yahoo-eng-team team mailing list archive

[Bug 2109989] [NEW] domain admin cannot create new projects

 

Public bug reported:


OpenStack Caracal on Jammy

Steps to reproduce:

- While logged in as admin@admin_domain via CLI, create a new domain -- local authentication is fine
- While logged in as admin@admin_domain via CLI, create a new user in that domain
- While logged in as admin@admin_domain via CLI, add the role Admin to that new user in that new domain (the domain itself, not a project)

Now:

- Log in to the new user and domain via Horizon and try to create a new project -- it works
- Log in to the new user and domain via CLI and try to create a new project -- it fails

It was expected that the CLI would also work.

We noticed that Horizon and Keystone are not using the exact same
policy.json and there are differences that may be significant.

---

More details:

(source the admin@admin_domain credentials)

$ openstack domain create test_policy
$ openstack user create --domain test_policy --password ubuntu test_math
$ openstack role add --user test_math --user-domain test_policy --domain test_policy Admin

(source the new user in a separate shell)

$ openstack project create test-matt
[...]
keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:create_project. (HTTP 403) (Request-ID: req-xxxx)

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2109989

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2109989/+subscriptions
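
The report observes that Horizon and Keystone do not use the same policy file. The following is an added example, not part of the original bug report and not Horizon or Keystone code: one way to compare two oslo.policy-style rule sets after inlining every `rule:NAME` reference, so that a difference hidden behind an alias still shows up for `identity:create_project`. The two sample policies are constructed for illustration and are not the real defaults of either service; the function names are hypothetical.

```python
import re

# Constructed sample policies (NOT the real Horizon/Keystone defaults); in
# practice load the two files with json.load() or yaml.safe_load().
HORIZON_POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:default",
    "identity:create_project": "rule:cloud_admin or "
        "(rule:admin_required and domain_id:%(target.project.domain_id)s)",
    "identity:list_projects": "rule:admin_required",
}
KEYSTONE_POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:default",
    "identity:create_project": "rule:cloud_admin",
    "identity:list_projects": "rule:admin_required",
}

# Matches a reference to another named rule inside a check string.
RULE_REF = re.compile(r"\brule:([A-Za-z0-9_:.\-]+)")

def expand(policy, name, seen=()):
    """Inline every rule:NAME reference so aliases cannot hide a difference."""
    if name in seen:
        raise ValueError(f"cyclic rule reference: {name}")
    if name not in policy:
        return f"<undefined:{name}>"
    body = " ".join(policy[name].split())  # normalise whitespace
    return RULE_REF.sub(
        lambda m: "(" + expand(policy, m.group(1), seen + (name,)) + ")", body)

def diff_policies(a, b):
    """Return {rule: (expanded_a, expanded_b)} for rules whose expansion differs."""
    out = {}
    for name in sorted(set(a) | set(b)):
        ea, eb = expand(a, name), expand(b, name)
        if ea != eb:
            out[name] = (ea, eb)
    return out

if __name__ == "__main__":
    for rule, (h, k) in diff_policies(HORIZON_POLICY, KEYSTONE_POLICY).items():
        print(f"{rule}\n  horizon : {h}\n  keystone: {k}")
```

A rule that appears in the output is one where the two services can reach different authorization decisions for the same token, which is the kind of mismatch the report suspects.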