yahoo-eng-team team mailing list archive

[Alex Kavanagh <2017695@xxxxxxxxxxxxxxxxxx>]

** Also affects: charm-keystone
   Importance: Undecided
       Status: New

** Changed in: keystone
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2017695

Title:
  User assigned admin role gets 403 when querying various object types.

Status in OpenStack Keystone Charm:
  New
Status in OpenStack Identity (keystone):
  Invalid
Status in keystone package in Juju Charms Collection:
  Invalid

Bug description:
  Our users, having been assigned admin role on domain and projects in
  that domain we're unable to query certain things via the openstack
  CLI.  Ex:

  $ openstack user list
  You are not authorized to perform the requested action: identity:list_users. (HTTP 403) (Request-ID: req-0c479c91-636d-4b74-b4d1-d18bd1ca4761)
  $ openstack group list
  You are not authorized to perform the requested action: identity:list_groups. (HTTP 403) (Request-ID: req-c10c217b-a730-4b8c-90f2-daad2d9dc4cb)
  $ openstack domain list
  You are not authorized to perform the requested action: identity:list_domains. (HTTP 403) (Request-ID: req-5b1d5007-f9dd-4149-bc1c-182f7a0c88b2)
  $ openstack role assignment list
  You are not authorized to perform the requested action: identity:list_role_assignments. (HTTP 403) (Request-ID: req-a10ff2cb-cb24-4447-b962-6e8b6bd8afd9)

  I can view projects however... which is interesting. Our users are
  granted admin on the domain and projects via group membership.

  We're running keystone 17.0.1 in Ussuri.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-keystone/+bug/2017695/+subscriptions