yahoo-eng-team team mailing list archive

[Bug 1544721] Re: Policy for listing service providers requires admin

 

** Changed in: keystone
       Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1544721

Title:
  Policy for listing service providers requires admin

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  When creating a v3 keystoneclient using non-admin credentials, I'm able
  to get the list of service providers from the service catalog, but the
  policy doesn't allow listing or getting service providers by default.

  >>> ksclient2.service_catalog.catalog[u'service_providers']
  [{u'sp_url': u'http://xxx.xxx.xxx.xxx:5000/Shibboleth.sso/SAML2/ECP', u'auth_url': u'http://xxx.xxx.xxx.xxx:35357/v3/OS-FEDERATION/identity_providers/keystone-idp/protocols/saml2/auth', u'id': u'keystone-sp'}]

  >>> ksclient2.federation.service_providers.list()
  Traceback (most recent call last):
    File "<stdin>", line 1, in <module>
    File "/usr/local/lib/python2.7/dist-packages/keystoneclient/v3/contrib/federation/service_providers.py", line 76, in list
      return super(ServiceProviderManager, self).list(**kwargs)
    File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 75, in func
      return f(*args, **new_kwargs)
    File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 388, in list
      self.collection_key)
    File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 124, in _list
      resp, body = self.client.get(url, **kwargs)
    File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 170, in get
      return self.request(url, 'GET', **kwargs)
    File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 206, in request
      resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
    File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 95, in request
      return self.session.request(url, method, **kwargs)
    File "/usr/local/lib/python2.7/dist-packages/keystoneclient/utils.py", line 337, in inner
      return func(*args, **kwargs)
    File "/usr/local/lib/python2.7/dist-packages/keystoneclient/session.py", line 405, in request
      raise exceptions.from_response(resp, method, url)
  keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:list_service_providers (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-485c64e6-5de1-4470-9439-e05275a350fa)

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1544721/+subscriptions

