yahoo-eng-team team mailing list archive
Message #95825
[Bug 2109989] [NEW] domain admin cannot create new projects
Public bug reported:
OpenStack Caracal on Jammy
Steps to reproduce:
- While logged in as admin@admin_domain via CLI, create a new domain -- local authentication is fine
- While logged in as admin@admin_domain via CLI, create a new user in that domain
- While logged in as admin@admin_domain via CLI, add the role Admin to that new user in that new domain (the domain itself, not a project)
Now:
- Log in to the new user and domain via Horizon and try to create a new project -- it works
- Log in to the new user and domain via CLI and try to create a new project -- it fails
It was expected that the CLI would also work.
We noticed that Horizon and Keystone are not using the exact same
policy.json and there are differences that may be significant.
---
More details:
(source the admin@admin_domain credentials)
$ openstack domain create test_policy
$ openstack user create --domain test_policy --password ubuntu test_math
$ openstack role add --user test_math --user-domain test_policy --domain test_policy Admin
(source the new user in a separate shell)
$ openstack project create test-matt
[...]
keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:create_project. (HTTP 403) (Request-ID: req-xxxx)
** Affects: keystone
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2109989
Title:
domain admin cannot create new projects
Status in OpenStack Identity (keystone):
New
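Added example (not part of the original bug report, and not Keystone or Horizon code): one way to check whether two policy.json files really authorize identity:create_project differently is to inline every rule:<alias> reference before comparing, because two files can carry the same literal check string while defining the alias differently. The two policies below are constructed samples, and the names POLICY_A, POLICY_B, expand and diff_policies are hypothetical.

```python
import json
import re

# Matches oslo.policy-style alias references such as "rule:admin_required".
RULE_REF = re.compile(r"\brule:([A-Za-z0-9_.:-]+)")

# Constructed sample files, NOT the real Keystone or Horizon policies.
POLICY_A = json.loads("""{
  "admin_required": "role:admin",
  "identity:create_project": "rule:admin_required",
  "identity:list_projects": "rule:admin_required",
  "identity:get_project": "project_id:%(target.project.id)s"
}""")
POLICY_B = json.loads("""{
  "admin_required": "role:admin or is_admin:1",
  "identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",
  "identity:list_projects": "rule:admin_required",
  "identity:get_project": "project_id:%(target.project.id)s"
}""")


def expand(policy, name, seen=()):
    """Return the check string for `name` with every rule:<alias> inlined."""
    if name in seen:
        raise ValueError("cyclic rule reference: " + " -> ".join(seen + (name,)))
    if name not in policy:
        return "<undefined:%s>" % name
    return RULE_REF.sub(
        lambda m: "(" + expand(policy, m.group(1), seen + (name,)) + ")",
        policy[name])


def diff_policies(a, b, prefix="identity:"):
    """Map rule name -> (effective check in a, in b) for rules that differ."""
    changed = {}
    for name in sorted(set(a) | set(b)):
        if name.startswith(prefix):
            ea, eb = expand(a, name), expand(b, name)
            if ea != eb:
                changed[name] = (ea, eb)
    return changed


if __name__ == "__main__":
    for rule, (in_a, in_b) in diff_policies(POLICY_A, POLICY_B).items():
        print(rule)
        print("  A:", in_a)
        print("  B:", in_b)
```

In the sample data identity:list_projects has the same literal string in both files and is still reported, because admin_required is defined differently; a plain textual diff of the rule line would miss that.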