------------+
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1305606/+subscriptions
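
Added example, not part of the original message and not Keystone's own code: a simplified evaluator for "or"-joined policy.json rules, comparing three ways the v3 user-get rule could be written. The rule names (identity:get_user, admin_required, owner) are assumed to follow Keystone's stock v3 policy file, and the user ids are constructed.

```python
import re

# Rule names assumed to follow Keystone's stock v3 policy file; values are constructed.
BASE = {"admin_required": "role:admin or is_admin:1",
        "owner": "user_id:%(user_id)s"}
POLICIES = {
    # admin only: matches the 403 "admin_required" behaviour in the report
    "default": dict(BASE, **{"identity:get_user": "rule:admin_required"}),
    # any Member may read ANY user record (broader than the request needs)
    "any_member": dict(BASE, **{"identity:get_user": "rule:admin_required or role:Member"}),
    # least privilege: admins, or a user reading their own record
    "owner_only": dict(BASE, **{"identity:get_user": "rule:admin_required or rule:owner"}),
}

def check(policy, rule, creds, target):
    """Evaluate an 'or'-joined rule; a stand-in for the real policy engine."""
    for term in policy[rule].split(" or "):
        kind, _, match = term.strip().partition(":")
        if kind == "rule":          # reference to another named rule
            ok = check(policy, match, creds, target)
        elif kind == "role":        # role names compared case-insensitively
            ok = match.lower() in (r.lower() for r in creds.get("roles", []))
        else:                       # credential attribute vs literal or %(target_key)s
            m = re.fullmatch(r"%\((\w+)\)s", match)
            expected = target.get(m.group(1)) if m else match
            ok = kind in creds and expected is not None \
                and str(creds[kind]) == str(expected)
        if ok:
            return True
    return False

# Constructed callers: a Member-only user and an admin.
DEMO = {"user_id": "demo-id", "roles": ["Member"]}
ADMIN = {"user_id": "admin-id", "roles": ["admin"]}

def can_get_user(policy_name, creds, target_user_id):
    """True if creds may fetch the user record identified by target_user_id."""
    return check(POLICIES[policy_name], "identity:get_user",
                 creds, {"user_id": target_user_id})

if __name__ == "__main__":
    for name in POLICIES:
        print(name,
              "| demo->self:", can_get_user(name, DEMO, "demo-id"),
              "| demo->other:", can_get_user(name, DEMO, "alice-id"),
              "| admin->other:", can_get_user(name, ADMIN, "alice-id"))
```

Granting role:Member directly lets every member read every user record, while the owner form limits a non-admin to their own.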