
yahoo-eng-team team mailing list archive

[Bug 2105988] [NEW] domain manager role does not work (Dalmatian)


Public bug reported:

As the documentation of the latest OpenStack Dalmatian (2024.2 as of writing)
in references 1 and 2 suggests, the manager role does not function as
intended.

Steps to reproduce:

Debian Bookworm 12 installation on a VM or bare metal.
Reproduced with both:
- OpenStack installed from the Debian osbpo repository with Dalmatian 2024.2 packages
- Out-of-the-box installation with Devstack on a Debian Bookworm VM (running the standard devstack script).

Below I am illustrating the problem with the devstack installation. I have not
customised service configurations.

Expected result:
When a user is configured as a manager in a domain, they should be able to:

- List, assign roles within the domain and revoke them
- Create project, delete project within a domain
- List users, create users, delete users
- List groups, create groups, delete groups

As admin, listing role assignments:
+-------------+-------------------------+-------------------+----------------------------+---------+--------+-----------+
| Role        | User                    | Group             | Project                    | Domain  | System | Inherited |
+-------------+-------------------------+-------------------+----------------------------+---------+--------+-----------+
| service     | glance@Default          |                   | service@Default            |         |        | False     |
| anotherrole | alt_demo@Default        |                   | alt_demo@Default           |         |        | False     |
| admin       | alt_demo@Default        |                   | alt_demo@Default           |         |        | False     |
| anotherrole | demo@Default            |                   | demo@Default               |         |        | False     |
| member      | demo@Default            |                   | demo@Default               |         |        | False     |
| member      | demo@Default            |                   | invisible_to_admin@Default |         |        | False     |
| member      | alt_demo_member@Default |                   | alt_demo@Default           |         |        | False     |
| service     | gnocchi@Default         |                   | service@Default            |         |        | False     |
| admin       | admin@Default           |                   | demo@Default               |         |        | False     |
| member      | admin@Default           |                   | demo_child@Default         |         |        | False     |
| admin       | admin@Default           |                   | admin@Default              |         |        | False     |
| member      | manauser@Domainb        |                   | managerproj@Domainb        |         |        | False     |
| reader      | demo_reader@Default     |                   | demo@Default               |         |        | False     |
| admin       | nova@Default            |                   | service@Default            |         |        | False     |
| service     | nova@Default            |                   | service@Default            |         |        | False     |
| admin       | ceilometer@Default      |                   | service@Default            |         |        | False     |
| service     | ceilometer@Default      |                   | service@Default            |         |        | False     |
| admin       | placement@Default       |                   | service@Default            |         |        | False     |
| service     | placement@Default       |                   | service@Default            |         |        | False     |
| service     | neutron@Default         |                   | service@Default            |         |        | False     |
| service     | cinder@Default          |                   | service@Default            |         |        | False     |
| reader      | alt_demo_reader@Default |                   | alt_demo@Default           |         |        | False     |
| admin       | aodh@Default            |                   | service@Default            |         |        | False     |
| service     | aodh@Default            |                   | service@Default            |         |        | False     |
| admin       |                         | admins@Default    | admin@Default              |         |        | False     |
| anotherrole |                         | nonadmins@Default | alt_demo@Default           |         |        | False     |
| member      |                         | nonadmins@Default | alt_demo@Default           |         |        | False     |
| anotherrole |                         | nonadmins@Default | demo@Default               |         |        | False     |
| member      |                         | nonadmins@Default | demo@Default               |         |        | False     |
| admin       | admin@Default           |                   |                            | Default |        | False     |
| manager     | manauser@Domainb        |                   |                            | Domainb |        | False     |
| reader      | glance@Default          |                   |                            |         | all    | False     |
| admin       | admin@Default           |                   |                            |         | all    | False     |
| reader      | system_reader@Default   |                   |                            |         | all    | False     |
| member      | system_member@Default   |                   |                            |         | all    | False     |
+-------------+-------------------------+-------------------+----------------------------+---------+--------+-----------+

With the manauser openrc sourced, running the following commands:

openstack project list

+----------------------------------+-------------+
| ID                               | Name        |
+----------------------------------+-------------+
| 8c648ab677c74acbba7688ba43266e65 | managerproj |
+----------------------------------+-------------+
stack@localhost:~/devstack$ openstack user list --domain Domainb
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/domains?name=Domainb, You are not authorized to perform the requested action: identity:list_domains.

stack@localhost:~/devstack$ openstack user list --domain Domainb --project managerproj
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/domains?name=Domainb, You are not authorized to perform the requested action: identity:list_domains.

stack@localhost:~/devstack$ openstack user create --domain Domainb test
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/domains?name=Domainb, You are not authorized to perform the requested action: identity:list_domains.

stack@localhost:~/devstack$ openstack project create --domain Domainb test
You are not authorized to perform the requested action: identity:create_project. (HTTP 403) (Request-ID: req-00ade0f4-b035-42f1-b628-78e09fee679d)

stack@localhost:~/devstack$ openstack group create --domain Domainb test
You are not authorized to perform the requested action: identity:create_group. (HTTP 403) (Request-ID: req-fb8dc2aa-a279-4b84-a4ca-86cec2b205fd)

stack@localhost:~/devstack$ openstack role assignment list --domain Domainb
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/role_assignments?scope.domain.id=Domainb, You are not authorized to perform the requested action: identity:list_role_assignments.

[1.] https://docs.openstack.org/keystone/latest/user/domain-manager-usage.html
[2.] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2105988


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2105988/+subscriptions
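The probe below is an added example for reproducing the report through the Keystone v3 API directly; it is not the reporter's code nor part of Keystone. It assumes the endpoint shown in the report's error messages and takes the domain ID and a token as placeholders you supply from your own deployment. Two things the report's output makes worth checking: the assignments table grants `manager` at domain scope (Domainb) but `member` only at project scope (managerproj), and the page does not show which scope the sourced openrc requests, so the probe first validates that the token it was given is domain-scoped and carries `manager`; and the first three 403s in the report are raised on the CLI's name lookup (`GET /v3/domains?name=Domainb`, target `identity:list_domains`) before the user call is ever made, so the probe calls the user, group, project and role-assignment APIs by domain ID and tests the name lookup as a separate item. Whether the new policy defaults that include the manager persona are in force also depends on the `[oslo_policy] enforce_new_defaults` setting in keystone.conf, which the report does not show.

```python
"""Probe the Keystone v3 operations the domain-manager documentation lists,
using an explicitly domain-scoped token, and report which policy target
denies each one. Standard library only; the HTTP transport is a parameter
so the logic can be exercised offline against a fake."""
import json
import re
import urllib.error
import urllib.request

# Assumed deployment values: the endpoint is the one in the report; the
# domain ID and token are placeholders taken from your own deployment
# (e.g. `openstack token issue` with OS_DOMAIN_NAME set and no project scope).
KEYSTONE_URL = "http://192.168.122.141/identity"
DOMAIN_NAME = "Domainb"
DOMAIN_ID = "<id-of-Domainb>"
TOKEN = "<domain-scoped-token-for-manauser>"

POLICY_TARGET = re.compile(r"identity:[a-z_]+")


def urllib_transport(method, url, headers, body=None):
    """Send one request; return (status, response headers, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=dict(headers))
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, dict(resp.headers), (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            payload = json.loads(raw) if raw else None
        except ValueError:
            payload = None
        return err.code, dict(err.headers), payload


def token_scope(transport, base, token):
    """Validate the token against itself (GET /v3/auth/tokens) and return
    (scope kind, sorted role names). A domain-manager token must be domain-scoped
    with 'manager' among its roles; a project openrc yields project roles only."""
    headers = {"X-Auth-Token": token, "X-Subject-Token": token}
    status, _, body = transport("GET", f"{base}/v3/auth/tokens", headers)
    if status != 200 or not body:
        return None, []
    tok = body["token"]
    scope = next((kind for kind in ("domain", "project", "system") if kind in tok), "unscoped")
    return scope, sorted(r["name"] for r in tok.get("roles", []))


def denied_target(payload):
    """Extract the 'identity:...' policy target from a Keystone 403 error body."""
    message = ""
    if isinstance(payload, dict):
        message = payload.get("error", {}).get("message", "")
    match = POLICY_TARGET.search(message)
    return match.group(0) if match else None


def probe_operations(domain_name, domain_id):
    """(label, method, path, body) for the report's commands. The first entry is
    the name->ID lookup the CLI performs for --domain <name>."""
    return [
        ("resolve domain by name", "GET", f"/v3/domains?name={domain_name}", None),
        ("list users in domain", "GET", f"/v3/users?domain_id={domain_id}", None),
        ("list groups in domain", "GET", f"/v3/groups?domain_id={domain_id}", None),
        ("list projects in domain", "GET", f"/v3/projects?domain_id={domain_id}", None),
        ("list role assignments in domain", "GET",
         f"/v3/role_assignments?scope.domain.id={domain_id}", None),
        ("create user in domain", "POST", "/v3/users",
         {"user": {"name": "probe-user", "domain_id": domain_id}}),
        ("create project in domain", "POST", "/v3/projects",
         {"project": {"name": "probe-project", "domain_id": domain_id}}),
        ("create group in domain", "POST", "/v3/groups",
         {"group": {"name": "probe-group", "domain_id": domain_id}}),
    ]


def run_probe(transport, base, token, domain_name, domain_id):
    """Run every operation; return {label: (status, denied policy target or None)}.
    Anything a create call succeeded in making is deleted again."""
    headers = {"X-Auth-Token": token}
    results = {}
    for label, method, path, body in probe_operations(domain_name, domain_id):
        status, _, payload = transport(method, base + path, headers, body)
        results[label] = (status, denied_target(payload))
        if method == "POST" and status == 201 and payload:
            kind = next(iter(body))  # "user", "project" or "group"
            transport("DELETE", f"{base}/v3/{kind}s/{payload[kind]['id']}", headers)
    return results


def denied(results):
    """Only the refused operations, each with the policy target Keystone named."""
    return {label: target for label, (status, target) in results.items() if status == 403}


if __name__ == "__main__":
    scope, roles = token_scope(urllib_transport, KEYSTONE_URL, TOKEN)
    print(f"token scope: {scope}  roles: {roles}")
    for label, (status, target) in run_probe(
            urllib_transport, KEYSTONE_URL, TOKEN, DOMAIN_NAME, DOMAIN_ID).items():
        print(f"{status}  {label:<32} {target or ''}")
```

If the scope line prints `project` rather than `domain`, the token was not requested at the scope the `manager` assignment lives at and none of the domain-manager policies can match; if it prints `domain` with `manager` and the operations still return 403 naming the same targets as the report, the denial comes from the policy defaults in force on the server, which is where the bug report's claim should be verified.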