2016-08-05 10:14:17 |
John Lin |
bug |
|
|
added bug |
2016-08-05 10:20:40 |
John Lin |
description |
Version: Mitaka
I updated my /etc/keystone/policy.json to policy.v3cloudsample.json [1]. Most functions works as expected.
However, when I wanted to list members in a group as a domain admin, an error occurred: "You are not authorized to perform the requested action: identity:list_users_in_group (HTTP 403)"
The reproduce steps are:
As cloud admin:
- openstack domain create taiwan # Assume the id of "taiwan" is "18eaa46db5324a129bac0cdbc48f9512"
- TAIWAN_DOMAIN_ID=18eaa46db5324a129bac0cdbc48f9512
- openstack user create --domain $TAIWAN_DOMAIN_ID --password 5ecret taiwan-president
- openstack role add --user taiwan-president --domain $TAIWAN_DOMAIN_ID admin
As taiwan-president:
- openstack group create --domain $TAIWAN_DOMAIN_ID indigenous
- openstack user create --domain $TAIWAN_DOMAIN_ID margaret
- openstack group add user --group-domain $TAIWAN_DOMAIN_ID --user-domain $TAIWAN_DOMAIN_ID indigenous margaret
- openstack user list --group indigenous --domain $TAIWAN_DOMAIN_ID
The rule for identity:list_users_in_group is rule:cloud_admin or rule:admin_and_matching_target_group_domain_id. I can successfully list group members if I changed it to rule:admin_required.
I can reproduce this issue in devstack.
[1] https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json |
Version: Mitaka
I updated my /etc/keystone/policy.json to policy.v3cloudsample.json [1]. Most functions works as expected.
However, when I wanted to list members in a group as a domain admin, an error occurred: "You are not authorized to perform the requested action: identity:list_users_in_group (HTTP 403)"
The reproduce steps are:
As cloud admin:
- openstack domain create taiwan # Assume the id of "taiwan" is "18eaa46db5324a129bac0cdbc48f9512"
- TAIWAN_DOMAIN_ID=18eaa46db5324a129bac0cdbc48f9512
- openstack user create --domain $TAIWAN_DOMAIN_ID --password 5ecret taiwan-president
- openstack role add --user taiwan-president --domain $TAIWAN_DOMAIN_ID admin
As taiwan-president:
- openstack group create --domain $TAIWAN_DOMAIN_ID indigenous
- openstack user create --domain $TAIWAN_DOMAIN_ID margaret
- openstack group add user --group-domain $TAIWAN_DOMAIN_ID --user-domain $TAIWAN_DOMAIN_ID indigenous margaret
- openstack user list --group indigenous --domain $TAIWAN_DOMAIN_ID
The last command will generate the 403 error.
The rule for identity:list_users_in_group is rule:cloud_admin or rule:admin_and_matching_target_group_domain_id. I can successfully list group members if I changed it to rule:admin_required.
I can reproduce this issue in devstack.
[1] https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json |
|
2016-08-05 10:20:49 |
John Lin |
description |
Version: Mitaka
I updated my /etc/keystone/policy.json to policy.v3cloudsample.json [1]. Most functions work as expected.
However, when I wanted to list members in a group as a domain admin, an error occurred: "You are not authorized to perform the requested action: identity:list_users_in_group (HTTP 403)"
The reproduce steps are:
As cloud admin:
- openstack domain create taiwan # Assume the id of "taiwan" is "18eaa46db5324a129bac0cdbc48f9512"
- TAIWAN_DOMAIN_ID=18eaa46db5324a129bac0cdbc48f9512
- openstack user create --domain $TAIWAN_DOMAIN_ID --password 5ecret taiwan-president
- openstack role add --user taiwan-president --domain $TAIWAN_DOMAIN_ID admin
As taiwan-president:
- openstack group create --domain $TAIWAN_DOMAIN_ID indigenous
- openstack user create --domain $TAIWAN_DOMAIN_ID margaret
- openstack group add user --group-domain $TAIWAN_DOMAIN_ID --user-domain $TAIWAN_DOMAIN_ID indigenous margaret
- openstack user list --group indigenous --domain $TAIWAN_DOMAIN_ID
The last command will generate the 403 error.
The rule for identity:list_users_in_group is rule:cloud_admin or rule:admin_and_matching_target_group_domain_id. I can successfully list group members if I changed it to rule:admin_required.
I can reproduce this issue in devstack.
[1] https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json |
|
2016-08-05 10:21:45 |
John Lin |
description |
Version: Mitaka
I updated my /etc/keystone/policy.json to policy.v3cloudsample.json [1]. Most functions work as expected.
However, when I wanted to list members in a group as a domain admin, an error occurred: "You are not authorized to perform the requested action: identity:list_users_in_group (HTTP 403)"
The reproduce steps are:
As cloud admin:
- openstack domain create taiwan # Assume the id of "taiwan" is "18eaa46db5324a129bac0cdbc48f9512"
- TAIWAN_DOMAIN_ID=18eaa46db5324a129bac0cdbc48f9512
- openstack user create --domain $TAIWAN_DOMAIN_ID --password 5ecret taiwan-president
- openstack role add --user taiwan-president --domain $TAIWAN_DOMAIN_ID admin
As taiwan-president:
- openstack group create --domain $TAIWAN_DOMAIN_ID indigenous
- openstack user create --domain $TAIWAN_DOMAIN_ID margaret
- openstack group add user --group-domain $TAIWAN_DOMAIN_ID --user-domain $TAIWAN_DOMAIN_ID indigenous margaret
- openstack user list --group indigenous --domain $TAIWAN_DOMAIN_ID
The last command will generate the 403 error.
The rule for "identity:list_users_in_group" is "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id". I can successfully list group members if I changed it to "rule:admin_required". But it's just a workaround.
I can reproduce this issue in devstack.
[1] https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json |
|
2016-08-08 08:32:05 |
John Lin |
marked as duplicate |
|
1433402 |
|