Here is our use case: we want our tenant domain admin (e.g., Bob) to have this capability: Bob (domain-scoped) can list the projects that one user has roles on, and the projects Bob gets should only belong to Bob's scoping domain.
When we read the rule in policy.v3cloudsample.json for "identity:list_user_projects", we are happy that it's the same as what we want:
{...
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
...}
I thought we could use this API with the query string 'domain_id', so that Bob can, and only can, query projects in his scoping domain, but it doesn't work, since the @controller.filterprotected('enabled', 'name') decorator on list_user_projects() excludes the possibility of taking 'domain_id' as a query string, even though it's useful to us and recorded in the policy file.
Fix proposed to branch: master
Review: https://review.openstack.org/182569
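The interaction described in the report, as an added example that is not Keystone's own code: a simplified model of a filter whitelist feeding a policy target, evaluated against the two rules quoted above. The rule evaluator, the `filterprotected` model and the credentials for Bob are all constructed here; the point it shows is that a domain-matching rule can never succeed when the query filter it depends on is dropped before policy enforcement, and that whitelisting the filter still keeps Bob out of other domains.

```python
import re

# Constructed policy fragment mirroring the rules quoted in the report
# ("owner" and "admin_required" are assumed definitions for the model).
POLICY = {
    "admin_required": "role:admin",
    "owner": "user_id:%(user_id)s",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
}

def check(rule, creds, target):
    """Evaluate a tiny subset of policy syntax: 'or', 'and', 'rule:<name>',
    'role:<name>' and the generic '<cred_key>:%(target_attr)s' comparison."""
    if " or " in rule:  # 'and' binds tighter than 'or', so split on 'or' first
        return any(check(r, creds, target) for r in rule.split(" or "))
    if " and " in rule:
        return all(check(r, creds, target) for r in rule.split(" and "))
    kind, _, value = rule.partition(":")
    if kind == "rule":
        return check(POLICY[value], creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if not m:
        return False
    attr = m.group(1)
    # A generic check fails when the target lacks the attribute entirely.
    return attr in target and str(creds.get(kind)) == str(target[attr])

def filterprotected(allowed_filters, creds, query, action):
    """Model of the decorator: only whitelisted query filters become policy
    target attributes; any other query parameter is silently dropped."""
    target = {k: v for k, v in query.items() if k in allowed_filters}
    return check(POLICY[action], creds, target)

# Constructed domain-scoped admin token and request for the report's scenario.
BOB = {"user_id": "bob", "roles": ["admin"], "domain_id": "d1"}
QUERY = {"domain_id": "d1", "enabled": "true"}
ACTION = "identity:list_user_projects"

def current_behaviour():
    # As reported: 'domain_id' is not whitelisted, so the target never
    # carries it and the matching-domain rule cannot pass for Bob.
    return filterprotected(("enabled", "name"), BOB, QUERY, ACTION)

def with_domain_id_filter():
    # Whitelisting 'domain_id' lets Bob list projects in his own domain.
    return filterprotected(("enabled", "name", "domain_id"), BOB, QUERY, ACTION)

def cross_domain_attempt():
    # The same rule still denies a query for a domain Bob is not scoped to.
    return filterprotected(("enabled", "name", "domain_id"), BOB, {"domain_id": "d2"}, ACTION)
```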