project-list command does not work for a user with admin role on domain
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | In Progress | Medium | Boris Bobrov |
Bug Description
I use identity v3.
I have a domain and two projects inside.
I also have a user in this domain who has admin role on the domain.
I do "openstack project list --domain <my domain uuid>"
and get "You are not authorized to perform the requested action: identity:
the policy for identity:
"admin_
the issue is with domain_id probably, because once I remove it (e.g. "admin_
I tried also with admin role on both domain's projects. No success.
Following link mentions the issue but trying to hardcode my domain uuid instead of "%(domain_id)s" did not work for me - https:/
I also do the projects list request with a domain-scoped token via the openstack4j Java library. Same result.
Also, I saw some guy who tried the request via pure REST call (GET /v3/projects) and it did not work until he added the domain_id on request (GET /v3/projects?
I did not try it by myself.
I use RDO NEWTON release.
Changed in keystone: | |
status: | Incomplete → New |
tags: | added: office-hours |
Changed in keystone: | |
status: | New → Confirmed |
importance: | Undecided → Medium |
I was unable to reproduce on the latest release (Pike). Created a new user and added the 'admin' role for it for domain default. I then got a domain scoped token and with that I was able to list all projects, projects on the domain, and projects on other domains. Looks like since moving to policy in code in Pike we default to the 'ADMIN_REQUIRED' rule for listing projects, so it doesn't matter what you are scoped to as long as you have the admin role[0].
I then updated the policy.json to match yours. I was able to list user's projects and the projects in the domain I was scoped to, but not in other domains[1]. This was again in Pike, I don't have a Newton or Ocata environment in hand right now, but I would recommend you to update since Newton is now EOL and unsupported[2].
[0]. https://github.com/openstack/keystone/blob/stable/pike/keystone/common/policies/project.py#L24-L29
[1]. http://paste.openstack.org/show/626534/
[2]. https://releases.openstack.org
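The behaviours reported in this thread can be reproduced with a small model of how a `%(domain_id)s` rule is evaluated, compared with a plain admin-only rule. This is an added example, not keystone or oslo.policy code. It assumes a rule of the form `role:admin and domain_id:%(domain_id)s`, that the policy target only contains `domain_id` when the request passes it as a filter, and that a placeholder missing from the target makes the check fail; the names `check`, `enforce` and `list_projects_allowed` are hypothetical.

```python
# Simplified model of an oslo.policy-style generic check; not keystone's code.
ADMIN_REQUIRED = "role:admin"
# Assumed rule shape; the page itself only shows the "%(domain_id)s" placeholder.
ADMIN_AND_MATCHING_DOMAIN = "role:admin and domain_id:%(domain_id)s"


def check(term, target, creds):
    """Evaluate one 'kind:match' term against token credentials and target."""
    kind, match = term.split(":", 1)
    try:
        match = match % target          # fill %(key)s from the request target
    except KeyError:
        return False                    # placeholder absent from target: deny
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    return creds.get(kind) == match     # e.g. token's domain_id vs target's


def enforce(rule, target, creds):
    """Only 'and' conjunctions are modelled here."""
    return all(check(t.strip(), target, creds) for t in rule.split(" and "))


def list_projects_allowed(rule, creds, query):
    # Assumption: the target holds only the filters present in the query string.
    target = {k: v for k, v in query.items() if k == "domain_id"}
    return enforce(rule, target, creds)


# Constructed sample: credentials from a domain-scoped token of a domain admin.
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "d1"}

if __name__ == "__main__":
    for rule in (ADMIN_AND_MATCHING_DOMAIN, ADMIN_REQUIRED):
        for query in ({}, {"domain_id": "d1"}, {"domain_id": "d2"}):
            print(rule, query, list_projects_allowed(rule, DOMAIN_ADMIN, query))
```

Under the domain-matching rule, only the request filtered on the token's own domain passes; under the admin-only rule the token scope is never consulted, so any admin role assignment lists projects in every domain.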