Message #94066
[Bug 2065743] Re: CLI arguments for rbac create are misleading and possibly incorrect
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2065743
Title:
CLI arguments for rbac create are misleading and possibly incorrect
Status in neutron:
Fix Released
Status in python-openstackclient:
Opinion
Bug description:
On a Yoga install of OpenStack, I can run the following command as a
user with the member role in projectA, which is in domain DOM:

    openstack network rbac create --target-project projectB --target-project-domain DOM --action access_as_shared --type security_group my-security-group

The user doesn't have any role for project projectB but can
successfully create an rbac for it. However, when I see the fields of
the rbac, I see:
| target_project_id | projectB |
The RBAC then fails to work as expected, because this is not an ID.
If, instead, I create the rbac using an explicit ID of the project,
then the RBAC behaves as expected.
From what I understand, the user cannot see "projectB" so there is no
way for the CLI to look up its ID. However, I would expect the CLI in
this case to reply:
"Cannot create rbac from name without permissions to list projects.
Please use an ID instead"
I note that if I use a user who is allowed to list projects, then when I
create an rbac, the ID of the project appears in the fields of the
rbac.
This bug is somewhat related to
https://bugs.launchpad.net/neutron/+bug/1649909. The difference is
that here we are not trying to create a "domain-scoped" rbac, but the
confusion surrounding the `--target-project-domain` argument is still
a problem.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2065743/+subscriptions
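
An audit for the failure mode described in this report, where an RBAC entry ends up with a project name in target_project_id and silently grants nothing. This is an added example, not code from neutron or python-openstackclient. It assumes project IDs are the 32-character hex strings Keystone generates by default; the sample records, the function names and the known-ID set are constructed for illustration.

```python
import re

# Assumption: project IDs are 32 lowercase hex characters (Keystone default).
# "*" is the wildcard target that shares the object with every project.
PROJECT_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def is_plausible_target(value):
    """True if value is the wildcard or has the shape of a project ID."""
    return value == "*" or bool(PROJECT_ID_RE.match(value))


def audit_rbac(policies, known_project_ids=None):
    """Return (policy_id, target, reason) for entries that cannot work.

    policies: list of dicts with at least "id" and "target_project_id".
    known_project_ids: optional set of IDs from an account that is allowed
    to list projects; when given, well-formed but unknown IDs are flagged too.
    """
    findings = []
    for policy in policies:
        target = policy.get("target_project_id", "")
        if not is_plausible_target(target):
            findings.append((policy["id"], target, "target is not an ID"))
        elif (known_project_ids is not None and target != "*"
              and target not in known_project_ids):
            findings.append((policy["id"], target, "unknown project ID"))
    return findings


# Constructed sample records; the first mirrors the entry from the report.
SAMPLE_POLICIES = [
    {"id": "rbac-1", "object_type": "security_group",
     "action": "access_as_shared", "target_project_id": "projectB"},
    {"id": "rbac-2", "object_type": "security_group",
     "action": "access_as_shared",
     "target_project_id": "0123456789abcdef0123456789abcdef"},
    {"id": "rbac-3", "object_type": "network",
     "action": "access_as_shared", "target_project_id": "*"},
    {"id": "rbac-4", "object_type": "network",
     "action": "access_as_shared",
     "target_project_id": "fedcba9876543210fedcba9876543210"},
]

if __name__ == "__main__":
    for finding in audit_rbac(SAMPLE_POLICIES):
        print(finding)
```
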