
yahoo-eng-team team mailing list archive

[Bug 1848625] Re: Domain admin can't list users in domain via CLI

 

> Maybe we should provide a way to generate a domain vs project scoped
token from Horizon when logged in as the desired user.

I think that's a valid request, could you file that with the horizon
project?

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1848625

Title:
  Domain admin can't list users in domain via CLI

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Cloud information:

  Ubuntu 18.04
  OpenStack Queens (bionic distro)

  Keystone versions:

  ubuntu@juju-2553c4-21-lxd-10:~$ dpkg -l | grep keystone
  ii  keystone                       2:13.0.2-0ubuntu1
  ii  python-keystone                2:13.0.2-0ubuntu1
  ii  python-keystoneauth1           3.4.0-0ubuntu1
  ii  python-keystoneclient          1:3.15.0-0ubuntu1
  ii  python-keystonemiddleware      4.21.0-0ubuntu1

  
  Problem description:

  The admin of a domain can't list the users in that domain through the
  CLI with openstack user list or openstack user list --domain <domain
  id>.

  However, listing the users in Horizon works (Login as domain admin in
  the domain > Identity > Users).

  The CLI fails with:

  $ openstack user list
  You are not authorized to perform the requested action: identity:list_users. (HTTP 403) (Request-ID: req-0e04d3ee-a2c1-4b50-9cd6-b82105ab7203)

  $ openstack user list --domain <domain> 
  You are not authorized to perform the requested action: identity:list_users. (HTTP 403) (Request-ID: req-978f5de7-2d73-4ea1-822d-74b2d801f5eb)

  $ openstack user list --domain <domain id>
  You are not authorized to perform the requested action: identity:list_users. (HTTP 403) (Request-ID: req-782be79f-6247-4b11-b217-8ae211ea96e8)

  The RC file sourced to do this test is the one generated by
  downloading the OpenStack RC File V3 in Horizon when logged in as the
  domain admin:

  export OS_AUTH_URL=http://10.10.51.20:5000/v3
  export OS_PROJECT_ID=<project id>
  export OS_PROJECT_NAME="<project name>"
  export OS_USER_DOMAIN_NAME="<domain name>"
  if [ -z "$OS_USER_DOMAIN_NAME" ]; then unset OS_USER_DOMAIN_NAME; fi
  export OS_PROJECT_DOMAIN_ID="<domain id>"
  if [ -z "$OS_PROJECT_DOMAIN_ID" ]; then unset OS_PROJECT_DOMAIN_ID; fi
  unset OS_TENANT_ID
  unset OS_TENANT_NAME
  export OS_USERNAME="<domain admin user>"
  export OS_PASSWORD="<password>"
  export OS_REGION_NAME="RegionOne"
  if [ -z "$OS_REGION_NAME" ]; then unset OS_REGION_NAME; fi
  export OS_INTERFACE=public
  export OS_IDENTITY_API_VERSION=3

  
  Extra info:

  $ openstack role assignment list --names
  +--------+------+------------------------+--------------------+----------+--------+-----------+
  | Role   | User | Group                  | Project            | Domain   | System | Inherited |
  +--------+------+------------------------+--------------------+----------+--------+-----------+
  [...]
  | Admin  |      | <admin group>@<domain> | <project>@<domain> |          |        | False     |
  | Member |      | <admin group>@<domain> | <project>@<domain> |          |        | False     |
  | Admin  |      | <admin group>@<domain> |                    | <domain> |        | False     |


  
  When doing "openstack user list" or "openstack user list --domain <domain id>", Keystone logs show:

  (py.warnings): 2019-10-18 04:10:56,037 WARNING /usr/lib/python2.7/dist-packages/oslo_policy/policy.py:865: UserWarning: Policy identity:list_users failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
    warnings.warn(msg)

  (keystone.common.wsgi): 2019-10-18 04:10:56,038 WARNING You are not
  authorized to perform the requested action: identity:list_users.

  
  /etc/keystone/policy.json has:

      "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
      "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",


  As mentioned above, the workaround is to use the Horizon UI to list
  the users in the domain.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1848625/+subscriptions
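Added example (not code from the bug report, from keystone, or from the comment above): the RC file Horizon generates requests a project-scoped token (OS_PROJECT_ID / OS_PROJECT_NAME), while the policy.json rule quoted in the report, "rule:admin_required and domain_id:%(domain_id)s", can only match a token that is itself domain-scoped, because only a domain-scoped token carries a domain_id in the credentials oslo.policy evaluates. In Queens oslo.policy's enforce_scope defaults to False, so the "failed scope check" line in the log is advisory; the 403 comes from that rule. The script below builds the two Keystone v3 POST /v3/auth/tokens bodies (project scope versus domain scope), shows the OS_* variables each corresponds to, and evaluates a small hand-written model of the two rules against each token's credentials. The policy evaluator is a simplified model, not oslo.policy; the definition of rule:cloud_admin is not in the report and is assumed here to mean admin on the admin project; all names and IDs are constructed.

```python
"""Domain- vs project-scoped Keystone v3 tokens and the identity:list_users rule.

Added example, not code from the bug report or from keystone. The policy
evaluation is a hand-written model of the two rules quoted in the report,
not oslo.policy itself. All names and IDs below are constructed.
"""
import json

# Constructed stand-ins for the <...> placeholders in the report (assumptions).
AUTH_URL = "http://10.10.51.20:5000/v3"
DOMAIN_ID, DOMAIN_NAME = "2b1e4d8f", "customer-a"
PROJECT_ID = "9c7a3f11"
USERNAME, PASSWORD = "domadmin", "s3cret"
OTHER_DOMAIN_ID = "ffffffff"


def build_password_auth(username, password, user_domain_name, scope):
    """Keystone v3 POST /v3/auth/tokens body for password authentication.

    scope is {"project": {"id": ...}} (what the Horizon RC file produces) or
    {"domain": {"id": ...}} (what a domain admin needs for identity:* calls).
    """
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain_name},
                        "password": password,
                    }
                },
            },
            "scope": scope,
        }
    }


def rc_environment(scope):
    """OS_* variables openstackclient/keystoneauth read for the given scope.

    A domain-scoped RC file sets OS_DOMAIN_ID (or OS_DOMAIN_NAME) and must not
    set OS_PROJECT_* at all, otherwise keystoneauth requests project scope.
    """
    env = {
        "OS_AUTH_URL": AUTH_URL,
        "OS_IDENTITY_API_VERSION": "3",
        "OS_USERNAME": USERNAME,
        "OS_PASSWORD": PASSWORD,
        "OS_USER_DOMAIN_NAME": DOMAIN_NAME,
    }
    if "project" in scope:
        env["OS_PROJECT_ID"] = scope["project"]["id"]
        env["OS_PROJECT_DOMAIN_ID"] = DOMAIN_ID
    else:
        env["OS_DOMAIN_ID"] = scope["domain"]["id"]
    return env


def policy_values(scope, roles):
    """Simplified model of the credential dict keystone hands to oslo.policy.

    Only a domain-scoped token carries domain_id. A project-scoped token
    carries project_id, and its domain shows up as project_domain_id, which
    the domain_id:%(domain_id)s check does not look at.
    """
    values = {"roles": roles, "project_id": None, "project_domain_id": None,
              "domain_id": None, "is_admin_project": False}
    if "project" in scope:
        values["project_id"] = scope["project"]["id"]
        values["project_domain_id"] = DOMAIN_ID
    else:
        values["domain_id"] = scope["domain"]["id"]
    return values


def list_users_allowed(creds, target):
    """Model of "rule:cloud_admin or rule:admin_and_matching_domain_id".

    admin_required is modelled as role:admin (role names compare
    case-insensitively, as in oslo.policy). cloud_admin is not shown in the
    report; it is assumed here to mean admin on the admin project.
    """
    is_admin = "admin" in {r.lower() for r in creds["roles"]}
    cloud_admin = is_admin and creds["is_admin_project"]
    matching_domain = (is_admin and creds["domain_id"] is not None
                       and creds["domain_id"] == target.get("domain_id"))
    return cloud_admin or matching_domain


if __name__ == "__main__":
    for scope in ({"project": {"id": PROJECT_ID}}, {"domain": {"id": DOMAIN_ID}}):
        print(json.dumps(build_password_auth(USERNAME, PASSWORD, DOMAIN_NAME, scope)))
        print(rc_environment(scope))
        creds = policy_values(scope, ["Admin", "Member"])
        print(scope, "-> list_users allowed:",
              list_users_allowed(creds, {"domain_id": DOMAIN_ID}))
```

Run as-is it prints both auth bodies and their RC equivalents; the project-scoped credentials are denied and the domain-scoped ones are allowed for their own domain only. The practical fix for the CLI case in the report is therefore to source an RC file that sets OS_DOMAIN_ID (or OS_DOMAIN_NAME) and unsets OS_PROJECT_ID and OS_PROJECT_NAME, or to pass --os-domain-id on the openstack command line.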