can't list own projects unless admin

Bug #1627555 reported by Adrian Turjak
This bug affects 2 people
Affects: python-openstackclient
Status: Fix Released
Importance: Undecided
Assigned to: Adrian Turjak

Bug Description

"openstack project list" defaults to listing all projects; if you are not admin, this falls over.

If you just want your project list, you can attempt:
"openstack project list --user <my_username/my_id>"

This will also fail because, up until Newton, getting your own user required admin. Project list always does a find_resource when given a user filter, which means that even if you give it a valid user ID, it has to fetch the user object from keystone.

As such attempting to get your own project list (a valid and important action) is impossible with the openstack client for anyone running default keystone policy files from anything before Newton.

An easy and sensible solution is to make "openstack project list" still default to all projects, but on a forbidden response, return your own user list. This option is simple, good UX, and actually makes the project list command useful for non-admins. Another option that isn't as nice UX is to add a --auth-user option.

See thread here for discussion and further reading:
http://lists.openstack.org/pipermail/openstack-dev/2016-September/104155.html

Adrian Turjak (adriant-y) wrote :

Not sure why it isn't automatically being listed, but:

Addressed by: https://review.openstack.org/#/c/376056/

Changed in python-openstackclient:
assignee: nobody → Adrian Turjak (adriant-y)
Changed in python-openstackclient:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-openstackclient (master)

Reviewed: https://review.openstack.org/376056
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=49f6032b699804b1b0ed56137ab14ba266251157
Submitter: Jenkins
Branch: master

commit 49f6032b699804b1b0ed56137ab14ba266251157
Author: adrian-turjak <email address hidden>
Date: Mon Sep 26 13:06:42 2016 +1300

    Non-Admin can't list own projects

    Due to a default Keystone policy until Newton,
    and the use of resource_find, non-admins are unable
    to list their own projects.

    This patch bypasses this problem while also introducing better
    UX for non-admins wishing to get their project list.

    'openstack project list' retains the default of 'list all projects'
    but on a forbidden error will default instead to 'list my projects'.
    This way for non-admins 'list my projects' feels like the default
    without breaking the expected admin default.

    Adding the '--my-projects' option allows admins to easily list their
    own projects or allows non-admins to be explicit and bypass the
    forbidden error fallback.

    Change-Id: I1021276f69fbbf28e13e17c4e567d932fce7ed8b
    Closes-Bug: #1627555

Changed in python-openstackclient:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-openstackclient 3.10.0

This issue was fixed in the openstack/python-openstackclient 3.10.0 release.
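
The fallback described in the commit message above, modelled as an added example; this is not code from the report or from python-openstackclient. FakeIdentity, Forbidden and project_list are hypothetical names, and the rule that a token may list projects for its own user ID is an assumption about the policy.

```python
class Forbidden(Exception):
    """Stand-in for an HTTP 403 from the identity service."""


class FakeIdentity:
    """Constructed model of Keystone under the pre-Newton default policy."""

    def __init__(self, auth_user_id, is_admin, memberships):
        self.auth_user_id = auth_user_id   # user the token belongs to
        self.is_admin = is_admin
        self._memberships = memberships    # user id -> list of project names

    def list_all_projects(self):
        if not self.is_admin:
            raise Forbidden("listing all projects is admin-only")
        return sorted({p for ps in self._memberships.values() for p in ps})

    def get_user(self, user_id):
        # Per the report: before Newton even fetching your own user needed admin.
        if not self.is_admin:
            raise Forbidden("fetching a user is admin-only")
        return user_id

    def list_user_projects(self, user_id):
        # Assumption: a token may list projects for its own user id only.
        if not self.is_admin and user_id != self.auth_user_id:
            raise Forbidden("not your user id")
        return sorted(self._memberships.get(user_id, []))


def project_list(identity, user=None, my_projects=False):
    """Model of 'openstack project list' with the fallback from the fix."""
    if my_projects:
        # Explicit '--my-projects': go straight to the caller's own projects.
        return identity.list_user_projects(identity.auth_user_id)
    if user is not None:
        # '--user' resolves the user object first, as the report describes.
        return identity.list_user_projects(identity.get_user(user))
    try:
        return identity.list_all_projects()      # admin default is unchanged
    except Forbidden:
        # Fallback is scoped to the token's own user id, never a supplied one.
        return identity.list_user_projects(identity.auth_user_id)


MEMBERSHIPS = {"u-admin": ["admin"], "u-bob": ["dev", "staging"]}  # constructed
ADMIN = FakeIdentity("u-admin", True, MEMBERSHIPS)
BOB = FakeIdentity("u-bob", False, MEMBERSHIPS)
print(project_list(BOB))
```

The fallback widens nothing: a non-admin only ever receives the projects tied to the user ID in their own token.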
