yahoo-eng-team team mailing list archive
Message #28048
[Bug 1418702] [NEW] Project admin fails to list role assignments for his project with Project Scoped Token
Public bug reported:
I am facing issues listing role assignments as a project administrator
with a project scoped token.
OS_AUTH_URL=http://10.0.2.15:35357/v3
OS_USERNAME=user-a
OS_PASSWORD=password
OS_USER_DOMAIN_NAME=domain-a
OS_PROJECT_NAME=project-a
OS_PROJECT_DOMAIN_NAME=domain-a
OS_IDENTITY_API_VERSION=3
$ openstack role assignment list --project=7c305333795944e48b54874c911c1c2b
ERROR: openstack You are not authorized to perform the requested action: identity:list_projects (Disable debug mode to suppress these details.) (HTTP 403)
Log messages from Keystone log file:
[Thu Feb 05 19:16:00 2015] [error] Rule Method
[Thu Feb 05 19:16:00 2015] [error] (rule:cloud_admin or rule:admin_and_matching_target_project_domain_id)
[Thu Feb 05 19:16:00 2015] [error] Rule
[Thu Feb 05 19:16:00 2015] [error] identity:get_project
[Thu Feb 05 19:16:00 2015] [error] Target
[Thu Feb 05 19:16:00 2015] [error] {'target.project.name': u'project-a', 'target.project.description': u'', 'target.project.enabled': True, 'project_id': u'7c305333795944e48b54874c911c1c2b', 'target.project.domain_id': u'b5da5584e14148f7a305e0f22a9b3a2c', 'target.project.id': u'7c305333795944e48b54874c911c1c2b'}
[Thu Feb 05 19:16:00 2015] [error] Creds
[Thu Feb 05 19:16:00 2015] [error] {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'77194b22fb6e4ac2839c1d93c46e82fd', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=M1_Jt5l9QteNWLSFSvMqPQ, audit_chain_id=M1_Jt5l9QteNWLSFSvMqPQ) at 0x7fbb86801f80>, 'project_id': u'7c305333795944e48b54874c911c1c2b', 'trust_id': None}
[Thu Feb 05 19:16:00 2015] [error] self
[Thu Feb 05 19:16:00 2015] [error] <keystone.openstack.common.policy.Enforcer object at 0x7fbb862d1090>
[Thu Feb 05 19:16:00 2015] [error] 19584 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action: identity:get_project (Disable debug mode to suppress these details.)
....
[Thu Feb 05 19:16:00 2015] [error] ***Rule Method
[Thu Feb 05 19:16:00 2015] [error] ((rule:admin_required and domain_id:%(domain_id)s) or rule:cloud_admin)
[Thu Feb 05 19:16:00 2015] [error] ***Rule
[Thu Feb 05 19:16:00 2015] [error] identity:list_projects
[Thu Feb 05 19:16:00 2015] [error] ***Target
[Thu Feb 05 19:16:00 2015] [error] {'name': u'7c305333795944e48b54874c911c1c2b'}
[Thu Feb 05 19:16:00 2015] [error] ***Creds
[Thu Feb 05 19:16:00 2015] [error] {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'77194b22fb6e4ac2839c1d93c46e82fd', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=M1_Jt5l9QteNWLSFSvMqPQ, audit_chain_id=M1_Jt5l9QteNWLSFSvMqPQ) at 0x7fbb867b92b0>, 'project_id': u'7c305333795944e48b54874c911c1c2b', 'trust_id': None}
[Thu Feb 05 19:16:00 2015] [error] self
[Thu Feb 05 19:16:00 2015] [error] <keystone.openstack.common.policy.Enforcer object at 0x7fbb86742f90>
[Thu Feb 05 19:16:00 2015] [error] 19586 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action: identity:list_projects (Disable debug mode to suppress these details.)
The issue is that the project admin in the default policy file (policy.v3cloudsample.json) does not have access to get details of his project. Due to this, keystone assumes that the project does not exist and tries to get the project listing, which again fails.
I updated the default policy file to let project administrators get the project details.
Updating:
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
To:
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or rule:admin_and_matching_target_project_id",
"admin_and_matching_target_project_id": "rule:admin_required and project_id:%(target.project.id)s",
With this change:
$ openstack role assignment list --project=7c305333795944e48b54874c911c1c2b
+----------------------------------+----------------------------------+-------+----------------------------------+--------+
| Role | User | Group | Project | Domain |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+
| 2a736f40308b4486b8006d09a8213620 | 77194b22fb6e4ac2839c1d93c46e82fd | | 7c305333795944e48b54874c911c1c2b | |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+
** Affects: keystone
Importance: Undecided
Assignee: Priti Desai (priti-desai)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Priti Desai (priti-desai)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1418702
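The policy evaluation the report describes, traced through a small hand-written rule evaluator (added here as an example; it is not Keystone's or oslo.policy's code). The helper rules admin_required, cloud_admin and admin_and_matching_target_project_domain_id are assumed to be as policy.v3cloudsample.json defined them at the time; creds and target are taken from the log lines above. It shows the old identity:get_project rule denying the project-scoped admin, the proposed rule allowing it, and the proposed rule still denying that same admin the details of a different project.

```python
import re
# Rules before the change; helper rules assumed as in policy.v3cloudsample.json then.
RULES_BEFORE = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "admin_and_matching_target_project_domain_id":
        "rule:admin_required and domain_id:%(target.project.domain_id)s",
    "identity:get_project":
        "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
}
# Rules after the proposed edit: the new helper becomes a third alternative.
RULES_AFTER = {**RULES_BEFORE,
    "admin_and_matching_target_project_id": "rule:admin_required and project_id:%(target.project.id)s",
    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id"
                            " or rule:admin_and_matching_target_project_id"}
# Creds/target from the log above: a project-scoped token has project_id, no domain_id.
CREDS = {"roles": ["admin"], "project_id": "7c305333795944e48b54874c911c1c2b"}
TARGET = {"target.project.id": "7c305333795944e48b54874c911c1c2b",
          "target.project.domain_id": "b5da5584e14148f7a305e0f22a9b3a2c"}
# Tokens: parentheses, and/or, and kind:value atoms whose value may be %(key)s.
TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[^\s()]+(?:\([^)]*\)s)?")

def _atom(atom, rules, target, creds):
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, rules, target, creds)
    if kind == "role":
        return value in creds.get("roles", [])
    sub = re.fullmatch(r"%\((.+)\)s", value)  # %(target.project.id)s -> target lookup
    value = target.get(sub.group(1)) if sub else value
    return kind in creds and creds[kind] == value  # generic credential check

def _expr(tokens, rules, target, creds, level=0):
    # Precedence climbing: level 0 = or, 1 = and, 2 = atom or parenthesised group.
    if level == 2:
        tok = tokens.pop(0)
        if tok != "(":
            return _atom(tok, rules, target, creds)
        result = _expr(tokens, rules, target, creds)
        tokens.pop(0)  # the matching ")"
        return result
    result = _expr(tokens, rules, target, creds, level + 1)
    while tokens and tokens[0] == ("or", "and")[level]:
        tokens.pop(0)
        rhs = _expr(tokens, rules, target, creds, level + 1)  # always consume tokens
        result = (result or rhs) if level == 0 else (result and rhs)
    return result

def enforce(rule, rules, target, creds):
    """True when the named rule allows the request (the Enforcer's verdict)."""
    return _expr(TOKEN.findall(rules[rule]), rules, target, creds)
```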