
yahoo-eng-team team mailing list archive

[Bug 1630434] [NEW] policy.v3cloudsample.json doesn't allow domain admin list role assignments on project

Public bug reported:

My OpenStack version is Mitaka.

With an admin domain-scoped token, a domain admin cannot list role
assignments on the project in the domain. The error messages are:

{
    "error": {
        "code": 403,
        "message": "You are not authorized to perform the requested action: identity:list_role_assignments",
        "title": "Forbidden"
    }
}

I am currently using a workaround: adding include_subtree=true to use
"identity:list_role_assignments_for_tree".

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1630434
