yahoo-eng-team team mailing list archive
Message #78022
[Bug 1732502] Re: project-list command does not work for a user with admin role on domain
*** This bug is a duplicate of bug 1750660 ***
https://bugs.launchpad.net/bugs/1750660
I think this is covered by
https://bugs.launchpad.net/keystone/+bug/1750660 and the default project
policies now account for domain scope.
** This bug has been marked a duplicate of bug 1750660
The v3 project API should account for different scopes
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1732502
Title:
project-list command does not work for a user with admin role on
domain
Status in OpenStack Identity (keystone):
In Progress
Bug description:
I use identity v3.
I have a domain and two projects inside.
I also have a user in this domain who has admin role on the domain.
I do "openstack project list --domain <my domain uuid>"
and get "You are not authorized to perform the requested action: identity:list_projects (HTTP 403)".
The policy for identity:list_projects says "cloud admin or rule:admin_and_matching_domain_id".
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s".
The issue is with domain_id probably, because once I remove it (e.g. "admin_and_matching_domain_id": "rule:admin_required"), it works.
I tried also with admin role on both domain's projects. No success.
Following link mentions the issue but trying to hardcode my domain
uuid instead of "%(domain_id)s" did not work for me -
https://ask.openstack.org/en/question/69418/not-authorized-to-list-projects-with-keystone-v3/
I also do the projects list request with a domain-scoped token via
the openstack4j Java library. Same result.
Also, I saw some guy who tried the request via pure REST call (GET /v3/projects) and it did not work until he added the domain_id on request (GET /v3/projects?domain_id=...).
I did not try it myself.
I use RDO NEWTON release.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1732502/+subscriptions
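An added example, not part of the original bug report or of keystone's code: a simplified Python model of how a `domain_id:%(domain_id)s` check like the one quoted in the bug description is evaluated, assuming oslo.policy-style semantics (the left side is read from the token's credentials, the right side is filled in from the request target). The helper names, the IDs, and the assumption that the `domain_id` query filter reaches the policy target are illustrative.

```python
# Simplified model of an oslo.policy-style generic check ("kind:match").
# Not keystone's or oslo.policy's code; all IDs below are constructed.

DOMAIN = "d0main-uuid-constructed"


def generic_check(kind, match, target, creds):
    """Evaluate "kind:match": fill match from the target, then compare the
    result with the credential attribute named by kind."""
    try:
        expected = match % target      # "%(domain_id)s" -> target's domain_id
    except KeyError:
        return False                   # target has no such key: check fails
    if kind not in creds:
        return False                   # token carries no such attribute
    return expected == str(creds[kind])


def admin_and_matching_domain_id(target, creds):
    """Model of: rule:admin_required and domain_id:%(domain_id)s"""
    admin_required = "admin" in creds.get("roles", [])
    return admin_required and generic_check(
        "domain_id", "%(domain_id)s", target, creds)


def evaluate_cases():
    # Assumption: a domain-scoped token exposes domain_id in the credentials,
    # a project-scoped token exposes project_id instead.
    domain_scoped = {"roles": ["admin"], "domain_id": DOMAIN}
    project_scoped = {"roles": ["admin"], "project_id": "pr0ject-uuid-constructed"}
    filtered = {"domain_id": DOMAIN}   # models GET /v3/projects?domain_id=...
    unfiltered = {}                    # models GET /v3/projects
    other = {"domain_id": "other-domain-constructed"}
    return {
        "domain token, filtered": admin_and_matching_domain_id(filtered, domain_scoped),
        "domain token, unfiltered": admin_and_matching_domain_id(unfiltered, domain_scoped),
        "project token, filtered": admin_and_matching_domain_id(filtered, project_scoped),
        "domain token, other domain": admin_and_matching_domain_id(other, domain_scoped),
    }


if __name__ == "__main__":
    for case, allowed in evaluate_cases().items():
        print(f"{case:28} -> {'allowed' if allowed else '403'}")
```

In this model the rule passes only when the token is domain-scoped and the request target names the same domain; dropping `domain_id:%(domain_id)s` from the rule, as described in the report, removes both conditions and leaves only the role check.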