
yahoo-eng-team team mailing list archive

[Bug 1418702] Re: Project admin fails to list role assignments for his project with Project Scoped Token


Reviewed:  https://review.openstack.org/248892
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7f3158a6d4b5df78dfde9f281cf82dd6e4fe02f4
Submitter: Jenkins
Branch:    master

commit 7f3158a6d4b5df78dfde9f281cf82dd6e4fe02f4
Author: Priti Desai <pdesai@xxxxxxxxxx>
Date:   Mon Nov 23 11:59:07 2015 -0800

    Fix for GET project by project admin
    
    The issue is that the project admin in the default policy file
    (policy.v3cloudsample.json) does not have access to get details
    of his project.
    
    This change updates the default policy file to let project
    administrators retrieve their own project details.
    
    Change-Id: I60995db12a90c8ce6090099dee79ed1e5ee5caed
    Closes-Bug: 1418702


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1418702

Title:
  Project admin fails to list role assignments for his project with
  Project Scoped Token

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  I am facing issues listing role assignments as project administrator
  with project scoped token.

  OS_AUTH_URL=http://10.0.2.15:35357/v3
  OS_USERNAME=user-a
  OS_PASSWORD=password
  OS_USER_DOMAIN_NAME=domain-a
  OS_PROJECT_NAME=project-a
  OS_PROJECT_DOMAIN_NAME=domain-a
  OS_IDENTITY_API_VERSION=3

  $ openstack role assignment list  --project=7c305333795944e48b54874c911c1c2b
  ERROR: openstack You are not authorized to perform the requested action: identity:list_projects (Disable debug mode to suppress these details.) (HTTP 403)

  Log messages from Keystone log file:

  [Thu Feb 05 19:16:00 2015] [error] Rule Method
  [Thu Feb 05 19:16:00 2015] [error] (rule:cloud_admin or rule:admin_and_matching_target_project_domain_id)
  [Thu Feb 05 19:16:00 2015] [error] Rule
  [Thu Feb 05 19:16:00 2015] [error] identity:get_project
  [Thu Feb 05 19:16:00 2015] [error] Target
  [Thu Feb 05 19:16:00 2015] [error] {'target.project.name': u'project-a', 'target.project.description': u'', 'target.project.enabled': True, 'project_id': u'7c305333795944e48b54874c911c1c2b', 'target.project.domain_id': u'b5da5584e14148f7a305e0f22a9b3a2c', 'target.project.id': u'7c305333795944e48b54874c911c1c2b'}
  [Thu Feb 05 19:16:00 2015] [error] Creds
  [Thu Feb 05 19:16:00 2015] [error] {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'77194b22fb6e4ac2839c1d93c46e82fd', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=M1_Jt5l9QteNWLSFSvMqPQ, audit_chain_id=M1_Jt5l9QteNWLSFSvMqPQ) at 0x7fbb86801f80>, 'project_id': u'7c305333795944e48b54874c911c1c2b', 'trust_id': None}
  [Thu Feb 05 19:16:00 2015] [error] self
  [Thu Feb 05 19:16:00 2015] [error] <keystone.openstack.common.policy.Enforcer object at 0x7fbb862d1090>
  [Thu Feb 05 19:16:00 2015] [error] 19584 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action: identity:get_project (Disable debug mode to suppress these details.)

  ....

  [Thu Feb 05 19:16:00 2015] [error] ***Rule Method
  [Thu Feb 05 19:16:00 2015] [error] ((rule:admin_required and domain_id:%(domain_id)s) or rule:cloud_admin)
  [Thu Feb 05 19:16:00 2015] [error] ***Rule
  [Thu Feb 05 19:16:00 2015] [error] identity:list_projects
  [Thu Feb 05 19:16:00 2015] [error] ***Target
  [Thu Feb 05 19:16:00 2015] [error] {'name': u'7c305333795944e48b54874c911c1c2b'}
  [Thu Feb 05 19:16:00 2015] [error] ***Creds
  [Thu Feb 05 19:16:00 2015] [error] {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'77194b22fb6e4ac2839c1d93c46e82fd', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=M1_Jt5l9QteNWLSFSvMqPQ, audit_chain_id=M1_Jt5l9QteNWLSFSvMqPQ) at 0x7fbb867b92b0>, 'project_id': u'7c305333795944e48b54874c911c1c2b', 'trust_id': None}
  [Thu Feb 05 19:16:00 2015] [error] self
  [Thu Feb 05 19:16:00 2015] [error] <keystone.openstack.common.policy.Enforcer object at 0x7fbb86742f90>
  [Thu Feb 05 19:16:00 2015] [error] 19586 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action: identity:list_projects (Disable debug mode to suppress these details.)

  The issue is that the project admin in the default policy file (policy.v3cloudsample.json) does not have access to get the details of his project. Due to this, keystone assumes that the project does not exist and tries to get the project listing, which again fails.

  I updated the default policy file to let project administrators get the project details.

  Updating:

  "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",

  To:

  "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or rule:admin_and_matching_target_project_id",
  "admin_and_matching_target_project_id": "rule:admin_required and project_id:%(target.project.id)s",

  With this change:

  $ openstack role assignment list --project=7c305333795944e48b54874c911c1c2b
  +----------------------------------+----------------------------------+-------+----------------------------------+--------+
  | Role                             | User                             | Group | Project                          | Domain |
  +----------------------------------+----------------------------------+-------+----------------------------------+--------+
  | 2a736f40308b4486b8006d09a8213620 | 77194b22fb6e4ac2839c1d93c46e82fd |       | 7c305333795944e48b54874c911c1c2b |        |
  +----------------------------------+----------------------------------+-------+----------------------------------+--------+

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1418702/+subscriptions
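As an added illustration (not code from the bug report or from keystone), the following small evaluator for the and/or/parentheses subset of the policy language replays the identity:get_project decision against the target and credentials shown in the log above, once with the original rule and once with the added admin_and_matching_target_project_id rule. It assumes the helper rules admin_required, cloud_admin and admin_and_matching_target_project_domain_id read as in keystone's sample policy file, and uses admin_domain_id as a constructed placeholder for the cloud admin domain.

```python
import re

# Tokens: "(", ")", or an atom; an atom keeps its own %(...)s parentheses.
TOKEN = re.compile(r"\(|\)|[^\s()]+(?:\([^)]*\)[^\s()]*)?")

# Helper rules assumed to match policy.v3cloudsample.json; admin_domain_id is a placeholder.
BASE = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "admin_and_matching_target_project_domain_id":
        "rule:admin_required and domain_id:%(target.project.domain_id)s",
    "admin_and_matching_target_project_id":
        "rule:admin_required and project_id:%(target.project.id)s",
}
BEFORE = {**BASE, "identity:get_project":
          "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id"}
AFTER = {**BEFORE, "identity:get_project": BEFORE["identity:get_project"]
         + " or rule:admin_and_matching_target_project_id"}

# Target and creds as logged in the bug (trimmed): project-scoped token, so no domain_id.
TARGET = {"target.project.id": "7c305333795944e48b54874c911c1c2b",
          "target.project.domain_id": "b5da5584e14148f7a305e0f22a9b3a2c"}
CREDS = {"roles": ["admin"], "project_id": "7c305333795944e48b54874c911c1c2b"}

def check(atom, rules, target, creds):  # one rule:/role:/<cred field>:<value> check
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, rules, target, creds)
    if kind == "role":
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):  # take the value from the target
        value = target.get(value[2:-2])
    return value is not None and creds.get(kind) == value

def enforce(rule, rules, target, creds):  # and/or/parentheses subset of oslo.policy
    tokens, pos = TOKEN.findall(rules[rule]), 0
    def parse(level=0):  # 0: or-expression, 1: and-expression, 2: atom or "(...)"
        nonlocal pos
        if level == 2:
            tok, pos = tokens[pos], pos + 1
            if tok != "(":
                return check(tok, rules, target, creds)
            val, pos = parse(), pos + 1  # parse the group, then consume ")"
            return val
        op, vals = ("or", "and")[level], [parse(level + 1)]
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            vals.append(parse(level + 1))
        return any(vals) if op == "or" else all(vals)
    return parse()
```

With the original rule both alternatives need a domain_id in the credentials, which a project-scoped token never carries, so the project admin is denied; the added rule compares the token's project_id with target.project.id instead, while an admin scoped to some other project is still denied.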