
yahoo-eng-team team mailing list archive

[Bug 1544721] [NEW] Policy for listing service providers requires admin

Public bug reported:

When creating a v3 keystoneclient using non-admin credentials I'm able
to get the list of service providers from the service catalog, but the
policy doesn't allow listing or getting service providers by default.

>>> ksclient2.service_catalog.catalog[u'service_providers']
[{u'sp_url': u'http://xxx.xxx.xxx.xxx:5000/Shibboleth.sso/SAML2/ECP', u'auth_url': u'http://xxx.xxx.xxx.xxx:35357/v3/OS-FEDERATION/identity_providers/keystone-idp/protocols/saml2/auth', u'id': u'keystone-sp'}]

>>> ksclient2.federation.service_providers.list()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/v3/contrib/federation/service_providers.py", line 76, in list
    return super(ServiceProviderManager, self).list(**kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 75, in func
    return f(*args, **new_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 388, in list
    self.collection_key)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 124, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 170, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 206, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 95, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/utils.py", line 337, in inner
    return func(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/session.py", line 405, in request
    raise exceptions.from_response(resp, method, url)
keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:list_service_providers (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-485c64e6-5de1-4470-9439-e05275a350fa)
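To make the mismatch reproducible offline, the following is an added example (not keystone's, keystoneclient's or the reporter's code) that evaluates rules in the subset of the oslo.policy language used by keystone's policy.json and then compares what a token's catalog exposes with what the same token may list. The rule text, the catalog entry and the token attributes are constructed assumptions, since the report quotes neither the policy file nor the token.

```python
# Assumption: the report does not quote policy.json; these rules mirror the
# era's defaults, where the service-provider calls are gated on admin.
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:list_service_providers": "rule:admin_required",
    "identity:get_service_provider": "rule:admin_required",
}

# Constructed catalog entry in the shape shown in the report (placeholder URL).
CATALOG = {"service_providers": [
    {"id": "keystone-sp", "sp_url": "http://sp.example/Shibboleth.sso/SAML2/ECP"}]}

def _atom(check, creds, policy):
    """Evaluate one 'kind:value' check, optionally prefixed with 'not '."""
    negate = check.startswith("not ")
    kind, _, value = (check[4:] if negate else check).partition(":")
    if kind == "rule":        # RuleCheck: recurse into a named rule
        result = enforce(value, creds, policy)
    elif kind == "role":      # RoleCheck: role carried by the token
        result = value in creds.get("roles", [])
    else:                     # GenericCheck, e.g. is_admin:1
        result = str(creds.get(kind)) == value
    return result != negate

def enforce(rule_name, creds, policy=POLICY):
    """True if creds satisfy rule_name. '' allows all and '!' denies all;
    'a or b', 'a and b' and 'not a' are handled, parentheses are not."""
    expr = policy.get(rule_name, "!")   # rule missing from policy: deny
    if expr == "":
        return True
    if expr == "!":
        return False
    # 'or' binds looser than 'and': a disjunction of conjunctions.
    return any(all(_atom(c.strip(), creds, policy) for c in d.split(" and "))
               for d in expr.split(" or "))

def catalog_vs_policy(creds, catalog=CATALOG, policy=POLICY):
    """Report the mismatch from the bug: which service providers the token's
    catalog exposes versus whether policy lets the same token list them."""
    return {
        "visible_in_catalog": [sp["id"] for sp in catalog.get("service_providers", [])],
        "list_allowed": enforce("identity:list_service_providers", creds, policy),
    }

if __name__ == "__main__":
    member = {"roles": ["_member_"], "is_admin": 0}   # constructed non-admin token
    print(catalog_vs_policy(member))
    # {'visible_in_catalog': ['keystone-sp'], 'list_allowed': False}
```

Running it with the constructed member token shows the provider present in the catalog while the list call is denied, which is the state the traceback above reports.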

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1544721
