yahoo-eng-team team mailing list archive

[Bug 1305606] Re: User with "Member" role should be able to execute user-get api

 

This is partially "Won't Fix" (because `keystone user-get` calls v2
which does not take advantage of etc/policy.json), and partially
"Invalid." (because `openstack user get --identity-api-version=3` can
use v3, and the v3 implementation of this call already utilizes
etc/policy.json, where you can authorize whatever roles you'd like to
make this call).

** Changed in: keystone
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1305606

Title:
  User with "Member" role should be able to execute user-get api

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  User demo (MEMBER role) cannot execute user-get (GET /v2.0/users/demo
  HTTP/1.1" 403)

  source openrc demo demo
  keystone user-get demo 
  You are not authorized to perform the requested action, admin_required. (HTTP 403)

  But user with admin role in tenant can check his details.
  Also the extra field in user is not fetched after making the GET call

  source openrc admin demo
  devstack$ keystone user-get demo 
  +----------+----------------------------------+
  | Property |              Value               |
  +----------+----------------------------------+
  |  email   |         demo@xxxxxxxxxxx         |
  | enabled  |               True               |
  |    id    | bd5d9664372b4c88bb7aef77b8f45310 |
  |   name   |               demo               |
  | tenantId | a04ed8cef5ff49058647a1ae517ef21e |
  | username |               demo               |
  +----------+----------------------------------+

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1305606/+subscriptions
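
The comment above says the v3 call is authorized through etc/policy.json. The following is an added example, not part of the bug report and not Keystone's own code: a simplified model of how such a rule is evaluated, comparing three candidate settings for the user-get rule. The rule strings, the "identity:get_user" key and the demo/admin credentials are constructed for illustration and assume the policy.json rule syntax; the point is that granting the call to role:Member lets a member read any user's record, while an owner check limits it to the caller's own.

```python
# Added illustration: a simplified model of policy.json rule evaluation,
# not Keystone's own policy engine. Handles only "or", "rule:", "role:"
# and "field:value" checks. All ids and credentials below are constructed.

BASE = {
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
}
# Three candidate settings for the v3 user-get rule.
ADMIN_ONLY = {**BASE, "identity:get_user": "rule:admin_required"}
ANY_MEMBER = {**BASE, "identity:get_user": "rule:admin_required or role:Member"}
OWNER_ONLY = {**BASE, "identity:get_user": "rule:admin_or_owner"}

DEMO = {"user_id": "demo-id", "roles": ["Member"]}
ADMIN = {"user_id": "admin-id", "roles": ["admin"]}


def check(policy, rule, creds, target):
    """Return True if any 'or' alternative of the named rule matches."""
    for term in policy[rule].split(" or "):
        kind, _, match = term.strip().partition(":")
        if kind == "rule":
            ok = check(policy, match, creds, target)
        elif kind == "role":
            ok = match.lower() in [r.lower() for r in creds.get("roles", [])]
        else:
            # Compare a credential field with a literal, or with a %(name)s
            # value substituted from the request target.
            try:
                ok = str(creds.get(kind)) == match % target
            except KeyError:
                ok = False
        if ok:
            return True
    return False


def get_user_allowed(policy, creds, target_user_id):
    """Decide whether creds may read the user record target_user_id."""
    return check(policy, "identity:get_user", creds, {"user_id": target_user_id})


if __name__ == "__main__":
    for name, pol in [("admin only", ADMIN_ONLY), ("any Member", ANY_MEMBER),
                      ("admin or owner", OWNER_ONLY)]:
        print(name, "| own record:", get_user_allowed(pol, DEMO, "demo-id"),
              "| other user's record:", get_user_allowed(pol, DEMO, "other-id"))
```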