*** This bug is a duplicate of bug 1433402 ***
    https://bugs.launchpad.net/bugs/1433402

** This bug has been marked a duplicate of bug 1433402
   list users in group unauthorised with v3 policy

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1610166

Title:
  Cannot list group members with policy.v3cloudsample.json

Status in OpenStack Identity (keystone):
  New

Bug description:
  Version: Mitaka

  I updated my /etc/keystone/policy.json to policy.v3cloudsample.json
  [1]. Most functions work as expected.

  However, when I wanted to list members in a group as a domain admin,
  an error occurred: "You are not authorized to perform the requested
  action: identity:list_users_in_group (HTTP 403)"

  The steps to reproduce are:

  As cloud admin:
  - openstack domain create taiwan # Assume the id of "taiwan" is "18eaa46db5324a129bac0cdbc48f9512"
  - TAIWAN_DOMAIN_ID=18eaa46db5324a129bac0cdbc48f9512
  - openstack user create --domain $TAIWAN_DOMAIN_ID --password 5ecret taiwan-president
  - openstack role add --user taiwan-president --domain $TAIWAN_DOMAIN_ID admin
  As taiwan-president:
  - openstack group create --domain $TAIWAN_DOMAIN_ID indigenous
  - openstack user create --domain $TAIWAN_DOMAIN_ID margaret
  - openstack group add user --group-domain $TAIWAN_DOMAIN_ID --user-domain $TAIWAN_DOMAIN_ID indigenous margaret
  - openstack user list --group indigenous --domain $TAIWAN_DOMAIN_ID

  The last command will generate the 403 error.

  The rule for "identity:list_users_in_group" is "rule:cloud_admin or
  rule:admin_and_matching_target_group_domain_id". I can successfully
  list group members if I change it to "rule:admin_required". But it's
  just a workaround.

  I can reproduce this issue in devstack.

  [1] https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json

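The rule quoted in the report and the "rule:admin_required" workaround, compared in an added example that is not part of the bug report or of keystone's code. The evaluator is a simplified stand-in for the policy engine, the rule bodies marked "assumed" are modelled on policy.v3cloudsample.json rather than quoted in the report, and the "outsider" credentials are constructed.

```python
# Added example: tiny evaluator for the policy-rule subset used in this report
# ("and"/"or" without parentheses, rule:, role:, and credential:value checks).
# Rule bodies marked "assumed" are modelled on policy.v3cloudsample.json and
# are not quoted in the report; compare them with your own copy of the file.
RULES = {
    "admin_required": "role:admin",                                      # assumed
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",  # assumed
    "admin_and_matching_target_group_domain_id":                         # assumed
        "rule:admin_required and domain_id:%(target.group.domain_id)s",
    # The next two strings are quoted in the report.
    "sample": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
    "workaround": "rule:admin_required",
}

def _atom(atom, creds, target):
    kind, match = atom.strip().split(":", 1)
    if kind == "rule":
        return check(RULES[match], creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        expected = match % target   # fills %(target.group.domain_id)s
    except KeyError:
        return False                # target attribute not supplied: deny
    return creds.get(kind) == expected

def check(rule, creds, target):
    """True if any 'or' branch has all of its 'and' terms satisfied."""
    return any(all(_atom(a, creds, target) for a in branch.split(" and "))
               for branch in rule.split(" or "))

TAIWAN = "18eaa46db5324a129bac0cdbc48f9512"            # domain id from the report
president = {"roles": ["admin"], "domain_id": TAIWAN}  # domain-scoped admin
outsider = {"roles": ["admin"], "domain_id": "constructed-other-domain"}
with_group = {"target.group.domain_id": TAIWAN}        # group "indigenous"
no_group = {}                                          # group domain not supplied

def compare():
    cases = {"president": (president, with_group),
             "president/no target": (president, no_group),
             "outsider": (outsider, with_group)}
    return {name: {r: check(RULES[r], c, t) for r in ("sample", "workaround")}
            for name, (c, t) in cases.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:22} {result}")
```

Under these assumed rule bodies, the sample rule denies the domain admin only when target.group.domain_id is absent from the target, while the workaround also authorizes an admin scoped to a different domain. The example shows what each rule depends on; it does not establish the cause of the 403 in the report.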