yahoo-eng-team team mailing list archive
Message #96149
[Bug 2116750] [NEW] This does not work as expected with keystone 24.0.0. The 'admin' user of the project cannot assign the 'member' role to a user.
Public bug reported:

When a project admin attempts to either create a user with the 'member'
role or assign the 'member' role to a user, the following from
/etc/keystone/policy.yaml is not allowing this to happen...

  # Only allow users with the admin role to assign the 'member' role
  "identity:create_grant": "role:admin and target.role.name:member"

Instead the following error is returned:

  Jul 11 15:24:08 infra01 httpd[1485318]: [wsgi:error] [pid 1485318:tid 1485405] [remote xx.xxx.xx.xx:52600] Recoverable error: You are not authorized to perform the requested action: identity:create_grant. (HTTP 403) (Request-ID: req-33603d33-c386-49df-8901-59f718ae8559)

** Affects: keystone
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2116750