Role operations should not require list object permission

Bug #1445528 reported by Nathan Kinder
Affects: python-openstackclient
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

When using Keystone's policy.v3cloudsample.json policy file, a project admin is supposed to be able to manage role assignments to their project as seen in these rules:

--------------------------------------------------------------------------------------------------------------------------------
    "project_admin_for_grants": "rule:admin_required and project_id:%(project_id)s",
    "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
    "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
    "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
    "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
--------------------------------------------------------------------------------------------------------------------------------

Unfortunately, a project admin isn't allowed to perform these operations using python-openstackclient, as we attempt to perform list operations for any of the object types specified (users, groups, projects). This is done in an attempt to look up the id of the object by name, but we perform this list operation even when the user specifies everything by id. This causes 403 errors like this:

--------------------------------------------------------------------------------------------------------------------------------
[rdouser@rdo ~(keystone_demo)]$ openstack role remove --project 59c60337d27844c28fd57c56032244a4 --user 70930f27da4773d35445228862f0a8f659f96c822feb54f6e6de802f8006a8cb _member_
ERROR: openstack You are not authorized to perform the requested action: identity:list_projects (HTTP 403)
--------------------------------------------------------------------------------------------------------------------------------

We should be attempting to look up the object id by name, but we need to catch the 403 and assume that the user specified an id if the list operation is not allowed. This is similar to what we do with the --domain option for other commands.
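The lookup order the report asks for (get by id, then list by name, and on a 403 from the list call assume the caller passed an id), written out as an added example. This is not python-openstackclient code; the Forbidden/NotFound exceptions, the FakeManager with get()/list(), the caller_may_list flag and the sample project and user names are all constructed for the illustration. It assumes, as the v3cloudsample rules above imply, that a project-scoped admin can get() a resource by id but is denied list() on the type.

```python
"""Name-or-id resolution that tolerates a forbidden list call.

Added example, not project code. Hypothetical pieces: Forbidden, NotFound,
Resource, FakeManager and find_resource_id.
"""


class Forbidden(Exception):
    """Stands in for an HTTP 403 from the policy engine (e.g. identity:list_projects)."""


class NotFound(Exception):
    """Stands in for an HTTP 404: no resource with that id or name."""


class Resource:
    def __init__(self, id, name):
        self.id = id
        self.name = name


class FakeManager:
    """Constructed stand-in for a per-type client manager (users, projects, ...)."""

    def __init__(self, resources, caller_may_list):
        self._by_id = {r.id: r for r in resources}
        # Assumption: get(id) is allowed for the caller's own objects, list() may not be.
        self._caller_may_list = caller_may_list

    def get(self, id):
        try:
            return self._by_id[id]
        except KeyError:
            raise NotFound(id)

    def list(self):
        if not self._caller_may_list:
            raise Forbidden("You are not authorized to perform the requested action (HTTP 403)")
        return list(self._by_id.values())


def find_resource_id(manager, name_or_id):
    """Resolve name_or_id to an id.

    1. Try a direct get() by id; a hit needs no list permission at all.
    2. Otherwise list() and match on name.
    3. If list() is forbidden, return the input unchanged and let the real
       grant call fail with 404 if it was not actually an id.
    """
    try:
        return manager.get(name_or_id).id
    except NotFound:
        pass
    try:
        matches = [r for r in manager.list() if r.name == name_or_id]
    except Forbidden:
        # Cannot enumerate this type under the caller's policy: assume an id was given.
        return name_or_id
    if len(matches) == 1:
        return matches[0].id
    if not matches:
        raise NotFound(name_or_id)
    raise ValueError("more than one %r found; specify an id" % name_or_id)


# Constructed sample data; ids copied from the command in the report, names invented.
PROJECT_ID = "59c60337d27844c28fd57c56032244a4"
USER_ID = "70930f27da4773d35445228862f0a8f659f96c822feb54f6e6de802f8006a8cb"


def resolve_as_project_admin():
    """Project admin: list is denied, so ids pass through and names are assumed to be ids."""
    projects = FakeManager([Resource(PROJECT_ID, "demo")], caller_may_list=False)
    users = FakeManager([Resource(USER_ID, "rdouser")], caller_may_list=False)
    return find_resource_id(projects, PROJECT_ID), find_resource_id(users, USER_ID)


def resolve_as_cloud_admin():
    """Cloud admin: list is allowed, so a name resolves to its id."""
    projects = FakeManager([Resource(PROJECT_ID, "demo")], caller_may_list=True)
    return find_resource_id(projects, "demo")


if __name__ == "__main__":
    print(resolve_as_project_admin())
    print(resolve_as_cloud_admin())
```

The fallback only changes where a bad argument fails: a project admin who passes a misspelled name no longer gets a 403 on list_projects, but a 404 from the grant call itself, which is the same outcome an id-only API would give.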

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-openstackclient (master)

Reviewed: https://review.openstack.org/174908
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=4c107e6f1b1913988e208b31206c84ab851b780c
Submitter: Jenkins
Branch: master

commit 4c107e6f1b1913988e208b31206c84ab851b780c
Author: Nathan Kinder <email address hidden>
Date: Thu Apr 16 19:12:45 2015 -0700

    Role operations should not require list object permission

    When using Keystone's policy.v3cloudsample.json policy file, a project admin is
    supposed to be able to manage role assignments. Unfortunately, a project admin
    isn't allowed to perform these operations using python-openstackclient, as we
    attempt to perform list operations for any of the object types specified (users,
    groups, projects). This is done in an attempt to look up the id of the object by
    name, but we perform this list operation even when the user specifies everything
    by id. This causes 403 errors.

    This patch still attempts to look up the object id by name, but we catch the 403
    and assume that the user specified an id if the list operation is not allowed.
    This is similar to what we do with the --domain option for other commands.

    Closes-bug: #1445528
    Change-Id: Id95a8520e935c1092d5a22ecd8ea01f572334ac8

Changed in python-openstackclient:
status: New → Fix Committed
Dean Troyer (dtroyer)
Changed in python-openstackclient:
milestone: none → m10
Dean Troyer (dtroyer)
Changed in python-openstackclient:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-openstackclient (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/180018

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-openstackclient (stable/kilo)

Change abandoned by Jamie Lennox (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/180018
Reason: not going into stable
