yahoo-eng-team team mailing list archive
Message #33883
[Bug 1466116] Re: When using the V3 cloud admin policy, a domain admin cannot issue a token for a project in his domain
** Changed in: keystone
Status: Incomplete => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1466116
Title:
When using the V3 cloud admin policy, a domain admin cannot issue a token
for a project in his domain
Status in OpenStack Identity (Keystone):
Invalid
Bug description:
With the v3 cloud admin policy file, a user can be assigned the admin role in
a specific domain, and there would be multiple projects in that
domain; the user should have full access to this domain, but when we
tried to issue a token scoped to a project in that domain we got the
following exception:
$ openstack token issue
ERROR: openstack User 072afe1ba1154d089b3c7a0952ba188b has no access to project e221bf92b65e435a9ef665f7aa681528 (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-4db81144-d0bf-4edb-9027-5bfb106ed160)
Here is configuration in my env.
user name is cloud_admin
mysql> select id, name from user where id = '072afe1ba1154d089b3c7a0952ba188b';
+----------------------------------+-------------+
| id                               | name        |
+----------------------------------+-------------+
| 072afe1ba1154d089b3c7a0952ba188b | cloud_admin |
+----------------------------------+-------------+
user cloud_admin has the admin role in the domain `admin_domain`
mysql> select role.name, assignment.target_id from role, assignment where assignment.actor_id = '072afe1ba1154d089b3c7a0952ba188b' and assignment.role_id = role.id;
+-------+----------------------------------+
| name  | target_id                        |
+-------+----------------------------------+
| admin | b792bb2101254aaebd11694cc99c89be |
+-------+----------------------------------+
mysql> select * from domain where id = 'b792bb2101254aaebd11694cc99c89be';
+----------------------------------+--------------+---------+-------+
| id                               | name         | enabled | extra |
+----------------------------------+--------------+---------+-------+
| b792bb2101254aaebd11694cc99c89be | admin_domain |       1 | {}    |
+----------------------------------+--------------+---------+-------+
1 row in set (0.00 sec)
project: e221bf92b65e435a9ef665f7aa681528 (admin_project) is associated with the admin_domain.
mysql> select project.id as project_id, project.name as project_name, domain.name as domain_name from project, domain where project.id = 'e221bf92b65e435a9ef665f7aa681528' and project.domain_id = domain.id;
+----------------------------------+---------------+--------------+
| project_id                       | project_name  | domain_name  |
+----------------------------------+---------------+--------------+
| e221bf92b65e435a9ef665f7aa681528 | admin_project | admin_domain |
+----------------------------------+---------------+--------------+
This may be a duplicate of this bug:
https://bugs.launchpad.net/keystone/+bug/1437407; some experts in this
area can help to triage or confirm it.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1466116/+subscriptions
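Why the report was closed as Invalid is visible in the assignment table above: the admin role is granted on the domain, and a plain domain assignment does not extend to the projects in that domain. Keystone issues a project-scoped token only when the user holds an effective role on that project, either through a direct project assignment or through a domain assignment made with the OS-INHERIT inherited_to_projects flag; policy.v3cloudsample.json is consulted only after a token exists and cannot widen the scopes a user may take. The following Python models that rule. It is an added illustration, not Keystone's own code and not part of the bug report; it reuses the user, domain and project IDs from the report, while the inherited assignment and the PROJECT_DOMAIN map are constructed for the example.

```python
"""Model of how Keystone v3 decides whether a user may take a token scoped to
a project or a domain.  Added illustration, not Keystone's own code.  The IDs
are the ones from the bug report; the inherited assignment and the
PROJECT_DOMAIN map are constructed for the example."""
from dataclasses import dataclass

USER = "072afe1ba1154d089b3c7a0952ba188b"     # cloud_admin
DOMAIN = "b792bb2101254aaebd11694cc99c89be"   # admin_domain
PROJECT = "e221bf92b65e435a9ef665f7aa681528"  # admin_project, in admin_domain

# project_id -> domain_id, mirroring the project table in the report (constructed)
PROJECT_DOMAIN = {PROJECT: DOMAIN}


@dataclass(frozen=True)
class Assignment:
    actor_id: str
    role: str
    target_type: str         # "domain" or "project"
    target_id: str
    inherited: bool = False  # OS-INHERIT inherited_to_projects flag


class NoAccess(Exception):
    """Stands in for Keystone's HTTP 401 'User ... has no access to project ...'."""


def effective_roles(assignments, user_id, scope_type, scope_id):
    """Roles the user holds on the requested scope.

    Rules modelled:
      * a project scope is satisfied by a direct assignment on that project, or
        by an assignment on the project's domain flagged inherited_to_projects;
      * a domain scope is satisfied only by a direct (non-inherited) assignment
        on that domain; an inherited assignment applies to the domain's
        projects, not to the domain itself.
    A plain domain assignment therefore never reaches a project, which is the
    situation in the report.
    """
    roles = set()
    for a in assignments:
        if a.actor_id != user_id:
            continue
        if scope_type == "project":
            if a.target_type == "project" and a.target_id == scope_id:
                roles.add(a.role)
            elif (a.target_type == "domain" and a.inherited
                  and PROJECT_DOMAIN.get(scope_id) == a.target_id):
                roles.add(a.role)
        elif scope_type == "domain":
            if a.target_type == "domain" and a.target_id == scope_id and not a.inherited:
                roles.add(a.role)
    return roles


def issue_token(assignments, user_id, scope_type, scope_id):
    """Return a minimal scoped token, or raise NoAccess like Keystone's 401."""
    roles = effective_roles(assignments, user_id, scope_type, scope_id)
    if not roles:
        raise NoAccess(f"User {user_id} has no access to {scope_type} {scope_id}")
    return {"user_id": user_id, f"{scope_type}_id": scope_id, "roles": sorted(roles)}


# The assignment row from the report: admin on the domain, not inherited.
REPORTED = [Assignment(USER, "admin", "domain", DOMAIN)]

# Constructed what-if: the same grant made with inherited_to_projects set.
INHERITED = [Assignment(USER, "admin", "domain", DOMAIN, inherited=True)]


def reproduce():
    """Returns (project-scope outcome with the reported data,
    domain-scope roles with the reported data,
    project-scope roles once the grant is inherited)."""
    try:
        issue_token(REPORTED, USER, "project", PROJECT)
        project_outcome = "token issued"
    except NoAccess as err:
        project_outcome = str(err)
    domain_roles = issue_token(REPORTED, USER, "domain", DOMAIN)["roles"]
    fixed_roles = issue_token(INHERITED, USER, "project", PROJECT)["roles"]
    return project_outcome, domain_roles, fixed_roles


if __name__ == "__main__":
    for line in reproduce():
        print(line)
```

With the reported data the model rejects the project scope with the same "has no access to project" wording as the CLI, but hands out a domain-scoped token carrying the admin role, which is the scope the cloud_admin rules in the v3 cloud sample policy are written against (they match on the domain_id in the token). Making the grant inheritable (the `--inherited` flag of `openstack role add --user cloud_admin --domain admin_domain admin`) or assigning the role directly on the project makes the project scope work; the example shows the former.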