yahoo-eng-team team mailing list archive
Message #50354
[Bug 1553864] Re: domain admin policy fail in keystoneclient
[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.]
** Changed in: keystone
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1553864
Title:
domain admin policy fail in keystoneclient
Status in OpenStack Identity (keystone):
Expired
Bug description:
In my case:
I changed the identity API to v3:
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
Created domain_admin:
openstack domain create domain1
openstack user create domain1_admin --domain domain1 --password xxxx
openstack project create domain1_admin --domain domain1
openstack role add --user domain1_admin --domain domain1 admin
openstack role add --user domain1_admin --project domain1_admin admin
And changed the policy file to policy.v3cloudsample.json
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json
cp policy.v3cloudsample.json /etc/keystone/policy.json
and replaced "admin_domain_id" with "default"
(so domain1_admin is "other domain's admin", not "cloud_admin").
Used domain_admin to view the project list:
openstack project list --domain domain1
You are not authorized to perform the requested action: identity:list_projects (HTTP 403) (Request-ID: req-e68fc8ab-c723-49ca-a9f4-cbfa4594f514)
In debug mode I found:
{"error": {"message": "You are not authorized to perform the requested action: identity:list_domains", "code": 403, "title": "Forbidden"}}
so I modified the policy:
"identity:list_domains": "rule:cloud_admin" >>>
"identity:list_domains": "rule:admin_required"
And it worked.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1553864/+subscriptions
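The policy evaluation behind the two 403s above, as an added example that is not keystone or keystoneclient code: a tiny evaluator for the subset of oslo.policy rule syntax the report touches, run against a simplified reconstruction of the policy.v3cloudsample.json rules (an assumption, with admin_domain_id already replaced by "default" as the reporter did). It shows why domain1_admin passes identity:list_projects for its own domain but is denied identity:list_domains, and that the reporter's change makes identity:list_domains pass for any user holding the admin role in any domain, not only domain1_admin.

```python
# Assumption: simplified reconstruction of the policy.v3cloudsample.json rules,
# with admin_domain_id already replaced by "default" as the reporter did.
BASE_RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:default",
    "domain_admin": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_projects": "rule:cloud_admin or rule:domain_admin",
    "identity:list_domains": "rule:cloud_admin",
}

def _check(term, rules, creds, target):
    """One check: rule:NAME, role:NAME, or KEY:VALUE (VALUE may be %(target_key)s)."""
    kind, _, value = term.partition(":")
    if kind == "rule":
        return enforce(value, rules, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):
        value = target.get(value[2:-2])  # compare against the target attribute
    return creds.get(kind) == value

def enforce(rule_name, rules, creds, target):
    """True if creds satisfy rules[rule_name]; 'and' binds tighter than 'or',
    no parentheses or negation supported; unknown rules deny."""
    expr = rules.get(rule_name, "!")
    if expr == "!":
        return False
    return any(all(_check(t.strip(), rules, creds, target) for t in clause.split(" and "))
               for clause in expr.split(" or "))

def reporter_change(rules):
    """The reporter's workaround: list_domains only needs rule:admin_required."""
    return {**rules, "identity:list_domains": "rule:admin_required"}

# Constructed credentials: domain1_admin holds the admin role in domain1 only.
DOMAIN1_ADMIN = {"roles": ["admin"], "domain_id": "domain1-id"}
CLOUD_ADMIN = {"roles": ["admin"], "domain_id": "default"}

def scenario():
    """Evaluate the report's calls under the original and the changed policy."""
    target = {"domain_id": "domain1-id"}  # the --domain domain1 lookup target
    weak = reporter_change(BASE_RULES)
    return {
        "list_projects_own_domain": enforce("identity:list_projects", BASE_RULES, DOMAIN1_ADMIN, target),
        "list_domains_original": enforce("identity:list_domains", BASE_RULES, DOMAIN1_ADMIN, {}),
        "list_domains_after_change": enforce("identity:list_domains", weak, DOMAIN1_ADMIN, {}),
        "list_domains_any_other_domain_admin": enforce("identity:list_domains", weak, {"roles": ["admin"], "domain_id": "domain2-id"}, {}),
        "list_domains_cloud_admin": enforce("identity:list_domains", BASE_RULES, CLOUD_ADMIN, {}),
    }
```

As the debug output in the report shows, the project list call ends up needing identity:list_domains; relaxing that rule to rule:admin_required widens the domain listing from the cloud admin domain to every domain's admin, which is the trade-off the workaround makes.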