yahoo-eng-team team mailing list archive

[Bug 1454531] [NEW] list_user_projects() can't get filtered by 'domain_id'.

Public bug reported:

Here is our use case: we want our tenant domain admin (e.g., Bob) to have
this capability: Bob (domain-scoped) can list the projects that one user
has roles on, and the projects Bob gets should only belong to Bob's
scoping domain.

When we read the rule in policy.v3cloudsample.json for "identity:list_user_projects", we are happy it's the same as what we want:

{...
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
"identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
...}

I thought we could use this API with the query string 'domain_id', so that Bob
can and can only query projects in his scoping domain, but it doesn't
work, since the @controller.filterprotected('enabled', 'name') for
list_user_projects() excludes the possibility of taking 'domain_id' as a
query string, even though it's useful to us and recorded in the policy file.

** Affects: keystone
     Importance: Undecided
     Assignee: DWang (darren-wang)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => DWang (darren-wang)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1454531


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1454531/+subscriptions
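To make the interaction the report describes concrete, here is an added, self-contained model of how a filter whitelist and the quoted policy rules combine. It is not Keystone's code and not the reporter's; it is a small evaluator that imitates the behaviour: the decorator copies only whitelisted query-string filters (plus URL parameters such as user_id) into the policy target, and a "domain_id:%(domain_id)s" check fails when the target has no domain_id. The two rule strings come from the report; the definitions of "admin_required" and "owner", the credential dictionaries and the domain names are constructed assumptions for illustration.

```python
"""Simplified model of a filter-whitelisted policy check (constructed example).

NOT Keystone's implementation: a toy evaluator that imitates the behaviour
described in the bug report. The two rules quoted in the report are kept
verbatim; 'admin_required' and 'owner' are simplified assumptions.
"""
import re

POLICY = {
    # Assumed simplified definitions (not from the report).
    "admin_required": "role:admin",
    "owner": "user_id:%(user_id)s",
    # Rules quoted in the bug report.
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
}


def _check_atom(atom, creds, target):
    """Evaluate one 'kind:value' check against credentials and target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return check_rule(value, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic check 'key:%(target_key)s': compare creds[key] with target[target_key].
    match = re.fullmatch(r"%\((\w+)\)s", value)
    if match:
        target_key = match.group(1)
        if target_key not in target:
            # The attribute never reached the target, so the check cannot match.
            return False
        return creds.get(kind) == target[target_key]
    return creds.get(kind) == value


def check_rule(name, creds, target):
    """Evaluate a named rule; 'and' binds tighter than 'or', as in the quoted rules."""
    for disjunct in POLICY[name].split(" or "):
        if all(_check_atom(a.strip(), creds, target) for a in disjunct.split(" and ")):
            return True
    return False


def list_user_projects_allowed(allowed_filters, query_params, creds, url_params):
    """Imitate a filterprotected-style decorator around list_user_projects.

    Only whitelisted query-string filters are copied into the policy target;
    URL parameters (here the user_id being listed) are always included.
    """
    target = dict(url_params)
    for name in allowed_filters:
        if name in query_params:
            target[name] = query_params[name]
    return check_rule("identity:list_user_projects", creds, target)


# Constructed credentials: Bob holds a domain-scoped admin token for domain 'd1'.
BOB = {"user_id": "bob", "domain_id": "d1", "roles": ["admin"]}
# Constructed credentials: Alice is an ordinary user with no admin role.
ALICE = {"user_id": "alice", "domain_id": "d1", "roles": ["member"]}


def demo():
    """Return the outcomes for the scenarios in the report."""
    narrow = ("enabled", "name")                  # whitelist from the report
    widened = ("enabled", "name", "domain_id")    # hypothetical widened whitelist
    return {
        # Bob passes domain_id=d1, but the whitelist drops it: denied.
        "bob_narrow_whitelist": list_user_projects_allowed(
            narrow, {"domain_id": "d1"}, BOB, {"user_id": "alice"}),
        # With domain_id accepted as a filter, the domain check can match: allowed.
        "bob_widened_own_domain": list_user_projects_allowed(
            widened, {"domain_id": "d1"}, BOB, {"user_id": "alice"}),
        # Bob asking for another domain is still denied (least privilege holds).
        "bob_widened_other_domain": list_user_projects_allowed(
            widened, {"domain_id": "d2"}, BOB, {"user_id": "alice"}),
        # The owner branch: Alice listing her own projects is allowed either way.
        "alice_owner": list_user_projects_allowed(
            narrow, {}, ALICE, {"user_id": "alice"}),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'allowed' if allowed else 'denied'}")
```

The model shows why widening the whitelist is a scoping question rather than a convenience: once domain_id reaches the target, the "domain_id:%(domain_id)s" match is what confines a domain-scoped admin to his own domain, so any real change would need the same check on the results returned, not only on the request.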
