yahoo-eng-team team mailing list archive

[Bug 1848625] [NEW] Domain admin can't list users in domain via CLI

 

Public bug reported:

Cloud information:

Ubuntu 18.04
OpenStack Queens (bionic distro)

Keystone versions:

ubuntu@juju-2553c4-21-lxd-10:~$ dpkg -l | grep keystone
ii  keystone                       2:13.0.2-0ubuntu1
ii  python-keystone                2:13.0.2-0ubuntu1
ii  python-keystoneauth1           3.4.0-0ubuntu1
ii  python-keystoneclient          1:3.15.0-0ubuntu1
ii  python-keystonemiddleware      4.21.0-0ubuntu1


Problem description:

The admin of a domain can't list the users in that domain through the
CLI with openstack user list or openstack user list --domain <domain
id>.

However, listing the users in Horizon works (Login as domain admin in
the domain > Identity > Users).

The CLI fails with:

$ openstack user list
You are not authorized to perform the requested action: identity:list_users. (HTTP 403) (Request-ID: req-0e04d3ee-a2c1-4b50-9cd6-b82105ab7203)

$ openstack user list --domain <domain> 
You are not authorized to perform the requested action: identity:list_users. (HTTP 403) (Request-ID: req-978f5de7-2d73-4ea1-822d-74b2d801f5eb)

$ openstack user list --domain <domain id>
You are not authorized to perform the requested action: identity:list_users. (HTTP 403) (Request-ID: req-782be79f-6247-4b11-b217-8ae211ea96e8)

The RC file sourced to do this test is the one generated by downloading
the OpenStack RC File V3 in Horizon when logged in as the domain admin:

export OS_AUTH_URL=http://10.10.51.20:5000/v3
export OS_PROJECT_ID=<project id>
export OS_PROJECT_NAME="<project name>"
export OS_USER_DOMAIN_NAME="<domain name>"
if [ -z "$OS_USER_DOMAIN_NAME" ]; then unset OS_USER_DOMAIN_NAME; fi
export OS_PROJECT_DOMAIN_ID="<domain id>"
if [ -z "$OS_PROJECT_DOMAIN_ID" ]; then unset OS_PROJECT_DOMAIN_ID; fi
unset OS_TENANT_ID
unset OS_TENANT_NAME
export OS_USERNAME="<domain admin user>"
export OS_PASSWORD="<password>"
export OS_REGION_NAME="RegionOne"
if [ -z "$OS_REGION_NAME" ]; then unset OS_REGION_NAME; fi
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3


Extra info:

$ openstack role assignment list --names
+--------+------+------------------------+--------------------+----------+--------+-----------+
| Role   | User | Group                  | Project            | Domain   | System | Inherited |
+--------+------+------------------------+--------------------+----------+--------+-----------+
[...]
| Admin  |      | <admin group>@<domain> | <project>@<domain> |          |        | False     |
| Member |      | <admin group>@<domain> | <project>@<domain> |          |        | False     |
| Admin  |      | <admin group>@<domain> |                    | <domain> |        | False     |


When doing "openstack user list" or "openstack user list --domain
<domain id>", Keystone logs show:

(py.warnings): 2019-10-18 04:10:56,037 WARNING /usr/lib/python2.7/dist-packages/oslo_policy/policy.py:865: UserWarning: Policy identity:list_users failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
  warnings.warn(msg)

(keystone.common.wsgi): 2019-10-18 04:10:56,038 WARNING You are not
authorized to perform the requested action: identity:list_users.


/etc/keystone/policy.json has:

    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",


As mentioned above, the workaround is to use the Horizon UI to list the
users in the domain.
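As an added illustration (not part of the bug report, Keystone or oslo.policy), a minimal Python evaluator for the two policy.json rules quoted above, run against constructed credential dicts for a project-scoped token (what the Horizon RC file yields) and a domain-scoped token for the same domain admin. The bodies of `admin_required` and `cloud_admin`, the placeholder ids, and the shape of the credential dicts are assumptions modelled on Keystone's v3 cloud sample policy, not values from the report.

```python
import re
# Added illustration, not Keystone/oslo.policy code: the two rules quoted from the
# report's policy.json plus assumed bodies for the rules they reference.
ADMIN_DOMAIN_ID = "ADMIN_DOMAIN_ID_PLACEHOLDER"   # constructed placeholder
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "cloud_admin": "rule:admin_required and domain_id:" + ADMIN_DOMAIN_ID,
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}
SCOPE_TYPES = {"identity:list_users": ["system"]}  # as the log warning states

def check(expr, creds, target, policy=POLICY):
    """Evaluate a check string: 'or' (lowest precedence), 'and', 'rule:', 'role:', 'key:value'."""
    if " or " in expr:
        return any(check(p, creds, target, policy) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, creds, target, policy) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "rule":
        return check(policy[value], creds, target, policy)
    if kind == "role":  # role names compare case-insensitively
        return value.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: 'key:%(field)s' compares creds[key] with target[field]; a missing key fails.
    m = re.fullmatch(r"%\((\w+)\)s", value)
    expected = target.get(m.group(1)) if m else value
    if kind not in creds or expected is None:
        return False
    return str(creds[kind]) == str(expected)

def enforce(rule, creds, token_scope, target, enforce_scope=False):
    """Return (allowed, scope_warning); enforce_scope=False only logs the mismatch, as in the report."""
    warning = None
    if token_scope not in SCOPE_TYPES.get(rule, [token_scope]):
        warning = ("Policy %s failed scope check. The token used to make the request "
                   "was %s scoped but the policy requires %s scope."
                   % (rule, token_scope, SCOPE_TYPES[rule]))
        if enforce_scope:
            return False, warning
    return check(POLICY[rule], creds, target), warning

# Constructed credentials for one domain admin. Assumption: a project-scoped token
# carries project_domain_id but no domain_id; a domain-scoped token carries
# domain_id, which is the creds key the quoted rule compares against the target.
DOMAIN_ID = "DOMAIN_ID_PLACEHOLDER"
PROJECT_TOKEN = {"roles": ["Admin", "Member"], "project_id": "PROJECT_ID_PLACEHOLDER",
                 "project_domain_id": DOMAIN_ID}
DOMAIN_TOKEN = {"roles": ["Admin"], "domain_id": DOMAIN_ID}
TARGET = {"domain_id": DOMAIN_ID}   # openstack user list --domain <domain id>
```

With these inputs the project-scoped token is denied by both branches of identity:list_users while the domain-scoped token passes admin_and_matching_domain_id, and both produce the scope warning seen in the log because the rule's scope type is system.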

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1848625

Title:
  Domain admin can't list users in domain via CLI

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1848625/+subscriptions
