yahoo-eng-team team mailing list archive
Message #80275
[Bug 1630434] Re: policy.v3cloudsample.json doesn't allow domain admin list role assignments on project
Reviewed: https://review.opendev.org/682266
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d4a6023de5bdfe5a6e9214579a35e083a45c1151
Submitter: Zuul
Branch: master
commit d4a6023de5bdfe5a6e9214579a35e083a45c1151
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date: Mon Sep 16 02:52:12 2019 +0000
Remove policy.v3cloudsample.json
We've made all the default policies keystone supports better by
incorporating default roles and scope types. These changes have made
the ``policy.v3cloudsample.json`` file obsolete.
Let's simplify things for users, operators, and developers by removing
it.
A follow-on patch will remove the test_v3_protection.py file since
those behaviors are passing all the protection tests with the default
policies in code.
Related-Bug: 1805880
Closes-Bug: 1630434
Closes-Bug: 1806762
Change-Id: Ie45955f5cc54563cc9704d7cb2b656b5544ae030
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1630434
Title:
policy.v3cloudsample.json doesn't allow domain admin list role
assignments on project
Status in OpenStack Identity (keystone):
Fix Released
Bug description:
My OpenStack version is Mitaka.
With an admin domain-scoped token, a domain admin cannot list role
assignments on the project in the domain. The error messages are:
  {
    "error": {
      "code": 403,
      "message": "You are not authorized to perform the requested action: identity:list_role_assignments",
      "title": "Forbidden"
    }
  }
I am currently using a workaround: adding include_subtree=true to use
"identity:list_role_assignments_for_tree".
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1630434/+subscriptions