yahoo-eng-team team mailing list archive

[Bug 1328052] Re: Using the v3cloudsample policy file, project admins can't administer users

I don't think you should report this as a bug. The v3cloudsample policy file
is just a reference. You could easily modify it to meet your needs.
For example, you could do:

"project_admin_required": "role:admin and project_id:%(target.user.default_project_id)s",
"identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id or rule:project_admin_required",
"identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:project_admin_required",
"identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:project_admin_required"

Caution: The above rules work when you assign a default project while
creating the user.

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1328052

Title:
  Using the v3cloudsample policy file, project admins can't administer
  users

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  Project admins should be allowed to create, list, edit and delete
  users in their domains. Here is the rule from the v3cloudsample policy
  file:

      "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
      "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
      "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
      "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
      "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
      "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
      "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",

  However when I try it I get a "forbidden" error, and I can only use
  credentials of an admin on the domain to perform these actions. To
  recreate:

  1) Authenticate as the cloud admin
  2) Create a domain
  3) Create a user in the new domain and give it the "admin" role on the domain
  4) Authenticate as the domain admin
  5) Create a project in the domain
  6) Create a user and give it the "admin" role on the project
  7) Authenticate as the project admin
  8) Try to create more users for your project, or edit/delete users in your project

  => forbidden

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1328052/+subscriptions
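To see why steps 7 and 8 of the reproduction end in "forbidden" and what the proposed project_admin_required rule changes, here is an added example that is not code from this thread, from keystone or from oslo.policy: a small Python re-implementation of the rule-language subset the quoted policy uses (rule:, role:, a token attribute compared with a %(target.…)s attribute, and/or, no parentheses). It assumes the admin_required and cloud_admin definitions from v3cloudsample ("role:admin or is_admin:1" and "rule:admin_required and domain_id:admin_domain_id"), that keystone puts domain_id into the policy credentials only for domain-scoped tokens and project_id only for project-scoped ones, and that the user being edited is exposed to the policy as flat target.user.* keys as the quoted rules show. The identifiers d1, p1, p2 and the credential dicts are constructed for the example.

```python
# Added example: a constructed, simplified evaluator for the subset of the
# oslo.policy rule language that keystone's v3cloudsample file uses
# ('rule:', 'role:', '<cred>:%(target.key)s', 'and'/'or', no parentheses).
# It is not oslo.policy or keystone code; it only models how these rules
# are decided for the three tokens used in the reproduction steps.

SAMPLE_RULES = {
    # Definitions assumed from v3cloudsample (admin_domain_id is the
    # placeholder the sample file ships with).
    "admin_required": "role:admin or is_admin:1",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    # Rules quoted in the bug report.
    "admin_and_matching_target_user_domain_id":
        "rule:admin_required and domain_id:%(target.user.domain_id)s",
    "identity:update_user":
        "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
    "identity:delete_user":
        "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
}

# The change proposed in the reply (with no space after 'rule:').
PROPOSED_RULES = dict(SAMPLE_RULES)
PROPOSED_RULES.update({
    "project_admin_required":
        "role:admin and project_id:%(target.user.default_project_id)s",
    "identity:update_user":
        "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id"
        " or rule:project_admin_required",
    "identity:delete_user":
        "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id"
        " or rule:project_admin_required",
})


def _check(token, rules, creds, target):
    """Evaluate one 'kind:match' check against the token creds and target."""
    kind, match = token.split(":", 1)
    if kind == "rule":
        return evaluate(rules[match], rules, creds, target)
    if kind == "role":
        return match.lower() in {r.lower() for r in creds.get("roles", [])}
    if kind not in creds:             # e.g. no domain_id in a project-scoped token
        return False
    if match.startswith("%(") and match.endswith(")s"):
        key = match[2:-2]             # generic check: cred attr vs target attr
        return key in target and str(creds[kind]) == str(target[key])
    return str(creds[kind]) == match  # literal comparison


def evaluate(rule, rules, creds, target):
    """'and' binds tighter than 'or', as in oslo.policy; an empty rule allows."""
    tokens = rule.split()
    if not tokens:
        return True
    disjuncts, current = [], []
    for tok in tokens:
        if tok == "or":
            disjuncts.append(current)
            current = []
        elif tok != "and":
            current.append(tok)
    disjuncts.append(current)
    return any(all(_check(t, rules, creds, target) for t in d)
               for d in disjuncts if d)


def allowed(action, creds, target, rules=SAMPLE_RULES):
    """Decide one identity:* action for a token against a target user."""
    return evaluate(rules[action], rules, creds, target)


# Constructed credentials for the three tokens from the reproduction steps.
# Assumption: keystone puts domain_id into creds only for domain-scoped
# tokens and project_id only for project-scoped ones.
CLOUD_ADMIN = {"roles": ["admin"], "domain_id": "admin_domain_id"}
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "d1"}
PROJECT_ADMIN = {"roles": ["admin"], "project_id": "p1"}

# Constructed target: the user being edited lives in domain d1 and was
# created with default_project_id p1 (the project from step 5).
TARGET_USER = {"target.user.domain_id": "d1",
               "target.user.default_project_id": "p1"}


if __name__ == "__main__":
    for name, creds in [("cloud admin", CLOUD_ADMIN),
                        ("domain admin", DOMAIN_ADMIN),
                        ("project admin", PROJECT_ADMIN)]:
        print(name,
              "sample:", allowed("identity:update_user", creds, TARGET_USER),
              "proposed:", allowed("identity:update_user", creds, TARGET_USER,
                                   PROPOSED_RULES))
```

Under the sample rules the project admin is denied because its project-scoped token carries no domain_id, so neither cloud_admin nor the domain_id:%(target.user.domain_id)s comparison can ever match; only the domain admin's domain-scoped token satisfies the second rule. Under the proposed rules the project admin passes only when the target user's default_project_id equals the token's project_id, which is exactly the caution in the reply: a user created without a default project, or with a different one, is still forbidden to the project admin.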