Activity log for bug #1989637

Date Who What changed Old value New value Message
2022-09-15 01:48:20 Linda Guo bug added bug
2022-09-15 01:50:35 Linda Guo description

Old value:

By default, only project admin is allowed to update quota, I tried to override neutron-api policy to allow a user with admin role on domain to set quota for network but it doesn't work. I am not sure if this is keystone bug or neutron-api bug

>> neutron-api override policy
"admin_required": "role:admin",
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s"
"get_quota": "rule: admin_and_matching_domain_id"
"update_quota": "rule: admin_and_matching_domain_id"
"delete_quota": "rule: admin_and_matching_domain_id"

'openstack quota set' returned error:
$ openstack quota set --floating-ips 51 1508ac11c7bb41378c09808a1acc8ad6
HttpException: 403: Client Error for url: https://10.5.3.191:9696/v2.0/quotas/1508ac11c7bb41378c09808a1acc8ad6, rule:update_quota is disallowed by policy

$ openstack role assignment list --names --user test-user
+--------+------------------------+-------+---------------------------+--------------+--------+-----------+
| Role   | User                   | Group | Project                   | Domain       | System | Inherited |
+--------+------------------------+-------+---------------------------+--------------+--------+-----------+
| member | test-user@admin_domain |       | test-project@admin_domain |              |        | False     |
| Admin  | test-user@admin_domain |       |                           | admin_domain |        | False     |
+--------+------------------------+-------+---------------------------+--------------+--------+-----------+

New value:

By default, only project admin is allowed to update quota, I tried to override neutron-api policy to allow a user with admin role on domain to set quota for network but it doesn't work.
I am not sure if this is keystone bug or neutron-api bug

>> neutron-api override policy
"admin_required": "role:admin",
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s"
"get_quota": "rule: admin_and_matching_domain_id"
"update_quota": "rule: admin_and_matching_domain_id"
"delete_quota": "rule: admin_and_matching_domain_id"

>>'openstack quota set' returned error:
$ openstack quota set --floating-ips 51 1508ac11c7bb41378c09808a1acc8ad6
HttpException: 403: Client Error for url: https://10.5.3.191:9696/v2.0/quotas/1508ac11c7bb41378c09808a1acc8ad6, rule:update_quota is disallowed by policy

>>user role assignment
$ openstack role assignment list --names --user test-user
+--------+------------------------+-------+---------------------------+--------------+--------+-----------+
| Role   | User                   | Group | Project                   | Domain       | System | Inherited |
+--------+------------------------+-------+---------------------------+--------------+--------+-----------+
| member | test-user@admin_domain |       | test-project@admin_domain |              |        | False     |
| Admin  | test-user@admin_domain |       |                           | admin_domain |        | False     |
+--------+------------------------+-------+---------------------------+--------------+--------+-----------+