
yahoo-eng-team team mailing list archive

[Bug 1338550] [NEW] V3 API project/user/group list only work with domain scoped token

 

Public bug reported:

From the policy.json of the V3 API:

    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_projects": "rule:admin_required and domain_id:%(domain_id)s",
    ...
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",

This specifies that if an admin user of a domain asks for GET /v3/users
/<domain-id>/ then the latter will only work if the token was scoped in
this domain, but not if it was scoped in a project in that domain.

A patch is coming soon that hopefully will clarify more.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1338550

Title:
  V3 API project/user/group list  only work with domain scoped token

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1338550/+subscriptions
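
The behaviour reported above can be reproduced with a small model of how a generic check such as `domain_id:%(domain_id)s` is evaluated. This is an added example, not code from the bug report or from Keystone: the evaluator handles only the rule subset quoted above, and the `admin_required` and `cloud_admin` definitions, the admin-domain placeholder, and the credential dictionaries are constructed assumptions.

```python
# Simplified policy evaluator (illustrative, not oslo/keystone code).
RULES = {
    # Assumed definitions, not shown in the report:
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:ADMIN_DOMAIN_PLACEHOLDER",
    # Rules quoted in the report:
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_projects": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}

def check(atom, creds, target):
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return enforce(match, creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: fill the right-hand side from the request target, then
    # compare it with the token credential named on the left-hand side.
    try:
        expected = match % target
    except KeyError:
        return False
    # A credential the token does not carry can never match.
    return kind in creds and str(creds[kind]) == expected

def enforce(name, creds, target):
    # "or" binds looser than "and"; this subset has no parentheses.
    return any(
        all(check(atom.strip(), creds, target) for atom in clause.split(" and "))
        for clause in RULES[name].split(" or ")
    )

# Constructed credentials for the same domain admin with two token scopes.
DOMAIN_SCOPED = {"user_id": "u1", "roles": ["admin"], "domain_id": "d1"}
# Project p1 lives in domain d1, but the token carries no domain_id.
PROJECT_SCOPED = {"user_id": "u1", "roles": ["admin"], "project_id": "p1"}
TARGET = {"domain_id": "d1"}  # request filtered on domain d1

def compare(rule):
    """Return (domain-scoped result, project-scoped result) for a rule."""
    return (enforce(rule, DOMAIN_SCOPED, TARGET),
            enforce(rule, PROJECT_SCOPED, TARGET))

if __name__ == "__main__":
    for rule in ("identity:list_users", "identity:list_projects"):
        print(rule, compare(rule))
```

Both rules pass for the domain-scoped credentials and fail for the project-scoped ones, because the left-hand `domain_id` is looked up in the token's credentials and a project-scoped token does not supply it.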

