list_user_projects() can't get filtered by 'domain_id'.

Bug #1454531 reported by DWang
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Wishlist | Sean Perry |

Bug Description

Here is our use case: we want our tenant domain admin (e.g., Bob) to have this capability: Bob (domain-scoped) can list the projects that one user has roles on, and the projects Bob gets should only belong to Bob's scoping domain.

When we read the rule in policy.v3cloudsample.json for "identity:list_user_projects", we are happy it's the same as what we want:
{...
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
"identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
...}

I thought we could use this API with the query string 'domain_id', so that Bob can, and only can, query projects in his scoping domain, but it doesn't work, since the @controller.filterprotected('enabled', 'name') for list_user_projects() excludes the possibility of taking 'domain_id' as a query string, even though it's useful to us and recorded in the policy file.
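
The mismatch described above, as an added illustration: a simplified Python model written for this page, not keystone or oslo.policy code. It assumes the rule's %(domain_id)s is filled from a target built only from whitelisted query filters, that rule:owner is a user_id match and rule:admin_required is the admin role; all function names and sample data are hypothetical.

```python
# Simplified model of the behaviour in the report; NOT keystone or oslo.policy code.
# All function names and the sample data are hypothetical / constructed.

def build_target(query, allowed_filters, path_args):
    """Only query-string keys named by the filter whitelist reach the policy target."""
    target = dict(path_args)
    target.update({k: v for k, v in query.items() if k in allowed_filters})
    return target

def generic_check(kind, template, creds, target):
    """Model of a 'kind:%(key)s' rule: fill the template from target, compare to creds."""
    try:
        expected = template % target
    except KeyError:
        return False  # key never reached the target, so the rule cannot match
    return str(creds.get(kind)) == expected

def allowed_by_policy(creds, target):
    # Assumed definitions: owner = user_id match, admin_required = 'admin' role.
    owner = generic_check("user_id", "%(user_id)s", creds, target)
    admin_and_matching_domain_id = ("admin" in creds["roles"] and
        generic_check("domain_id", "%(domain_id)s", creds, target))
    return owner or admin_and_matching_domain_id

def list_user_projects(creds, user_id, query, allowed_filters, projects):
    target = build_target(query, allowed_filters, {"user_id": user_id})
    if not allowed_by_policy(creds, target):
        raise PermissionError("forbidden by policy")
    hits = [p for p in projects if user_id in p["members"]]
    for key in allowed_filters:
        if key in query:  # whitelisted filters also narrow the result set
            hits = [p for p in hits if str(p.get(key)) == query[key]]
    return [p["name"] for p in hits]

# Constructed sample data: alice has roles in two domains, bob administers d1 only.
BOB = {"user_id": "bob", "domain_id": "d1", "roles": ["admin"]}
ALICE = {"user_id": "alice", "domain_id": "d1", "roles": ["member"]}
PROJECTS = [
    {"name": "p1", "domain_id": "d1", "members": {"alice"}},
    {"name": "p2", "domain_id": "d2", "members": {"alice"}},
]

def attempt(creds, query, allowed_filters):
    """List alice's projects as `creds`; return '403' when policy denies."""
    try:
        return list_user_projects(creds, "alice", query, allowed_filters, PROJECTS)
    except PermissionError:
        return "403"
```

With the ('enabled', 'name') whitelist the domain admin is denied even when passing domain_id; once 'domain_id' is whitelisted, the same request succeeds only for the admin's own domain and returns only that domain's projects.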

DWang (darren-wang)
Changed in keystone:
assignee: nobody → DWang (darren-wang)
DWang (darren-wang)
Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/182569

Dolph Mathews (dolph) wrote :
Changed in keystone:
importance: Undecided → Wishlist
DWang (darren-wang) wrote :

Thanks Dolph, I'll work on it.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone-specs (master)

Fix proposed to branch: master
Review: https://review.openstack.org/182915

Changed in keystone:
assignee: DWang (darren-wang) → Raildo Mascena de Sousa Filho (raildo)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone-specs (master)

Reviewed: https://review.openstack.org/182915
Committed: https://git.openstack.org/cgit/openstack/keystone-specs/commit/?id=5667c86d57d1408dcba018583677b3de30e94b01
Submitter: Jenkins
Branch: master

commit 5667c86d57d1408dcba018583677b3de30e94b01
Author: darren-wang <email address hidden>
Date: Thu May 14 09:51:34 2015 +0800

    Adding 'domain_id' filter to list_user_projects().

    Change-Id: I12aef27f7de6e695aa7bb882f68935649e1e360b
    Closes-Bug: #1454531

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
milestone: none → mitaka-1
Changed in keystone:
status: Fix Committed → Fix Released
Dave Chen (wei-d-chen) wrote :

Actually, this bug is not fixed yet; the patch that was merged is just a change in the API spec. The patch to implement this is here:
https://review.openstack.org/#/c/182569/

Changed in keystone:
milestone: mitaka-1 → mitaka-rc1
David Stanek (dstanek)
Changed in keystone:
status: Fix Released → In Progress
Changed in keystone:
assignee: Raildo Mascena de Sousa Filho (raildo) → Sean Perry (sean-perry-a)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/182569
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=3425c1fffe9cb40c759ccec516483e06225d65cd
Submitter: Jenkins
Branch: master

commit 3425c1fffe9cb40c759ccec516483e06225d65cd
Author: darren-wang <email address hidden>
Date: Wed May 13 16:28:52 2015 +0800

    Adding 'domain_id' filter to list_user_projects()

    Closes-Bug: #1454531
    Change-Id: I01af5376505f49c3c7c1906b7bc9511adb114632

Changed in keystone:
status: In Progress → Fix Released
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/keystone 9.0.0.0rc1

This issue was fixed in the openstack/keystone 9.0.0.0rc1 release candidate.
