yahoo-eng-team team mailing list archive

[Alex Kavanagh <2017695@xxxxxxxxxxxxxxxxxx>]

Re-assigning to the keystone identity package.

** Also affects: keystone
   Importance: Undecided
       Status: New

** Changed in: keystone (Juju Charms Collection)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2017695

Title:
  User assigned admin role gets 403 when querying various object types.

Status in OpenStack Identity (keystone):
  Incomplete
Status in keystone package in Juju Charms Collection:
  Invalid

Bug description:
  Our users, having been assigned admin role on domain and projects in
  that domain we're unable to query certain things via the openstack
  CLI.  Ex:

  $ openstack user list
  You are not authorized to perform the requested action: identity:list_users. (HTTP 403) (Request-ID: req-0c479c91-636d-4b74-b4d1-d18bd1ca4761)
  $ openstack group list
  You are not authorized to perform the requested action: identity:list_groups. (HTTP 403) (Request-ID: req-c10c217b-a730-4b8c-90f2-daad2d9dc4cb)
  $ openstack domain list
  You are not authorized to perform the requested action: identity:list_domains. (HTTP 403) (Request-ID: req-5b1d5007-f9dd-4149-bc1c-182f7a0c88b2)
  $ openstack role assignment list
  You are not authorized to perform the requested action: identity:list_role_assignments. (HTTP 403) (Request-ID: req-a10ff2cb-cb24-4447-b962-6e8b6bd8afd9)

  I can view projects however... which is interesting. Our users are
  granted admin on the domain and projects via group membership.

  We're running keystone 17.0.1 in Ussuri.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2017695/+subscriptions