
yahoo-eng-team team mailing list archive

[Bug 1338550] Re: V3 API project/user/group list only work with domain scoped token

 

This is by design. Project, user and group collections are owned by the
domain, and therefore the policy requires domain-level authorization to
administer those collections.

** Changed in: keystone
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1338550

Title:
  V3 API project/user/group list  only work with domain scoped token

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  From the policy.json of the V3 API:

      "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
      "identity:list_projects": "rule:admin_required and domain_id:%(domain_id)s",
      ...
      "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",

  This specifies that if an admin user of a domain asks for GET
  /v3/users?domain_id=<domain-id> then this latter will only work if the
  token was scoped in this domain but not if it was scoped in a project
  in that domain.

  A patch is coming soon that hopefully will clarify more.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1338550/+subscriptions
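
An added example, not part of the original bug report or Keystone's own code: a simplified evaluator (not oslo.policy) for the rules quoted in the bug description, showing why an admin's project-scoped token fails the domain_id check while a domain-scoped token passes. The definitions of admin_required and cloud_admin, the credential dictionaries and the ids d1, d2 and p1 are assumptions; the page does not show them.

```python
RULES = {
    # Assumption: the page elides these two definitions; stand-in values.
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    # Copied from the bug description.
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_projects": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}


def check(atom, creds, target):
    """Evaluate one 'kind:match' check against token credentials."""
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return enforce(match, creds, target)
    try:
        match = match % target  # fill %(domain_id)s from the request target
    except KeyError:
        return False  # target lacks the attribute: deny
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: the credential attribute must exist and equal the value.
    return creds.get(kind) == match


def enforce(name, creds, target):
    """Flat 'a and b or c and d' parsing; enough for the rules above."""
    return any(
        all(check(atom, creds, target) for atom in clause.split(" and "))
        for clause in RULES[name].split(" or ")
    )


# Constructed credentials. Assumption: a project-scoped token carries a
# project_id but no domain_id, which is the behaviour the report describes.
DOMAIN_SCOPED = {"roles": ["admin"], "domain_id": "d1"}
PROJECT_SCOPED = {"roles": ["admin"], "project_id": "p1"}  # p1 lives in d1
TARGET = {"domain_id": "d1"}  # from GET /v3/users?domain_id=d1

if __name__ == "__main__":
    for label, creds in (("domain", DOMAIN_SCOPED), ("project", PROJECT_SCOPED)):
        for action in ("identity:list_users", "identity:list_projects"):
            print(label, action, enforce(action, creds, TARGET))
```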

