
yahoo-eng-team team mailing list archive

[Bug 1610166] [NEW] Cannot list group members with policy.v3cloudsample.json


Public bug reported:

Version: Mitaka

I updated my /etc/keystone/policy.json to policy.v3cloudsample.json [1].
Most functions work as expected.

However, when I wanted to list members in a group as a domain admin, an
error occurred: "You are not authorized to perform the requested action:
identity:list_users_in_group (HTTP 403)"

The reproduce steps are:

As cloud admin:
- openstack domain create taiwan # Assume the id of "taiwan" is "18eaa46db5324a129bac0cdbc48f9512"
- TAIWAN_DOMAIN_ID=18eaa46db5324a129bac0cdbc48f9512
- openstack user create --domain $TAIWAN_DOMAIN_ID --password 5ecret taiwan-president
- openstack role add --user taiwan-president --domain $TAIWAN_DOMAIN_ID admin
As taiwan-president:
- openstack group create --domain $TAIWAN_DOMAIN_ID indigenous
- openstack user create --domain $TAIWAN_DOMAIN_ID margaret
- openstack group add user --group-domain $TAIWAN_DOMAIN_ID --user-domain $TAIWAN_DOMAIN_ID indigenous margaret
- openstack user list --group indigenous --domain $TAIWAN_DOMAIN_ID

The rule for identity:list_users_in_group is rule:cloud_admin or
rule:admin_and_matching_target_group_domain_id. I can successfully list
group members if I change it to rule:admin_required.

I can reproduce this issue in devstack.

[1]
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1610166

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1610166/+subscriptions
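The report quotes the two rules that gate identity:list_users_in_group but not how they are evaluated. The following is an added illustration, not code from the bug report or from keystone: a small Python evaluator for the subset of the oslo.policy rule language these rules use (rule:, role:, attribute checks with %(target...)s substitution, and/or without parentheses). The expansion of admin_and_matching_target_group_domain_id follows policy.v3cloudsample.json; the cloud_admin rule is simplified to a fixed domain id and is an assumption. The example shows that the rule only succeeds for a domain admin when the enforcer is actually handed a target whose group.domain_id matches the caller's domain; a missing target attribute yields the same 403 as a mismatched one, which is worth ruling out when debugging such a policy, though the report itself does not state which case applies.

```python
"""Minimal evaluator for the subset of the Keystone policy language used by
identity:list_users_in_group in policy.v3cloudsample.json (added example)."""

# Domain id taken from the bug report's reproduction steps.
TAIWAN_DOMAIN_ID = "18eaa46db5324a129bac0cdbc48f9512"

# Constructed policy fragment. The list_users_in_group rule is quoted from the
# report; admin_and_matching_target_group_domain_id mirrors the sample file.
# cloud_admin is simplified to a fixed domain id (assumption, not the real rule).
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:CLOUD_ADMIN_DOMAIN",
    "admin_and_matching_target_group_domain_id":
        "rule:admin_required and domain_id:%(target.group.domain_id)s",
    "identity:list_users_in_group":
        "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
}


def _lookup(root, dotted_path):
    """Resolve 'target.group.domain_id' in nested dicts; None if any part is missing."""
    cur = root
    for part in dotted_path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _check_atom(atom, creds, target):
    """Evaluate one 'kind:value' check against the caller's credentials."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return evaluate(value, creds, target)          # reference to another rule
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic attribute check: creds[kind] must equal value, where value may be
    # a %(...)s substitution resolved from the enforcement target.
    if value.startswith("%(") and value.endswith(")s"):
        expected = _lookup({"target": target}, value[2:-2])
        if expected is None:
            return False   # an unresolvable target attribute never matches
    else:
        expected = value
    return creds.get(kind) == expected


def evaluate(rule_name_or_expr, creds, target):
    """Evaluate a named rule or inline expression. 'and' binds tighter than 'or'."""
    expr = POLICY.get(rule_name_or_expr, rule_name_or_expr)
    return any(
        all(_check_atom(atom.strip(), creds, target) for atom in conj.split(" and "))
        for conj in expr.split(" or ")
    )


def check_list_users_in_group(creds, target):
    """True if the caller may list users in the group described by target."""
    return evaluate("identity:list_users_in_group", creds, target)


if __name__ == "__main__":
    domain_admin = {"roles": ["admin"], "domain_id": TAIWAN_DOMAIN_ID}
    group_in_domain = {"group": {"domain_id": TAIWAN_DOMAIN_ID}}
    print("target populated:", check_list_users_in_group(domain_admin, group_in_domain))
    print("target missing:  ", check_list_users_in_group(domain_admin, {}))
```

The two prints in the usage block differ only in whether the group's domain_id reaches the enforcer: with it present and matching, the domain admin is allowed; with it absent, the substitution cannot resolve and the request is denied exactly as a cross-domain request would be. Replacing the rule with rule:admin_required, as the reporter did, removes the domain-scoping check entirely and lets any admin-role holder list any group's members, so it is a diagnostic step rather than a fix.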

