yahoo-eng-team team mailing list archive
Message #47509
[Bug 1553864] Re: domain admin policy fail in keystoneclient
** Project changed: openstack-manuals => python-keystoneclient
** Tags added: keystoneclient
** Tags added: policy
** Project changed: python-keystoneclient => keystone
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1553864
Title:
domain admin policy fail in keystoneclient
Status in OpenStack Identity (keystone):
New
Bug description:
In my case:
I changed the identity API to v3:
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
Create domain_admin:
openstack domain create domain1
openstack user create domain1_admin --domain domain1 --password xxxx
openstack project create domain1_admin --domain domain1
openstack role add --user domain1_admin --domain domain1 admin
openstack role add --user domain1_admin --project domain1_admin admin
And changed the policy file to policy.v3cloudsample.json:
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json
cp policy.v3cloudsample.json /etc/keystone/policy.json
Use domain_admin to review the project list:
openstack project list --domain domain1
You are not authorized to perform the requested action: identity:list_projects (HTTP 403) (Request-ID: req-e68fc8ab-c723-49ca-a9f4-cbfa4594f514)
In debug mode I found:
{"error": {"message": "You are not authorized to perform the requested action: identity:list_domains", "code": 403, "title": "Forbidden"}}
So I modified the policy:
"identity:list_domains": "rule:cloud_admin" >>> "identity:list_domains": "rule:admin_required"
And it worked.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1553864/+subscriptions
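The debug output above shows that the request failed on the identity:list_domains check, not on list_projects, because the cloud-sample policy reserves list_domains for the cloud admin. The reporter's workaround loosens that rule to any holder of the admin role, which is wider than the domain1 admin alone. The following is an added example, not code from the bug thread, from keystone or from oslo.policy: a small, simplified evaluator for the rule language used in policy.json (rule:, role:, attribute-to-literal and attribute-to-%(target)s checks, and/or/not, parentheses), run against constructed policy fragments that follow the shape of policy.v3cloudsample.json (the sample file's literal admin_domain_id placeholder is kept as-is) and constructed credentials. It reproduces the 403 the reporter saw and then lists which principals the rule change newly grants, which is the delta a deployer should review before copying such a change into /etc/keystone/policy.json.

```python
import re

# Policy fragments constructed for this example: trimmed to the rules the bug
# report exercises, following the shape of keystone's policy.v3cloudsample.json
# (there, "admin_domain_id" is a placeholder for the real admin domain's id).
CLOUD_SAMPLE = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_domains": "rule:cloud_admin",
    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}

# The reporter's change: list_domains falls back to the plain admin role.
LOOSENED = dict(CLOUD_SAMPLE, **{"identity:list_domains": "rule:admin_required"})

# Constructed credentials for the principals we want to compare.
PRINCIPALS = {
    "cloud_admin": {"roles": ["admin"], "domain_id": "admin_domain_id"},
    "domain1_admin": {"roles": ["admin"], "domain_id": "domain1"},
    "domain2_admin": {"roles": ["admin"], "domain_id": "domain2"},
    "domain1_member": {"roles": ["member"], "domain_id": "domain1"},
}


def _tokenize(rule):
    """Yield '(', ')' and 'kind:value' tokens; a '%(attr)s' stays inside its atom."""
    for word in rule.split():
        inner = word.lstrip("(")
        for _ in range(len(word) - len(inner)):
            yield "("
        atom = inner.rstrip(")")
        if atom:
            yield atom
        for _ in range(len(inner) - len(atom)):
            yield ")"


def _check(atom, rules, creds, target):
    """One check: rule:<name>, role:<name>, or <cred attr>:<literal | %(target attr)s>."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return evaluate(rules[value], rules, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    ref = re.fullmatch(r"%\((.+)\)s", value)
    expected = target.get(ref.group(1)) if ref else value
    if expected is None:
        return False
    return str(creds.get(kind)).lower() == str(expected).lower()


def evaluate(rule, rules, creds, target):
    """Recursive-descent evaluation; 'and' binds tighter than 'or', as in oslo.policy."""
    tokens = list(_tokenize(rule))
    if not tokens:  # an empty rule string means "always allowed"
        return True
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        if tok is None:
            raise ValueError("unexpected end of rule %r" % rule)
        pos += 1
        return tok

    def parse_or():
        result = parse_and()
        while peek() == "or":
            take()
            result = parse_and() or result  # always consume the right-hand side
        return result

    def parse_and():
        result = parse_not()
        while peek() == "and":
            take()
            result = parse_not() and result
        return result

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        if peek() == "(":
            take()
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in rule %r" % rule)
            return inner
        return _check(take(), rules, creds, target)

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in rule %r" % rule)
    return result


def enforce(rules, action, creds, target=None):
    """Answer the question keystone asks for one API call: may `creds` do `action`?"""
    return evaluate(rules[action], rules, creds, target or {})


def who_gains(old, new, action, principals, target=None):
    """Principals allowed by `new` but denied by `old`: the delta to review before deploying."""
    return [name for name, creds in principals.items()
            if enforce(new, action, creds, target) and not enforce(old, action, creds, target)]


if __name__ == "__main__":
    d1 = PRINCIPALS["domain1_admin"]
    print("list_projects in own domain:", enforce(CLOUD_SAMPLE, "identity:list_projects", d1, {"domain_id": "domain1"}))
    print("list_domains, sample policy:", enforce(CLOUD_SAMPLE, "identity:list_domains", d1))
    print("list_domains, loosened     :", enforce(LOOSENED, "identity:list_domains", d1))
    print("newly allowed by the change:", who_gains(CLOUD_SAMPLE, LOOSENED, "identity:list_domains", PRINCIPALS))
```

Running it shows the domain1 admin passing list_projects for its own domain but failing list_domains under the sample policy, exactly the 403 in the report; under the loosened rule, who_gains reports both domain1_admin and domain2_admin, i.e. the admin of every domain can now enumerate all domains, which is the broadening to weigh against the convenience of the CLI's name lookup succeeding.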