yahoo-eng-team team mailing list archive

[Bug 1805165] [NEW] Cannot list project role assignments as domain admin

 

Public bug reported:

As domain admin, I would like to list role assignments on projects of my
domain. The default v3 policies are:

"admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
"admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
"identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",

I expected that adding a new rule like

"admin_on_project_domain_filter": "rule:admin_required and project_id:%(scope.project.domain.id)s",

would work, but it did not.

I ran into this bug on Newton, but according to the code it seems to be
present in Rocky. I am not sure about current master.

The attached patch is how I fixed it for Newton.

** Affects: keystone
     Importance: Undecided
         Status: New

** Attachment added: "policies.patch"
   https://bugs.launchpad.net/bugs/1805165/+attachment/5216526/+files/policies.patch

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1805165

Title:
  Cannot list project role assignments as domain admin

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1805165/+subscriptions
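
An added example, not part of the bug report, keystone or the attached patch: a simplified model of how an oslo.policy-style "kind:%(key)s" check is evaluated, run over the rules quoted above. The credentials, the target contents (assumed to hold only the request's filters) and the admin_required/cloud_admin stand-ins are constructed assumptions.

```python
# Simplified model of oslo.policy-style rule evaluation (added example).
POLICY = {
    # Stand-in definitions (assumptions, not keystone's defaults).
    "admin_required": "role:admin",
    "cloud_admin": "role:cloud_admin",
    # The three default rules quoted in the report.
    "admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
    "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
    "identity:list_role_assignments": ("rule:cloud_admin or rule:admin_on_domain_filter"
                                       " or rule:admin_on_project_filter"),
    # The rule the reporter tried adding.
    "admin_on_project_domain_filter":
        "rule:admin_required and project_id:%(scope.project.domain.id)s",
}

def check(rule, target, creds):
    """Evaluate a flat 'a and b or c' rule string (no parentheses, no 'not')."""
    return any(all(_atom(a.strip(), target, creds) for a in conj.split(" and "))
               for conj in rule.split(" or "))

def _atom(atom, target, creds):
    kind, _, match = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return check(POLICY[match], target, creds)
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        wanted = match % target             # right side is filled from the target
    except KeyError:
        return False                        # key absent from target: check fails
    return kind in creds and str(creds[kind]) == wanted  # left side: credential

# Constructed request: a domain-scoped admin of domain "d1" lists role
# assignments filtered by project "p1" (which belongs to "d1").
CREDS = {"roles": ["admin"], "domain_id": "d1"}
TARGET = {"scope.project.id": "p1"}
ENRICHED = {"scope.project.id": "p1", "scope.project.domain.id": "d1"}  # hypothetical

def results():
    added = POLICY["admin_on_project_domain_filter"]
    return {
        "default": check(POLICY["identity:list_role_assignments"], TARGET, CREDS),
        "added_rule": check(added, TARGET, CREDS),
        "added_rule_enriched": check(added, ENRICHED, CREDS),
        "domain_id_enriched": check(added.replace("project_id:", "domain_id:"),
                                    ENRICHED, CREDS),
    }

if __name__ == "__main__":
    for name, allowed in results().items():
        print(f"{name}: {allowed}")
```

In this model the left side of a check is read from the token credentials and the right side from the request target, so a check is denied whenever either key is missing.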