yahoo-eng-team team mailing list archive
Message #88960
[Bug 1975732] [NEW] System Reader cannot read system scope resources
Public bug reported:
I created a user with project member role and assigned reader role with system_scope:all.
```
$ openstack role assignment list --names --system all --role reader
+--------+-------------------+-------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+--------+-------------------+-------+---------+--------+--------+-----------+
| reader | user1@Default | | | | all | False |
+--------+-------------------+-------+---------+--------+--------+-----------+
```
But this user can only list resources in his project.
For example, it failed to list all servers in the system, with the following error.
```
$ openstack server list --all
Policy doesn't allow os_compute_api:servers:detail:get_all_tenants to be performed. (HTTP 403) (Request-ID: req-0be7173f-83cc-4917-9735-82e31464da32)
```
In nova api log, I can see `system_scope: None` in policy check.
```
Policy check for os_compute_api:servers:allow_all_filters failed with scope check {'is_admin': False, 'user_id': 'c0f8017926b496459fa91995a502c68c', 'user_domain_id': 'default', 'system_scope': None, 'domain_id': None, 'project_id': '62a1872ed4a9ef9865311576145b3baa', 'project_domain_id': 'default', 'roles': ['reader'], 'is_admin_project': True, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_id': None, 'service_project_domain_id': None, 'service_roles': []} authorize /var/lib/openstack/lib/python3.8/site-packages/nova/policy.py:192
```
It also failed to get other resources such as services, endpoints and users, which require system-scope permission.
It seems system scope is not working at all.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1975732
Title:
System Reader cannot read system scope resources
Status in OpenStack Identity (keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1975732/+subscriptions
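An added illustration, not part of the bug report or of any OpenStack project's code: the credential dict nova logged above has `project_id` set and `system_scope: None`, which is the shape a project-scoped token produces regardless of what role assignments the user holds on the system. A system role assignment is only exercised when the client requests a system-scoped token (with the openstack CLI, `OS_SYSTEM_SCOPE=all` and no `OS_PROJECT_NAME`/`OS_PROJECT_ID` in the environment). The block below is a deliberately simplified reimplementation of how a scope-typed policy rule is enforced, not oslo.policy itself; it supports only `and`-joined `key:value` atoms. It reuses the logged credentials as one input and a constructed system-scoped credential dict as the other. The rule string `role:reader and system_scope:all` is assumed here for the system-reader check and is not taken from the page.

```python
"""Minimal model of enforcing a scope-typed policy rule.

Simplified reimplementation for illustration only; this is NOT oslo.policy
and covers only `and`-joined `key:value` atoms of its rule language.
"""
import re

# Credentials as nova logged them in the bug report (a project-scoped token:
# project_id is set, system_scope is None).
PROJECT_SCOPED_CREDS = {
    'is_admin': False,
    'user_id': 'c0f8017926b496459fa91995a502c68c',
    'user_domain_id': 'default',
    'system_scope': None,
    'domain_id': None,
    'project_id': '62a1872ed4a9ef9865311576145b3baa',
    'project_domain_id': 'default',
    'roles': ['reader'],
}

# Constructed: the same user's credentials when the token was requested with
# system scope (no project in the token, system_scope == 'all').
SYSTEM_SCOPED_CREDS = dict(PROJECT_SCOPED_CREDS,
                           system_scope='all',
                           project_id=None,
                           project_domain_id=None)

# Assumed rule (not from the page): the form secure-RBAC defaults use for a
# system-reader-only API.
SYSTEM_READER_RULE = 'role:reader and system_scope:all'

ATOM = re.compile(r'^(\w+):(\S+)$')


def token_scope(creds):
    """Classify a token by the scope attributes keystone middleware exposes."""
    if creds.get('system_scope'):
        return 'system'
    if creds.get('domain_id'):
        return 'domain'
    if creds.get('project_id'):
        return 'project'
    return 'unscoped'


def _atom(atom, creds):
    """Evaluate one `key:value` atom against the credential dict."""
    key, value = ATOM.match(atom).groups()
    if key == 'role':
        return value in creds.get('roles', [])
    # Any other key is compared literally against the credential attribute,
    # e.g. system_scope:all matches only when creds['system_scope'] == 'all'.
    return str(creds.get(key)) == value


def enforce(rule, scope_types, creds, enforce_scope=True):
    """Return (allowed, reason) for `rule` evaluated against `creds`.

    With enforce_scope=True the token's scope must be one of `scope_types`;
    a mismatch fails the check before the rule body is even evaluated, which
    is the "failed with scope check" path seen in the nova log.
    """
    scope = token_scope(creds)
    if enforce_scope and scope not in scope_types:
        return False, (f'scope check failed: token is {scope}-scoped, '
                       f'rule requires one of {scope_types}')
    for atom in (a.strip() for a in rule.split(' and ')):
        if not _atom(atom, creds):
            return False, f'rule failed on {atom!r}'
    return True, 'allowed'


if __name__ == '__main__':
    for name, creds in (('project-scoped token', PROJECT_SCOPED_CREDS),
                        ('system-scoped token', SYSTEM_SCOPED_CREDS)):
        ok, why = enforce(SYSTEM_READER_RULE, ['system'], creds)
        print(f'{name}: allowed={ok} ({why})')
```

Run stand-alone it prints one line per token: the project-scoped credentials are rejected by the scope check before the role is ever consulted, and the system-scoped credentials pass. The practical check for a report like this one is therefore `openstack token issue` with the system-scope environment set: the response must not carry a `project_id`, and the nova log line should then show `'system_scope': 'all'`.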