yahoo-eng-team team mailing list archive

[Bug 1553864] [NEW] domain admin policy fail in keystonclient

 

You have been subscribed to a public bug:

In my case:

I changed the identity API to v3:
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3

Create domain_admin:
openstack domain create domain1
openstack user create domain1_admin --domain domain1 --password xxxx
openstack project create domain1_admin --domain domain1
openstack role add --user domain1_admin --domain domain1 admin
openstack role add --user domain1_admin --project domain1_admin admin

And changed the policy file to policy.v3cloudsample.json:
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json
cp policy.v3cloudsample.json /etc/keystone/policy.json

Use domain_admin to review the project list:
openstack project list --domain domain1
You are not authorized to perform the requested action: identity:list_projects (HTTP 403) (Request-ID: req-e68fc8ab-c723-49ca-a9f4-cbfa4594f514)

In debug mode, I found:
{"error": {"message": "You are not authorized to perform the requested action: identity:list_domains", "code": 403, "title": "Forbidden"}}

So I modified the policy:
"identity:list_domains": "rule:cloud_admin" >>> "identity:list_domains": "rule:admin_required"

And it worked.

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: keystoneclient policy
-- 
domain admin policy fail in keystonclient
https://bugs.launchpad.net/bugs/1553864
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
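
Added example, not part of the bug report or of Keystone's code: a simplified evaluator for the two rules the report swaps, showing which callers gain identity:list_domains when the rule goes from cloud_admin to admin_required. It assumes admin_required is "role:admin" and cloud_admin is admin_required plus a match on the admin domain id; ADMIN_DOMAIN_ID, the caller credentials and the function names are constructed for illustration.

```python
# Simplified model of the two policy rules the report swaps. Assumption: the
# sample file defines them as below; ADMIN_DOMAIN_ID is a constructed
# placeholder for the id an operator substitutes into the sample policy.
ADMIN_DOMAIN_ID = "admin-domain-id-placeholder"

POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:" + ADMIN_DOMAIN_ID,
}

# Constructed token credentials (not taken from the report).
CALLERS = {
    "cloud_admin": {"roles": ["admin"], "domain_id": ADMIN_DOMAIN_ID},
    "domain1_admin": {"roles": ["admin"], "domain_id": "domain1-id"},
    "other_domain_admin": {"roles": ["admin"], "domain_id": "domain2-id"},
    "domain1_member": {"roles": ["member"], "domain_id": "domain1-id"},
}


def check(rule, creds, policy=POLICY):
    """Evaluate an 'and'-joined rule string against token credentials."""
    for term in rule.split(" and "):
        kind, _, match = term.strip().partition(":")
        if kind == "rule":        # reference to another named rule
            ok = check(policy[match], creds, policy)
        elif kind == "role":      # caller must hold this role
            ok = match in creds.get("roles", [])
        else:                     # generic check: credential field equals literal
            ok = creds.get(kind) == match
        if not ok:
            return False
    return True


def access_change(before="rule:cloud_admin", after="rule:admin_required"):
    """Map each caller to (allowed before, allowed after) for list_domains."""
    return {name: (check(before, c), check(after, c))
            for name, c in CALLERS.items()}


if __name__ == "__main__":
    for name, (old, new) in access_change().items():
        print(f"{name:20} before={old!s:5} after={new!s:5}")
```

In this model the change admits every caller holding the admin role on any domain, not only domain1_admin.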