yahoo-eng-team team mailing list archive

[Bug 1885647] [NEW] Unable to allow users to see role assignments on all their projects

 

Public bug reported:

I'm trying to allow users to see what roles they have on all of their
projects.

It would seem that this should do this in policy

"identity:list_role_assignments": "rule:admin_or_monitoring or
project_id:%(scope.project.id)s or user_id:%(scope.user.id)s"

However this doesn't work.

With project_id:%(scope.project.id)s it allows a user to list the roles
of the project they are authed to, but it doesn't work with
user_id:%(scope.user.id)s

I notice that when using the keystone client it treats filtering by
user_id and project_id differently

When filtering by project it does:
/v3/role_assignments?scope.project.id=094ae1e2c08f4eddb444a9d9db71ab40

But when filtering by user it does:
/v3/role_assignments?user.id=d1fa8867e42444cf8724e65fef1da549


Is there something I'm missing here or is this possibly a bug?

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1885647

Title:
  Unable to allow users to see role assignments on all their projects

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1885647/+subscriptions
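
A simplified model of how a "cred_key:%(target_key)s" policy check is matched against the two request shapes quoted in the report. This is an added example, not keystone or oslo.policy code and not part of the bug report. It assumes the policy target is keyed by the literal query-string filter names and that a check whose target key is absent evaluates to false; VARIANT_RULE is hypothetical and not verified against keystone.

```python
from urllib.parse import parse_qsl, urlsplit

# IDs are the ones quoted in the report; the caller's credentials are constructed.
CREDS = {"user_id": "d1fa8867e42444cf8724e65fef1da549",
         "project_id": "094ae1e2c08f4eddb444a9d9db71ab40"}

# The two generic checks from the reported rule (rule:admin_or_monitoring left out).
REPORTED_RULE = "project_id:%(scope.project.id)s or user_id:%(scope.user.id)s"
# Hypothetical variant keyed on the filter name the client actually sends.
VARIANT_RULE = "project_id:%(scope.project.id)s or user_id:%(user.id)s"


def target_from_request(url):
    """Assumption: the target holds the query filters under their literal names."""
    return dict(parse_qsl(urlsplit(url).query))


def generic_check(check, target, creds):
    """Evaluate one 'cred_key:%(target_key)s' check against the target."""
    cred_key, _, template = check.partition(":")
    try:
        expected = template % target  # 'scope.user.id' is looked up as one key
    except KeyError:
        return False  # assumption: a key absent from the target fails the check
    return cred_key in creds and str(creds[cred_key]) == expected


def allowed(rule, url, creds=CREDS):
    """True if any 'or'-joined check passes for this request."""
    target = target_from_request(url)
    return any(generic_check(c.strip(), target, creds) for c in rule.split(" or "))


BY_PROJECT = "/v3/role_assignments?scope.project.id=" + CREDS["project_id"]
BY_USER = "/v3/role_assignments?user.id=" + CREDS["user_id"]
OTHER_USER = "/v3/role_assignments?user.id=constructed-other-user-id"

if __name__ == "__main__":
    for rule in (REPORTED_RULE, VARIANT_RULE):
        for url in (BY_PROJECT, BY_USER, OTHER_USER, "/v3/role_assignments"):
            print(f"{allowed(rule, url)!s:5}  {rule.split(' or ')[1]:30}  {url}")
```

In this model an unfiltered request and a request filtered on another user's ID both fail the variant rule, so only a listing filtered on the caller's own user ID or current project passes without the admin rule.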