python-openstackclient

CLI doesn't provide possibility to point query string v3

Bug #1274343 reported by Sergii Kashaba
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-openstackclient
Fix Released
Low
Unassigned

Bug Description

I tried to run few commands with the keystone setup for V3 API.
Setup description:
0. Havana release.
1. http://127.0.0.1:35357/v3 and http://127.0.0.1:5000/v3 as an endpoints for identity service
2. https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json as a policy.json for keystone
3. Created domain 'example'
4. Created project 'example_project' in 'example' domain
4. Added user 'example_admin' and assigned him with an admin for 'example' domain

Using recent fix for https://bugs.launchpad.net/python-openstackclient/+bug/1198171 I was able to get token with a domain level scope, but it's still impossible to run project list and user list commands.

The reason is that the only way to run those commands is to put '?domain_id=XXXXXXXXXXXXX' to the URL. There is no such an option for these operations.
Could we add parameter to specify query string to be used for final CURL?
Also this can be more general issue considering the search mechanism used when you pass project/user names instead uuids.

Steps:
CLI commands that was run in order to prepare an environmen:
#create domain
openstack --os-identity-api-version 3 --os-url http://127.0.0.1:35357/v3 --os-token XXXX domain create example
#here I create user in a default domain. Because an LDAP is using as a source for auth
openstack --os-identity-api-version 3 --os-url http://127.0.0.1:35357/v3 --os-token XXXX user create --password qwerty example_admin
openstack --os-identity-api-version 3 --os-url http://127.0.0.1:35357/v3 --os-token XXXX project create --domain example example_project
And finally try to get project list
openstack -vvv --debug --os-identity-api-version 3 --os-domain-name example --os-username example_admin --os-user-domain-name default --os-password qwerty project list
>>Forbidden: You are not authorized to perform the requested action, identity:list_projects.
#and finally the curl to get it using the token from the previous output
curl -s -H "X-Auth-Token: 0a60cdb2110f46258e6b021ede1bb781" http://127.0.0.1:5000/v3/projects?domain_id=dc1f1ef2055c41de8eacd4cdc4fa10e5

See original description
Sergii Kashaba (skashaba)
description: updated
description: updated
Dean Troyer (dtroyer)
Changed in python-openstackclient:
status: New → Triaged
importance: Undecided → Medium
Terry Howe (thowe-g)
summary: - CLI doesn't provide possibility to point query string
+ CLI doesn't provide possibility to point query string v3
Revision history for this message
Steve Martinelli (stevemar) wrote :

Isn't this caused by the admin_example not having a role on admin_project? More specifically, an admin role on the project?

keystoneclient should handle the url formation / query adding.

Revision history for this message
Sergii Kashaba (skashaba) wrote :

To Steve Martinelli (stevemar)
I would say that issue is not with the missed role. I was able to run project list using curl, adding query string
curl -s -H "X-Auth-Token: 0a60cdb2110f46258e6b021ede1bb781" http://127.0.0.1:5000/v3/projects?domain_id=dc1f1ef2055c41de8eacd4cdc4fa10e5.

Revision history for this message
Dean Troyer (dtroyer) wrote :

Is this still an issue? The proposed solution is not a solution, but there may still be a kink in the v3 auth arguments.

Changed in python-openstackclient:
status: Triaged → Incomplete
importance: Medium → Low
Revision history for this message
Sergii Kashaba (skashaba) wrote :

It is already fixed in openstack and keystone client.

Changed in python-openstackclient:
status: Incomplete → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.