When using Keystone's policy.v3cloudsample.json policy file, a project admin is supposed to be able to manage role assignments to their project as seen in these rules:
--------------------------------------------------------------------------------------------------------------------------------
"project_admin_for_grants": "rule:admin_required and project_id:%(project_id)s",
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
"identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
--------------------------------------------------------------------------------------------------------------------------------
Unfortunately, a project admin isn't allowed to perform these operations using python-openstackclient, because we attempt to perform list operations for any of the object types specified (users, groups, projects). This is done in an attempt to look up the id of the object by name, but we perform this list operation even when the user specifies everything by id. This causes 403 errors like this one:
--------------------------------------------------------------------------------------------------------------------------------
[rdouser@rdo ~(keystone_demo)]$ openstack role remove --project 59c60337d27844c28fd57c56032244a4 --user 70930f27da4773d35445228862f0a8f659f96c822feb54f6e6de802f8006a8cb _member_
ERROR: openstack You are not authorized to perform the requested action: identity:list_projects (HTTP 403)
--------------------------------------------------------------------------------------------------------------------------------
We should be attempting to look up the object id by name, but we need to catch the 403 and assume that the user specified an id if the list operation is not allowed. This is similar to what we do with the --domain option for other commands.
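The fallback described above (try the lookup, treat a 403 on the list call as "the user gave an id"), as an added illustrative example rather than python-openstackclient's own code; the Forbidden/NotFound classes and FakeManager are constructed stand-ins for keystoneclient's exceptions and resource managers.

```python
"""Name-or-id lookup that tolerates a forbidden list operation.

Added illustrative example, not python-openstackclient's own code. The
Forbidden/NotFound classes and FakeManager are constructed stand-ins for
keystoneclient's exceptions and resource managers."""
from collections import namedtuple

Resource = namedtuple("Resource", ["id", "name"])

class Forbidden(Exception):
    """Stand-in for keystoneclient's Forbidden (HTTP 403)."""

class NotFound(Exception):
    """Stand-in for keystoneclient's NotFound (HTTP 404)."""

class FakeManager:
    """Minimal resource manager: get() by id, list() gated by policy."""

    def __init__(self, resources, may_list):
        self._by_id = {r.id: r for r in resources}
        self._may_list = may_list

    def get(self, resource_id):
        if resource_id not in self._by_id:
            raise NotFound(resource_id)
        return self._by_id[resource_id]

    def list(self):
        if not self._may_list:  # identity:list_* denied by policy
            raise Forbidden("identity:list_projects")
        return list(self._by_id.values())

def find_identity_resource(manager, name_or_id):
    """GET by id first; on 404 list and match by name; if the list call is
    refused with a 403, assume the caller gave an id and return a minimal
    resource carrying only that id instead of failing on the list."""
    try:
        return manager.get(name_or_id)
    except NotFound:
        pass
    try:
        matches = [r for r in manager.list() if r.name == name_or_id]
    except Forbidden:
        # Listing not permitted: trust the value as an id. A misspelt name
        # then reaches the server as an id and fails there with a 404.
        return Resource(id=name_or_id, name=None)
    if len(matches) != 1:
        raise NotFound("no unique resource named %r" % (name_or_id,))
    return matches[0]
```

A caller that can list still gets name resolution; a project admin who cannot list must pass ids, which is exactly what the policy already permits.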
Reviewed: https://review.openstack.org/174908
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=4c107e6f1b1913988e208b31206c84ab851b780c
Submitter: Jenkins
Branch: master
commit 4c107e6f1b1913988e208b31206c84ab851b780c
Author: Nathan Kinder <email address hidden>
Date: Thu Apr 16 19:12:45 2015 -0700
Role operations should not require list object permission
When using Keystone's policy.v3cloudsample.json policy file, a project admin is
supposed to be able to manage role assignments. Unfortunately, a project admin
isn't allowed to perform these operations using python-openstackclient, as we
attempt to perform list operations for any of the object types specified (users,
groups, projects). This is done in an attempt to lookup the id of the object by
name, but we perform this list operation even when the user specifies everything
by id. This causes 403 errors.
This patch still attempts to look up the object id by name, but we catch the 403
and assume that the user specified an id if the list operation is not allowed.
This is similar to what we do with the --domain option for other commands.
Closes-bug: #1445528
Change-Id: Id95a8520e935c1092d5a22ecd8ea01f572334ac8