Public bug reported:

Steps to reproduce:

1) Get project-scoped token for admin user (using API: http://address:port/v3/auth/tokens) with header "Content-Type: application/json" and body

    {
      "auth": {
        "identity": {
          "methods": ["password"],
          "password": {
            "user": {
              "name": "admin",
              "domain": { "id": "default" },
              "password": "adminpwd"
            }
          }
        },
        "scope": {
          "project": {
            "name": "project_name",
            "domain": { "id": "default" }
          }
        }
      }
    }

2) Using token from step 1 (from header "X-Subject-Token") get the list of users (API: http://address:port/v3/users) with headers "Content-Type: application/json" and "X-Auth-Token: token_from_step_1"

Expected result: Admin with project-scoped should be able to list users

Actual result: Admin with project-scoped can't list users - there is a 401 HTTP code and the following response body

    {
      "error": {
        "message": "The request you have made requires authentication. (Disable debug mode to suppress these details.)",
        "code": 401,
        "title": "Unauthorized"
      }
    }

But admin with domain-scoped can list users.

In policy.json there is the following rule for list_users: "rule:admin_required"

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1503741

Title:
  Admin with project-scoped token unable to list of users (got 401 HTTP Code)

Status in Keystone:
  New