← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #69212

[Bug 1732502] [NEW] project-list command does not work for a user with admin role on domain

  Thread PreviousDate PreviousThread Next 
Public bug reported:

I use identity v3.

I have a domain and two projects inside.
I also have a user in this domain who has admin role on the domain.

I do "openstack project list --domain <my domain uuid>" 
and get "You are not authorized to perform the requested action: identity:list_projects (HTTP 403)".

the policy for identity:list_projects says "cloud admin or rule:admin_and_matching_domain_id".
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s".
the issue is with domain_id probably, because once I remove it (e.g. "admin_and_matching_domain_id": "rule:admin_required"), it works.

I tried also with admin role on both domain's projects. No success.


Following link mentions the issue but trying to hardcode my domain uuid instead of "%(domain_id)s" did not work for me - https://ask.openstack.org/en/question/69418/not-authorized-to-list-projects-with-keystone-v3/

I also do the projects list request with domain-scoped token via
openstack4j java library. same result.

Also, I saw some guy who tried the request via pure REST call (GET /v3/projects) and it did not work until he added the domain_id on request (GET /v3/projects?domain_id=...).
I did not try it by myself.

I use RDO NEWTON release.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1732502

Title:
  project-list command does not work for a user with admin role on
  domain

Status in OpenStack Identity (keystone):
  New

Bug description:
  I use identity v3.

  I have a domain and two projects inside.
  I also have a user in this domain who has admin role on the domain.

  I do "openstack project list --domain <my domain uuid>" 
  and get "You are not authorized to perform the requested action: identity:list_projects (HTTP 403)".

  the policy for identity:list_projects says "cloud admin or rule:admin_and_matching_domain_id".
  "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s".
  the issue is with domain_id probably, because once I remove it (e.g. "admin_and_matching_domain_id": "rule:admin_required"), it works.

  I tried also with admin role on both domain's projects. No success.

  
  Following link mentions the issue but trying to hardcode my domain uuid instead of "%(domain_id)s" did not work for me - https://ask.openstack.org/en/question/69418/not-authorized-to-list-projects-with-keystone-v3/

  I also do the projects list request with domain-scoped token via
  openstack4j java library. same result.

  Also, I saw some guy who tried the request via pure REST call (GET /v3/projects) and it did not work until he added the domain_id on request (GET /v3/projects?domain_id=...).
  I did not try it by myself.

  I use RDO NEWTON release.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1732502/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next