yahoo-eng-team team mailing list archive

[Bug 1328052] [NEW] Using the v3cloudsample policy file, project admins can't administer users

Public bug reported:

Project admins should be allowed to create, list, edit and delete users
in their domains. Here is the rule from the v3cloudsample policy file:

    "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
    "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
    "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
    "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
    "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",

However, when I try it I get a "forbidden" error, and I can only use
credentials of an admin on the domain to perform these actions. To
recreate:

1) Authenticate as the cloud admin
2) Create a domain
3) Create a user in the new domain and give it the "admin" role on the domain
4) Authenticate as the domain admin
5) Create a project in the domain
6) Create a user and give it the "admin" role on the project
7) Authenticate as the project admin
8) Try to create more users for your project, or edit/delete users in your project

=> forbidden

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1328052

Title:
  Using the v3cloudsample policy file, project admins can't administer
  users

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1328052/+subscriptions
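Added example (not Keystone's own policy engine): a minimal evaluator for the subset of the policy rule language these rules use, run against the rules quoted in the report. The constructed credential dicts assume that a domain-scoped token exposes a domain_id credential while a project-scoped token exposes only project_id, and the admin_required / cloud_admin definitions are taken from the sample file, which the report does not quote.

```python
import re

# Rules quoted in the bug report, plus the two helper rules they reference.
# admin_required / cloud_admin values are assumed (not quoted in the report).
RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "admin_and_matching_target_user_domain_id":
        "rule:admin_required and domain_id:%(target.user.domain_id)s",
    "admin_and_matching_user_domain_id":
        "rule:admin_required and domain_id:%(user.domain_id)s",
    "identity:create_user":
        "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
    "identity:delete_user":
        "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
}

def lookup(target, dotted):
    # "target.user.domain_id" -> target["target"]["user"]["domain_id"]
    value = target
    for part in dotted.split("."):
        value = value[part]
    return value

def check(expr, creds, target):
    # Subset of the grammar used above: "or" binds looser than "and";
    # leaves are rule:<name>, role:<name> or <cred_key>:<value>.
    if " or " in expr:
        return any(check(e, creds, target) for e in expr.split(" or "))
    if " and " in expr:
        return all(check(e, creds, target) for e in expr.split(" and "))
    kind, _, arg = expr.partition(":")
    if kind == "rule":
        return check(RULES[arg], creds, target)
    if kind == "role":
        return arg in creds.get("roles", [])
    # Generic check: creds[kind] must equal the literal, or the %(path)s
    # value substituted from the request target.
    m = re.fullmatch(r"%\((.+)\)s", arg)
    expected = lookup(target, m.group(1)) if m else arg
    return kind in creds and creds[kind] == expected

def enforce(action, creds, target):
    return check(RULES[action], creds, target)

# Constructed credentials for the three actors in the reproduction steps.
CLOUD_ADMIN = {"roles": ["admin"], "domain_id": "admin_domain_id"}
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "d1"}      # domain-scoped token
PROJECT_ADMIN = {"roles": ["admin"], "project_id": "p1"}    # project-scoped token
NEW_USER = {"user": {"name": "bob", "domain_id": "d1"}}     # create_user body
```

With these inputs the domain admin passes identity:create_user because the domain_id credential matches the new user's domain, while the project admin has no domain_id credential at all, so the matching-domain rule can never be satisfied and only cloud_admin remains.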
