
yahoo-eng-team team mailing list archive

[Bug 2065743] [NEW] CLI arguments for rbac create are misleading and possibly incorrect

 

Public bug reported:

On a yoga install of openstack, I can run the following command as a user
with the member role in projectA, which is in domain DOM:

  openstack network rbac create --target-project projectB --target-project-domain DOM --action access_as_shared --type security_group my-security-group

The user doesn't have any role for project projectB but can successfully
create an rbac for it. However, when I see the fields of the rbac, I
see:

  | target_project_id | projectB                  |

The RBAC then fails to work as expected, because this is not an ID. If,
instead, I create the rbac using an explicit ID of the project, then the
RBAC behaves as expected.

From what I understand, the user cannot see "projectB" so there is no
way for the CLI to look up its ID. However, I would expect the CLI in
this case to reply:

  "Cannot create rbac from name without permissions to list projects. Please use an ID instead"

I note that if I use a user who is allowed to list projects, then when I
create an rbac, the ID of the project appears in the fields of the rbac.

This bug is somewhat related to
https://bugs.launchpad.net/neutron/+bug/1649909. The difference is that
here we are not trying to create a "domain-scoped" rbac, but the
confusion surrounding the `--target-project-domain` argument is still a
problem.

** Affects: neutron
     Importance: Undecided
         Status: New

** Affects: python-openstackclient
     Importance: Undecided
         Status: New

** Project changed: neutron => python-openstackclient

** Also affects: neutron
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2065743

Title:
  CLI arguments for rbac create are misleading and possibly incorrect

Status in neutron:
  New
Status in python-openstackclient:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2065743/+subscriptions
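
An added example, not part of the original report and not python-openstackclient code: a Python audit that flags RBAC entries whose `target_project_id` holds a name instead of an ID, as with `projectB` above. The record layout, the 32-hex-character project ID format, the `*` wildcard and all function names are assumptions, and the sample records are constructed.

```python
import re

# Assumption: project IDs use Keystone's default format (32 lowercase hex chars).
PROJECT_ID_RE = re.compile(r"[0-9a-f]{32}")
# Assumption: "*" is the RBAC target meaning "all projects".
WILDCARD = "*"


def classify_target(target, known_project_ids=None):
    """Classify a target_project_id as 'ok', 'wildcard', 'not-an-id' or 'unknown-id'."""
    if target == WILDCARD:
        return "wildcard"
    if not PROJECT_ID_RE.fullmatch(target):
        return "not-an-id"  # e.g. a project name stored verbatim
    if known_project_ids is not None and target not in known_project_ids:
        return "unknown-id"  # well-formed, but absent from the project inventory
    return "ok"


def audit_rbac(policies, known_project_ids=None):
    """Return (rbac id, target, verdict) for every entry that cannot match a project."""
    findings = []
    for policy in policies:
        target = policy["target_project_id"]
        verdict = classify_target(target, known_project_ids)
        if verdict in ("not-an-id", "unknown-id"):
            findings.append((policy["id"], target, verdict))
    return findings


# Constructed sample records (hypothetical IDs), shaped like the fields in the report.
SAMPLE_POLICIES = [
    {"id": "rbac-1", "object_type": "security_group",
     "action": "access_as_shared", "target_project_id": "projectB"},
    {"id": "rbac-2", "object_type": "security_group",
     "action": "access_as_shared", "target_project_id": "0123456789abcdef0123456789abcdef"},
    {"id": "rbac-3", "object_type": "network",
     "action": "access_as_shared", "target_project_id": "*"},
    {"id": "rbac-4", "object_type": "network",
     "action": "access_as_shared", "target_project_id": "ffffffffffffffffffffffffffffffff"},
]
# Constructed inventory of project IDs, as an admin with list rights would collect it.
KNOWN_PROJECT_IDS = {"0123456789abcdef0123456789abcdef"}

if __name__ == "__main__":
    for rbac_id, target, verdict in audit_rbac(SAMPLE_POLICIES, KNOWN_PROJECT_IDS):
        print(f"{rbac_id}: target_project_id={target!r} -> {verdict}")
```

Without an inventory (`known_project_ids=None`) only the format check runs, which is the check a user who cannot list projects is able to perform.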


