Admin cannot show/set quotas in projects where they are not a member or in hierarchy
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Cinder | Fix Released | Undecided | Nate Potter | |
Bug Description
Per the ML thread [1] and IRC conversation the cinder team asked me to file this bug.
After upgrading Keystone from Liberty to Mitaka, we can no longer show or modify cinder quotas as admin unless we have a token scoped to the project we're modifying. This is a new limitation and causes a number of operational challenges when using the CLI or Horizon. Now we'll have to add ourselves to every project in which we want to change or even view cinder quotas. For non-admin users this might make sense, but not for admin users.
This is the specific error:
ERROR: Show operations can only be made to projects in the same hierarchy of the project in which users are scoped to. (HTTP 403)
more details:
On Liberty Keystone, projects seem to lack parents:
<Project description=Admin Tenant, domain_id=default, enabled=True,
id=9e839870dd0d
https:/
name=admin, parent_id=None, subtree=None>
In Mitaka, it seems that projects are children of the default domain:
<Project description=Admin Tenant, domain_id=default, enabled=True,
id=4764ba822ecb
http://
name=admin, parent_id=default, subtree=None>
In Liberty since all projects were parentless, the authorize_* code blocks
were skipped since both conditionals were false:
https:/
But now in Mitaka, the code is run, and it fails out since the projects are
"brothers", both with the parent of the default domain, but not
hierarchically related.
When this is fixed, if possible, a backport to Mitaka would be very helpful.
[1] - http://
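The behaviour change described in this report, as an added example that is not part of the original report and is not Cinder's code: a simplified model of a hierarchy check that is skipped when both projects are parentless and that rejects sibling projects once every project has the default domain as its parent. The `Project` class, the function names and the project ids are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Project:
    id: str
    parent_id: Optional[str]


def ancestors(projects: Dict[str, Project], project_id: str) -> List[str]:
    """Walk parent_id links upward and return the ancestor ids, nearest first."""
    chain: List[str] = []
    seen = {project_id}
    current = projects.get(project_id)
    while current is not None and current.parent_id is not None:
        if current.parent_id in seen:  # guard against a malformed, cyclic tree
            break
        chain.append(current.parent_id)
        seen.add(current.parent_id)
        current = projects.get(current.parent_id)
    return chain


def quota_show_allowed(projects: Dict[str, Project], scoped_id: str, target_id: str) -> bool:
    """Model of the reported check: may a token scoped to scoped_id view target_id?"""
    scoped, target = projects[scoped_id], projects[target_id]
    # Liberty-style data: no project has a parent, so the hierarchy check is skipped.
    if scoped.parent_id is None and target.parent_id is None:
        return True
    # Mitaka-style data: the target must be the scoped project or one of its descendants.
    return target_id == scoped_id or scoped_id in ancestors(projects, target_id)


# Constructed sample data mirroring the two project listings in the report.
LIBERTY = {
    "admin": Project("admin", None),
    "demo": Project("demo", None),
}
MITAKA = {
    "default": Project("default", None),   # the default domain
    "admin": Project("admin", "default"),
    "demo": Project("demo", "default"),    # sibling of admin
    "team": Project("team", "admin"),      # child of admin
}

if __name__ == "__main__":
    print("Liberty admin -> demo:", quota_show_allowed(LIBERTY, "admin", "demo"))
    print("Mitaka  admin -> demo:", quota_show_allowed(MITAKA, "admin", "demo"))
    print("Mitaka  admin -> team:", quota_show_allowed(MITAKA, "admin", "team"))
```

In the Mitaka-style data, `admin` and `demo` share only the default domain as a parent, so neither is in the other's ancestor chain and the check denies access regardless of the caller's role.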
summary:
- Admin cannot show/set quotas in projects where they are not a member
+ Admin cannot show/set quotas in projects where they are not a member or in hierarchy
Changed in cinder:
assignee: nobody → Nate Potter (ntpttr)
Fix proposed to branch: master
Review: https://review.openstack.org/335634