yahoo-eng-team team mailing list archive
Message #33819
[Bug 1466116] [NEW] With using V3 cloud admin policy, domain admin cannot issue a token for the project in his domain
Public bug reported:
With the v3 cloud admin policy file, a user can be assigned the admin role in a
specific domain, and there can be multiple projects in that domain; the user
should have full access to this domain, but when we tried to issue a token
scoped to a project in that domain we got the following exception:
$ openstack token issue
ERROR: openstack User 072afe1ba1154d089b3c7a0952ba188b has no access to project e221bf92b65e435a9ef665f7aa681528 (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-4db81144-d0bf-4edb-9027-5bfb106ed160)
Here is the configuration in my env.
user name is cloud_admin
mysql> select id, name from user where id = '072afe1ba1154d089b3c7a0952ba188b';
+----------------------------------+-------------+
| id                               | name        |
+----------------------------------+-------------+
| 072afe1ba1154d089b3c7a0952ba188b | cloud_admin |
+----------------------------------+-------------+
user cloud_admin has the admin role in the domain `admin_domain`
mysql> select role.name, assignment.target_id from role, assignment where assignment.actor_id = '072afe1ba1154d089b3c7a0952ba188b' and assignment.role_id = role.id;
+-------+----------------------------------+
| name  | target_id                        |
+-------+----------------------------------+
| admin | b792bb2101254aaebd11694cc99c89be |
+-------+----------------------------------+
mysql> select * from domain where id = 'b792bb2101254aaebd11694cc99c89be';
+----------------------------------+--------------+---------+-------+
| id                               | name         | enabled | extra |
+----------------------------------+--------------+---------+-------+
| b792bb2101254aaebd11694cc99c89be | admin_domain |       1 | {}    |
+----------------------------------+--------------+---------+-------+
1 row in set (0.00 sec)
project: e221bf92b65e435a9ef665f7aa681528 (admin_project) is associated with the admin_domain.
mysql> select project.id as project_id, project.name as project_name, domain.name as domain_name from project, domain where project.id = 'e221bf92b65e435a9ef665f7aa681528' and project.domain_id = domain.id;
+----------------------------------+---------------+--------------+
| project_id                       | project_name  | domain_name  |
+----------------------------------+---------------+--------------+
| e221bf92b65e435a9ef665f7aa681528 | admin_project | admin_domain |
+----------------------------------+---------------+--------------+
This may be a duplicate of this bug:
https://bugs.launchpad.net/keystone/+bug/1437407; some experts in this
area could help triage or confirm it.
** Affects: keystone
Importance: Undecided
Assignee: Dave Chen (wei-d-chen)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Dave Chen (wei-d-chen)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1466116
Title:
With using V3 cloud admin policy, domain admin cannot issue a token
for the project in his domain
Status in OpenStack Identity (Keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1466116/+subscriptions
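As an added example, not part of the report and not Keystone's source: a constructed Python model of how a project-scoped token request resolves the requesting user's roles. It assumes the common rule that a role assigned on a domain reaches the domain's projects only when the assignment is marked inherited; with the report's data (an admin role on the domain itself and no assignment on the project) the model refuses the scope with the same message the reporter saw, and it succeeds once the domain assignment is inherited or a role is assigned directly on the project. The registry layout, the constructed role id and the `inherited` flag are assumptions of the model; the user, domain and project ids are copied from the report.

```python
"""Constructed model of effective-role resolution for a project-scoped token.

Added illustration, not Keystone's code. It models one plausible reason for
the report's 401: the user's only assignment is the admin role on the domain
(not inherited to the domain's projects), so no role applies to the project
and the scoped token is refused. Ids are copied from the report; the
`inherited` flag and the registry layout are assumptions of this model.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Assignment:
    actor_id: str            # user id
    role_id: str
    target_id: str           # project id or domain id
    target_type: str         # "project" or "domain"
    inherited: bool = False  # domain assignment also applies to its projects


@dataclass
class Registry:
    users: dict = field(default_factory=dict)      # user_id -> name
    roles: dict = field(default_factory=dict)      # role_id -> name
    domains: dict = field(default_factory=dict)    # domain_id -> name
    projects: dict = field(default_factory=dict)   # project_id -> domain_id
    assignments: list = field(default_factory=list)


class NoAccess(Exception):
    """Raised when no role applies to the requested project scope."""


def effective_roles_on_project(reg, user_id, project_id):
    """Roles the user holds on the project: direct assignments on the project
    plus domain assignments explicitly inherited down to the domain's projects."""
    if project_id not in reg.projects:
        raise KeyError(f"unknown project {project_id}")
    domain_id = reg.projects[project_id]
    roles = set()
    for a in reg.assignments:
        if a.actor_id != user_id:
            continue
        if a.target_type == "project" and a.target_id == project_id:
            roles.add(reg.roles[a.role_id])
        elif a.target_type == "domain" and a.target_id == domain_id and a.inherited:
            roles.add(reg.roles[a.role_id])
    return roles


def issue_project_scoped_token(reg, user_id, project_id):
    """Refuse the scope when no role applies, mirroring the report's error text."""
    roles = effective_roles_on_project(reg, user_id, project_id)
    if not roles:
        raise NoAccess(f"User {user_id} has no access to project {project_id}")
    return {"user_id": user_id, "project_id": project_id, "roles": sorted(roles)}


# Ids from the report; ROLE_ADMIN is constructed (the report shows only the name).
USER = "072afe1ba1154d089b3c7a0952ba188b"
DOMAIN = "b792bb2101254aaebd11694cc99c89be"
PROJECT = "e221bf92b65e435a9ef665f7aa681528"
ROLE_ADMIN = "role-admin"


def build_reported_registry():
    """The rows exactly as the report's mysql output shows them: one admin
    assignment on admin_domain, none on admin_project."""
    reg = Registry()
    reg.users[USER] = "cloud_admin"
    reg.roles[ROLE_ADMIN] = "admin"
    reg.domains[DOMAIN] = "admin_domain"
    reg.projects[PROJECT] = DOMAIN
    reg.assignments.append(Assignment(USER, ROLE_ADMIN, DOMAIN, "domain"))
    return reg


def try_issue(reg, user_id, project_id):
    """Return the token dict on success or the error message on refusal."""
    try:
        return issue_project_scoped_token(reg, user_id, project_id)
    except NoAccess as exc:
        return str(exc)


if __name__ == "__main__":
    reg = build_reported_registry()
    print(try_issue(reg, USER, PROJECT))   # refused, as in the report
    reg.assignments.append(Assignment(USER, ROLE_ADMIN, DOMAIN, "domain", inherited=True))
    print(try_issue(reg, USER, PROJECT))   # token with roles ["admin"]
```

Run directly, it prints the refusal first and the token second; the `inherited` flag is the single input that separates the two outcomes, which is the distinction a triager would want to check against the real assignment table (the report's query does not select that column).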