inconsistent results for user show of yourself as a non-admin
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
python-openstackclient | Fix Released | Medium | David Rosales | |
Bug Description
When using non-admin credentials, openstack user show works if you specify a user id:
# openstack user show 631bbab78e33e55
+------
| Field | Value |
+------
| domain_id | default |
| id | 631bbab78e33e55
| name | arc1_dep |
+------
but fails if you specify a user name and domain name:
# openstack user show --domain Default arc1_dep
ERROR: openstack You are not authorized to perform the requested action: identity:list_users (HTTP 403) (Request-ID: req-6e3ab4fc-
This is because when you specify user id, openstackclient can make a GET /v3/users/{user_id} call, which policy allows for non-admins as long as the user_id matches their token, but if you specify the name openstackclient can't make that call because it doesn't know the user_id, so it makes a GET /v3/users call instead, which policy only allows for admins.
I think we could fix this by pulling the user_id from the token if/when the user and domain names specified on the openstack user show invocation match the user and domain names of the token, and using that to make the GET /v3/users/{user_id} call instead of relying on GET /v3/users. We would still have to rely on GET /v3/users as today when the names don't match, of course... and it would be right to return a 403 forbidden error when the names don't match, so that's fine.
Changed in python-openstackclient: assignee: nobody → AMIT KUMAR (maurya0092)
Changed in python-openstackclient: assignee: AMIT KUMAR (maurya0092) → David Rosales (darosale)
Changed in python-openstackclient: importance: Undecided → Medium
The same issue (and possible solution) also applies to projects
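
The lookup order proposed in the bug description, sketched for users as an added example; it is not python-openstackclient or keystone code. `FakeIdentity`, `find_user`, `Token` and the sample records are hypothetical and constructed, and the in-memory service only models the two policy rules the report describes.

```python
# Added illustration; FakeIdentity and find_user are hypothetical names, not
# python-openstackclient or keystone code. Sample data is constructed.
from collections import namedtuple

Token = namedtuple("Token", "user_id user_name domain_id domain_name is_admin")

class Forbidden(Exception):
    """Stands in for an HTTP 403 from the identity service."""

class FakeIdentity:
    """In-memory model of the two policy rules described in the report."""
    def __init__(self, users):
        self.users = {u["id"]: u for u in users}

    def get_user(self, token, user_id):            # GET /v3/users/{user_id}
        if not token.is_admin and user_id != token.user_id:
            raise Forbidden("identity:get_user")
        return self.users[user_id]                 # KeyError stands in for 404

    def list_users(self, token, name, domain_id=None):   # GET /v3/users
        if not token.is_admin:
            raise Forbidden("identity:list_users")
        return [u for u in self.users.values() if u["name"] == name
                and domain_id in (None, u["domain_id"])]

def find_user(identity, token, name_or_id, domain=None):
    # 1. Treat the argument as an ID; this already works for your own ID.
    try:
        return identity.get_user(token, name_or_id)
    except (Forbidden, KeyError):
        pass
    # 2. Proposed shortcut: name AND domain both match the token, so the
    #    user_id is already known. A missing domain does not count as a match.
    if (name_or_id == token.user_name
            and domain in (token.domain_id, token.domain_name)):
        return identity.get_user(token, token.user_id)
    # 3. Otherwise list as today; a non-admin still gets the 403 here.
    matches = identity.list_users(token, name_or_id, domain)
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} users match {name_or_id!r}")
    return matches[0]

USERS = [{"id": "631bbab78e33e55", "name": "arc1_dep", "domain_id": "default"},
         {"id": "constructed-id-2", "name": "other", "domain_id": "default"}]
ME = Token("631bbab78e33e55", "arc1_dep", "default", "Default", False)
ADMIN = Token("constructed-admin", "admin", "default", "Default", True)
IDENTITY = FakeIdentity(USERS)
```

The shortcut only ever substitutes the token's own user_id, so it grants nothing that the per-user GET policy does not already allow; any other name or domain still reaches the list call and its 403.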