quota set command doesn't work for a user with admin role on domain

Bug #1989637 reported by Linda Guo
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Neutron API Charm | New | Undecided | Unassigned |

Bug Description

By default, only a project admin is allowed to update quota. I tried to override the neutron-api policy to allow a user with the admin role on a domain to set quota for network, but it doesn't work. I am not sure if this is a keystone bug or a neutron-api bug.

>> neutron-api override policy
"admin_required": "role:admin",
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s"

"get_quota": "rule: admin_and_matching_domain_id"
"update_quota": "rule: admin_and_matching_domain_id"
"delete_quota": "rule: admin_and_matching_domain_id"

>>'openstack quota set' returned error:
$ openstack quota set --floating-ips 51 1508ac11c7bb41378c09808a1acc8ad6
HttpException: 403: Client Error for url: https://10.5.3.191:9696/v2.0/quotas/1508ac11c7bb41378c09808a1acc8ad6, rule:update_quota is disallowed by policy

>>user role assignment
$ openstack role assignment list --names --user test-user
+--------+------------------------+-------+---------------------------+--------------+--------+-----------+
| Role   | User                   | Group | Project                   | Domain       | System | Inherited |
+--------+------------------------+-------+---------------------------+--------------+--------+-----------+
| member | test-user@admin_domain |       | test-project@admin_domain |              |        | False     |
| Admin  | test-user@admin_domain |       |                           | admin_domain |        | False     |
+--------+------------------------+-------+---------------------------+--------------+--------+-----------+

Linda Guo (lihuiguo)
description: updated
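
A simplified model of how the two checks in the override above (a role check and a "domain_id:%(domain_id)s" generic check) are evaluated, added here as an example; it is not part of the original report and is not oslo.policy or Neutron code. The token contents, the constructed domain ID, and the quota target carrying only project identifiers are assumptions for illustration.

```python
# Simplified model of oslo.policy-style rule evaluation (assumption: not the
# library's code). The project ID is from the report; DOMAIN is constructed.
PROJECT = "1508ac11c7bb41378c09808a1acc8ad6"
DOMAIN = "constructed-domain-id"

def role_check(match, creds):
    # "role:admin": case-insensitive membership in the token's roles.
    return match.lower() in [r.lower() for r in creds.get("roles", [])]

def generic_check(kind, match, target, creds):
    # "domain_id:%(domain_id)s": the right side is filled in from the target
    # (the resource acted on); the left side is looked up in the credentials.
    # A key missing on either side means the check fails.
    try:
        expected = match % target
    except KeyError:
        return False
    if kind not in creds:
        return False
    return str(creds[kind]) == expected

def admin_and_matching_domain_id(target, creds):
    return (role_check("admin", creds)
            and generic_check("domain_id", "%(domain_id)s", target, creds))

def explain(target, creds):
    """Return 'allow' or the first reason the rule denies."""
    if admin_and_matching_domain_id(target, creds):
        return "allow"
    if not role_check("admin", creds):
        return "deny: no admin role in token"
    if "domain_id" not in target:
        return "deny: target has no domain_id"
    if "domain_id" not in creds:
        return "deny: token has no domain_id"
    return "deny: domain_id mismatch"

# Constructed tokens. A project-scoped token carries only the roles held on
# that project (the domain assignment in the report is not inherited).
PROJECT_TOKEN = {"roles": ["member"], "project_id": PROJECT}
DOMAIN_TOKEN = {"roles": ["Admin"], "domain_id": DOMAIN}

# Assumed quota target: project identifiers only, no domain_id.
QUOTA_TARGET = {"project_id": PROJECT, "tenant_id": PROJECT}
# Hypothetical target that does carry the owning domain.
TARGET_WITH_DOMAIN = dict(QUOTA_TARGET, domain_id=DOMAIN)

if __name__ == "__main__":
    for tok in (PROJECT_TOKEN, DOMAIN_TOKEN):
        for tgt in (QUOTA_TARGET, TARGET_WITH_DOMAIN):
            print(tok["roles"], sorted(tgt), "->", explain(tgt, tok))
```

When debugging a denial like the one in the report, the two things to confirm are the scope and roles of the token actually sent with the request and which attributes the service places in the policy target.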