yahoo-eng-team team mailing list archive

[Bug 1610166] Re: Cannot list group members with policy.v3cloudsample.json

*** This bug is a duplicate of bug 1433402 ***
    https://bugs.launchpad.net/bugs/1433402

** This bug has been marked a duplicate of bug 1433402
   list users in group unauthorised with v3 policy

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1610166

Title:
  Cannot list group members with policy.v3cloudsample.json

Status in OpenStack Identity (keystone):
  New

Bug description:
  Version: Mitaka

  I updated my /etc/keystone/policy.json to policy.v3cloudsample.json
  [1]. Most functions work as expected.

  However, when I wanted to list members in a group as a domain admin,
  an error occurred: "You are not authorized to perform the requested
  action: identity:list_users_in_group (HTTP 403)"

  The steps to reproduce are:

  As cloud admin:
  - openstack domain create taiwan # Assume the id of "taiwan" is "18eaa46db5324a129bac0cdbc48f9512"
  - TAIWAN_DOMAIN_ID=18eaa46db5324a129bac0cdbc48f9512
  - openstack user create --domain $TAIWAN_DOMAIN_ID --password 5ecret taiwan-president
  - openstack role add --user taiwan-president --domain $TAIWAN_DOMAIN_ID admin
  As taiwan-president:
  - openstack group create --domain $TAIWAN_DOMAIN_ID indigenous
  - openstack user create --domain $TAIWAN_DOMAIN_ID margaret
  - openstack group add user --group-domain $TAIWAN_DOMAIN_ID --user-domain $TAIWAN_DOMAIN_ID indigenous margaret
  - openstack user list --group indigenous --domain $TAIWAN_DOMAIN_ID

  The last command will generate the 403 error.

  The rule for "identity:list_users_in_group" is "rule:cloud_admin or
  rule:admin_and_matching_target_group_domain_id". I can successfully
  list group members if I change it to "rule:admin_required". But it's
  just a workaround.

  I can reproduce this issue in devstack.

  [1]
  https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1610166/+subscriptions
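
Added example (not part of the original report, and not Keystone or oslo.policy code): a minimal evaluator for the rule quoted above, showing that the domain-scoped rule denies when the target carries no group domain_id, and that the "rule:admin_required" workaround also admits an admin from a different domain. The bodies of admin_required, cloud_admin and admin_and_matching_target_group_domain_id, the flattened target key, and all credentials and targets are assumptions constructed for illustration; the page does not state which condition triggers the 403 in Keystone.

```python
# Added illustration, not Keystone or oslo.policy code: a minimal evaluator for
# the policy syntax quoted in the report ("rule:", "role:", "attr:value", and/or).
RULES = {
    "admin_required": "role:admin",                      # assumed body
    # Assumed, simplified body; "admin_domain_id" is a placeholder value.
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    # Assumed body of the second rule named in the report.
    "admin_and_matching_target_group_domain_id":
        "rule:admin_required and domain_id:%(target.group.domain_id)s",
    # Quoted from the report.
    "identity:list_users_in_group":
        "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
}
# The reporter's workaround: same rules, with the action set to admin_required.
WORKAROUND = {**RULES, "identity:list_users_in_group": "rule:admin_required"}

def _atom(atom, creds, target, rules):
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return check(rules[match], creds, target, rules)
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        match = match % target   # fills %(target.group.domain_id)s from target
    except KeyError:
        return False             # attribute absent from the target: check fails
    return creds.get(kind) == match

def check(expr, creds, target, rules):
    """Evaluate an 'a and b or c' expression (no parentheses supported)."""
    return any(all(_atom(a.strip(), creds, target, rules)
                   for a in conj.split(" and "))
               for conj in expr.split(" or "))

def allowed(creds, target, rules=RULES):
    return check(rules["identity:list_users_in_group"], creds, target, rules)

DOMAIN = "18eaa46db5324a129bac0cdbc48f9512"               # domain id from the report
domain_admin = {"roles": ["admin"], "domain_id": DOMAIN}  # domain-scoped admin
other_admin = {"roles": ["admin"], "domain_id": "constructed-other-domain"}
with_group = {"target.group.domain_id": DOMAIN}           # constructed target
no_group = {}                                             # constructed: no group data

if __name__ == "__main__":
    for name, creds in (("domain_admin", domain_admin), ("other_admin", other_admin)):
        for tname, target in (("with_group", with_group), ("no_group", no_group)):
            print(name, tname, "sample:", allowed(creds, target),
                  "workaround:", allowed(creds, target, WORKAROUND))
```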