Reviewed:  https://review.openstack.org/248892
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=7f3158a6d4b5df78dfde9f281cf82dd6e4fe02f4
Submitter: Jenkins
Branch:    master

commit 7f3158a6d4b5df78dfde9f281cf82dd6e4fe02f4
Author: Priti Desai <[email protected]>
Date:   Mon Nov 23 11:59:07 2015 -0800

    Fix for GET project by project admin

    The issue is project admin in default policy file
    (policy.v3cloudsample.json) does not have access to get details of his
    project. This change updates the default policy file to let project
    administrators to retrieve their own project details.

    Change-Id: I60995db12a90c8ce6090099dee79ed1e5ee5caed
    Closes-Bug: 1418702

** Changed in: keystone
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1418702

Title:
  Project admin fails to list role assignments for his project with
  Project Scoped Token

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  I am facing issues listing role assignments as project administrator
  with project scoped token.

  OS_AUTH_URL=http://10.0.2.15:35357/v3
  OS_USERNAME=user-a
  OS_PASSWORD=password
  OS_USER_DOMAIN_NAME=domain-a
  OS_PROJECT_NAME=project-a
  OS_PROJECT_DOMAIN_NAME=domain-a
  OS_IDENTITY_API_VERSION=3

  $ openstack role assignment list --project=7c305333795944e48b54874c911c1c2b
  ERROR: openstack You are not authorized to perform the requested action: identity:list_projects (Disable debug mode to suppress these details.)
  (HTTP 403)

  Log messages from Keystone log file:

  [Thu Feb 05 19:16:00 2015] [error] Rule Method
  [Thu Feb 05 19:16:00 2015] [error] (rule:cloud_admin or rule:admin_and_matching_target_project_domain_id)
  [Thu Feb 05 19:16:00 2015] [error] Rule
  [Thu Feb 05 19:16:00 2015] [error] identity:get_project
  [Thu Feb 05 19:16:00 2015] [error] Target
  [Thu Feb 05 19:16:00 2015] [error] {'target.project.name': u'project-a', 'target.project.description': u'', 'target.project.enabled': True, 'project_id': u'7c305333795944e48b54874c911c1c2b', 'target.project.domain_id': u'b5da5584e14148f7a305e0f22a9b3a2c', 'target.project.id': u'7c305333795944e48b54874c911c1c2b'}
  [Thu Feb 05 19:16:00 2015] [error] Creds
  [Thu Feb 05 19:16:00 2015] [error] {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'77194b22fb6e4ac2839c1d93c46e82fd', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=M1_Jt5l9QteNWLSFSvMqPQ, audit_chain_id=M1_Jt5l9QteNWLSFSvMqPQ) at 0x7fbb86801f80>, 'project_id': u'7c305333795944e48b54874c911c1c2b', 'trust_id': None}
  [Thu Feb 05 19:16:00 2015] [error] self
  [Thu Feb 05 19:16:00 2015] [error] <keystone.openstack.common.policy.Enforcer object at 0x7fbb862d1090>
  [Thu Feb 05 19:16:00 2015] [error] 19584 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action: identity:get_project (Disable debug mode to suppress these details.)
  ....
  [Thu Feb 05 19:16:00 2015] [error] ***Rule Method
  [Thu Feb 05 19:16:00 2015] [error] ((rule:admin_required and domain_id:%(domain_id)s) or rule:cloud_admin)
  [Thu Feb 05 19:16:00 2015] [error] ***Rule
  [Thu Feb 05 19:16:00 2015] [error] identity:list_projects
  [Thu Feb 05 19:16:00 2015] [error] ***Target
  [Thu Feb 05 19:16:00 2015] [error] {'name': u'7c305333795944e48b54874c911c1c2b'}
  [Thu Feb 05 19:16:00 2015] [error] ***Creds
  [Thu Feb 05 19:16:00 2015] [error] {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'77194b22fb6e4ac2839c1d93c46e82fd', 'roles': [u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=M1_Jt5l9QteNWLSFSvMqPQ, audit_chain_id=M1_Jt5l9QteNWLSFSvMqPQ) at 0x7fbb867b92b0>, 'project_id': u'7c305333795944e48b54874c911c1c2b', 'trust_id': None}
  [Thu Feb 05 19:16:00 2015] [error] self
  [Thu Feb 05 19:16:00 2015] [error] <keystone.openstack.common.policy.Enforcer object at 0x7fbb86742f90>
  [Thu Feb 05 19:16:00 2015] [error] 19586 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action: identity:list_projects (Disable debug mode to suppress these details.)

  The issue is project admin in default policy file
  (policy.v3cloudsample.json) does not have access to get details of his
  project. Due to this, keystone assumes that the project does not
  exist, and tries to get the project listing which again fails.

  I updated the default policy file, letting project administrators get
  the project details.

  Updating:
  "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",

  To:
  "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or rule:admin_and_matching_target_project_id",
  "admin_and_matching_target_project_id": "rule:admin_required and project_id:%(target.project.id)s",

  With this change:

  $ openstack role assignment list --project=7c305333795944e48b54874c911c1c2b
  +----------------------------------+----------------------------------+-------+----------------------------------+--------+
  | Role                             | User                             | Group | Project                          | Domain |
  +----------------------------------+----------------------------------+-------+----------------------------------+--------+
  | 2a736f40308b4486b8006d09a8213620 | 77194b22fb6e4ac2839c1d93c46e82fd |       | 7c305333795944e48b54874c911c1c2b |        |
  +----------------------------------+----------------------------------+-------+----------------------------------+--------+

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1418702/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
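
The effect of the identity:get_project change in this report can be reproduced with a small evaluator, added here as an example; it is not keystone or oslo.policy code and handles only the rule syntax used in this report. The creds and target come from the identity:get_project log entry; the definitions of admin_required, cloud_admin and admin_and_matching_target_project_domain_id are assumptions, since the report does not show them.

```python
# Added illustration (not keystone/oslo.policy code): evaluates only the
# rule syntax used in this report: "rule:", "role:", attribute checks, and/or.

# Creds and target copied from the identity:get_project log entry in the report.
CREDS = {
    "user_id": "77194b22fb6e4ac2839c1d93c46e82fd",
    "roles": ["admin"],
    "project_id": "7c305333795944e48b54874c911c1c2b",  # project-scoped: no domain_id
}
TARGET = {
    "target.project.id": "7c305333795944e48b54874c911c1c2b",
    "target.project.domain_id": "b5da5584e14148f7a305e0f22a9b3a2c",
}

# Assumed definitions of the helper rules; the report does not show them.
BASE = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "admin_and_matching_target_project_domain_id":
        "rule:admin_required and domain_id:%(target.project.domain_id)s",
}
OLD_RULE = "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id"
BEFORE = {**BASE, "identity:get_project": OLD_RULE}
AFTER = {
    **BASE,
    "identity:get_project":
        OLD_RULE + " or rule:admin_and_matching_target_project_id",
    "admin_and_matching_target_project_id":
        "rule:admin_required and project_id:%(target.project.id)s",
}


def check(atom, rules, creds, target):
    """Evaluate one check, e.g. 'role:admin' or 'project_id:%(target.project.id)s'."""
    kind, _, match = atom.strip().partition(":")
    if kind == "rule":
        return enforce(match, rules, creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        wanted = match % target  # fill %(target...)s from the target dict
    except KeyError:
        return False  # target has no such attribute: deny
    return kind in creds and str(creds[kind]) == wanted


def enforce(name, rules, creds, target):
    """Allow if any 'or' branch has every 'and' check passing."""
    return any(all(check(a, rules, creds, target) for a in branch.split(" and "))
               for branch in rules[name].split(" or "))
```

With a project-scoped token the creds carry no domain_id, so both domain-based branches fail under the old rule; the new branch matches only when the token's project_id equals the target project's id and the admin role is present.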

