yahoo-eng-team team mailing list archive
Message #95641
[Bug 2105988] [NEW] domain manager role does not work (Dalmatian)
Public bug reported:
As the documentation of the latest OpenStack Dalmatian (2024.2 as of writing)
in references 1 and 2 suggests, the manager role does not function as
intended.
Steps to reproduce:
Debian Bookworm 12 installation on a VM or bare metal.
Reproduced with both:
- OpenStack installed from the Debian osbpo repository with Dalmatian 2024.2 packages
- Out-of-the-box installation with DevStack in a Debian Bookworm VM (running the standard devstack script).
Below I am illustrating the problem with the DevStack installation. I have not
customised the service configurations.
Expected result:
When a user is configured as a manager in a domain, they should be able to:
- List, assign roles within the domain and revoke them
- Create project, delete project within a domain
- List users, create users, delete users
- List groups, create groups, delete groups
As admin, listing role assignments:
+-------------+-------------------------+-------------------+----------------------------+---------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+-------------+-------------------------+-------------------+----------------------------+---------+--------+-----------+
| service | glance@Default | | service@Default | | | False |
| anotherrole | alt_demo@Default | | alt_demo@Default | | | False |
| admin | alt_demo@Default | | alt_demo@Default | | | False |
| anotherrole | demo@Default | | demo@Default | | | False |
| member | demo@Default | | demo@Default | | | False |
| member | demo@Default | | invisible_to_admin@Default | | | False |
| member | alt_demo_member@Default | | alt_demo@Default | | | False |
| service | gnocchi@Default | | service@Default | | | False |
| admin | admin@Default | | demo@Default | | | False |
| member | admin@Default | | demo_child@Default | | | False |
| admin | admin@Default | | admin@Default | | | False |
| member | manauser@Domainb | | managerproj@Domainb | | | False |
| reader | demo_reader@Default | | demo@Default | | | False |
| admin | nova@Default | | service@Default | | | False |
| service | nova@Default | | service@Default | | | False |
| admin | ceilometer@Default | | service@Default | | | False |
| service | ceilometer@Default | | service@Default | | | False |
| admin | placement@Default | | service@Default | | | False |
| service | placement@Default | | service@Default | | | False |
| service | neutron@Default | | service@Default | | | False |
| service | cinder@Default | | service@Default | | | False |
| reader | alt_demo_reader@Default | | alt_demo@Default | | | False |
| admin | aodh@Default | | service@Default | | | False |
| service | aodh@Default | | service@Default | | | False |
| admin | | admins@Default | admin@Default | | | False |
| anotherrole | | nonadmins@Default | alt_demo@Default | | | False |
| member | | nonadmins@Default | alt_demo@Default | | | False |
| anotherrole | | nonadmins@Default | demo@Default | | | False |
| member | | nonadmins@Default | demo@Default | | | False |
| admin | admin@Default | | | Default | | False |
| manager | manauser@Domainb | | | Domainb | | False |
| reader | glance@Default | | | | all | False |
| admin | admin@Default | | | | all | False |
| reader | system_reader@Default | | | | all | False |
| member | system_member@Default | | | | all | False |
+-------------+-------------------------+-------------------+----------------------------+---------+--------+-----------+
With the manauser openrc sourced, running the following commands:
openstack project list
+----------------------------------+-------------+
| ID | Name |
+----------------------------------+-------------+
| 8c648ab677c74acbba7688ba43266e65 | managerproj |
+----------------------------------+-------------+
stack@localhost:~/devstack$ openstack user list --domain Domainb
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/domains?name=Domainb, You are not authorized to perform the requested action: identity:list_domains.
stack@localhost:~/devstack$ openstack user list --domain Domainb --project managerproj
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/domains?name=Domainb, You are not authorized to perform the requested action: identity:list_domains.
stack@localhost:~/devstack$ openstack user create --domain Domainb test
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/domains?name=Domainb, You are not authorized to perform the requested action: identity:list_domains.
stack@localhost:~/devstack$ openstack project create --domain Domainb test
You are not authorized to perform the requested action: identity:create_project. (HTTP 403) (Request-ID: req-00ade0f4-b035-42f1-b628-78e09fee679d)
stack@localhost:~/devstack$ openstack group create --domain Domainb test
You are not authorized to perform the requested action: identity:create_group. (HTTP 403) (Request-ID: req-fb8dc2aa-a279-4b84-a4ca-86cec2b205fd)
stack@localhost:~/devstack$ openstack role assignment list --domain Domainb
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/role_assignments?scope.domain.id=Domainb, You are not authorized to perform the requested action: identity:list_role_assignments.
[1.] https://docs.openstack.org/keystone/latest/user/domain-manager-usage.html
[2.] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2105988
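The transcript above mixes two different kinds of 403. For the three `user` commands the denied policy target is `identity:list_domains` at `GET /v3/domains?name=Domainb`, which is the client resolving the domain name to an ID before the real request is sent, so those lines do not yet show whether `identity:list_users` or `identity:create_user` would be granted to the domain manager. For `project create`, `group create` and `role assignment list` the denied target is the operation itself. The script below is an added example, not code from the bug report or from keystone: it parses a constructed copy of the transcript and, for each command, reports whether the denial happened at the name lookup or at the operation. The `OPERATION_TARGET` table maps each CLI operation to the keystone policy target it must pass; the `identity:list_users` and `identity:create_user` entries are keystone's target names for those operations and are assumed here, since they do not appear in the report.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the prompted commands and 403 responses from the bug report.
TRANSCRIPT = """\
stack@localhost:~/devstack$ openstack user list --domain Domainb
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/domains?name=Domainb, You are not authorized to perform the requested action: identity:list_domains.
stack@localhost:~/devstack$ openstack user list --domain Domainb --project managerproj
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/domains?name=Domainb, You are not authorized to perform the requested action: identity:list_domains.
stack@localhost:~/devstack$ openstack user create --domain Domainb test
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/domains?name=Domainb, You are not authorized to perform the requested action: identity:list_domains.
stack@localhost:~/devstack$ openstack project create --domain Domainb test
You are not authorized to perform the requested action: identity:create_project. (HTTP 403) (Request-ID: req-00ade0f4-b035-42f1-b628-78e09fee679d)
stack@localhost:~/devstack$ openstack group create --domain Domainb test
You are not authorized to perform the requested action: identity:create_group. (HTTP 403) (Request-ID: req-fb8dc2aa-a279-4b84-a4ca-86cec2b205fd)
stack@localhost:~/devstack$ openstack role assignment list --domain Domainb
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/role_assignments?scope.domain.id=Domainb, You are not authorized to perform the requested action: identity:list_role_assignments.
"""

PROMPT = "stack@localhost:~/devstack$ "
VERBS = {"list", "create", "delete", "show", "set", "add", "remove"}
TARGET_RE = re.compile(r"requested action: (identity:[a-z_]+)")
URL_RE = re.compile(r"for url: (\S+?),")

# Policy target the operation itself must pass. The three targets that appear
# in the report are copied from it; list_users and create_user are assumed.
OPERATION_TARGET = {
    ("user", "list"): "identity:list_users",
    ("user", "create"): "identity:create_user",
    ("project", "create"): "identity:create_project",
    ("group", "create"): "identity:create_group",
    ("role assignment", "list"): "identity:list_role_assignments",
}


def parse_command(cmd):
    """Split 'openstack <noun words> <verb> <args>' into (noun, verb)."""
    words = cmd.split()
    if not words or words[0] != "openstack":
        raise ValueError("not an openstack command: " + cmd)
    noun = []
    for word in words[1:]:
        if word in VERBS:
            return " ".join(noun), word
        noun.append(word)
    raise ValueError("no verb found in: " + cmd)


def classify(transcript):
    """Pair each prompted command with its response and locate the denial."""
    results = []
    lines = transcript.splitlines()
    i = 0
    while i < len(lines):
        if not lines[i].startswith(PROMPT):
            i += 1
            continue
        cmd = lines[i][len(PROMPT):]
        response = lines[i + 1] if i + 1 < len(lines) else ""
        noun, verb = parse_command(cmd)
        expected = OPERATION_TARGET.get((noun, verb))
        target = TARGET_RE.search(response)
        denied = target.group(1) if target else None
        url = URL_RE.search(response)
        path = urlparse(url.group(1)).path if url else None
        if denied is None:
            stage = "allowed"      # no policy denial in the response
        elif denied == expected:
            stage = "operation"    # policy rejected the requested operation itself
        else:
            stage = "lookup"       # rejected earlier, e.g. resolving a name to an ID
        results.append({"command": cmd, "expected": expected, "denied": denied,
                        "path": path, "stage": stage})
        i += 2
    return results


def undetermined_targets(results):
    """Operation targets never reached because a lookup was denied first."""
    return sorted({r["expected"] for r in results
                   if r["stage"] == "lookup" and r["expected"]})


if __name__ == "__main__":
    rows = classify(TRANSCRIPT)
    for r in rows:
        print(f"{r['stage']:<9} denied={r['denied']:<33} path={r['path']}  {r['command']}")
    print("not yet tested by this transcript:", undetermined_targets(rows))
```

Run against the transcript, the first three rows come out as `lookup` denials on `/identity/v3/domains` and the last three as `operation` denials, and `undetermined_targets` reports `identity:create_user` and `identity:list_users` as not yet exercised. When reproducing, passing the domain's ID instead of its name to `--domain` skips the name lookup and lets the user operations reach their own policy check, which separates a lookup-policy gap from a gap in the domain manager rules themselves.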