project-list command does not work for a user with admin role on domain

Bug #1732502 reported by Evgeny Fedoruk
This bug affects 3 people
Affects: OpenStack Identity (keystone)
Status: In Progress
Importance: Medium
Assigned to: Boris Bobrov
Milestone: (none)

Bug Description

I use identity v3.

I have a domain and two projects inside.
I also have a user in this domain who has admin role on the domain.

I do "openstack project list --domain <my domain uuid>"
and get "You are not authorized to perform the requested action: identity:list_projects (HTTP 403)".

The policy for identity:list_projects says "cloud admin or rule:admin_and_matching_domain_id".
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s".
The issue is probably with domain_id, because once I remove it (e.g. "admin_and_matching_domain_id": "rule:admin_required"), it works.

I tried also with admin role on both domain's projects. No success.

The following link mentions the issue, but trying to hardcode my domain uuid instead of "%(domain_id)s" did not work for me: https://ask.openstack.org/en/question/69418/not-authorized-to-list-projects-with-keystone-v3/

I also do the project list request with a domain-scoped token via the openstack4j Java library. Same result.

Also, I saw some guy who tried the request via pure REST call (GET /v3/projects) and it did not work until he added the domain_id on request (GET /v3/projects?domain_id=...).
I did not try it by myself.

I use RDO NEWTON release.

Tags: office-hours
Kristi Nikolla (knikolla) wrote :

I was unable to reproduce on the latest release (Pike). Created a new user and added the 'admin' role for it for domain default. I then got a domain scoped token and with that I was able to list all projects, projects on the domain, and projects on other domains. Looks like since moving to policy in code in Pike we default to the 'ADMIN_REQUIRED' rule for listing projects, so it doesn't matter what you are scoped to as long as you have the admin role[0].

I then updated the policy.json to match yours. I was able to list the user's projects and the projects in the domain I was scoped to, but not in other domains[1]. This was again in Pike; I don't have a Newton or Ocata environment in hand right now, but I would recommend that you update, since Newton is now EOL and unsupported[2].

[0]. https://github.com/openstack/keystone/blob/stable/pike/keystone/common/policies/project.py#L24-L29
[1]. http://paste.openstack.org/show/626534/
[2]. https://releases.openstack.org

Changed in keystone:
status: New → Incomplete
Evgeny Fedoruk (evgenyf) wrote :

Thanks for your investigation, Kristi.

My aim is to be able to get a domain's (not the default domain's) project list with a user who has the admin role on that domain.
I have domain "domain-a" and 2 projects belonging to it, project-1 and project-2, and also a user domain-a-user with the admin role on domain-a.

As I understood, in PIKE, using the domain-a-user, "openstack project list --domain domain-a" is working while the policy states:

"admin_required": "role:admin"
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s"
"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id"

Is that true?

In my Newton RDO, it's not working.
So was it a bug in Newton which was fixed in Ocata or Pike?

Thank you

description: updated
Evgeny Fedoruk (evgenyf)
Changed in keystone:
status: Incomplete → New
wangxiyuan (wangxiyuan) wrote :

Can't reproduce on master branch as well. I guess it has been fixed already.

Mathieu Gagné (mgagne) wrote :

I was able to reproduce the issue with Pike release using provided policy.v3cloudsample.json.

You can't list projects with a domain admin using a domain scoped token. (identity:list_projects policy fails)

Same with show user with a domain admin using a domain scoped token. (identity:get_user policy fails)

There is also a similar issue with the "identity:list_user_projects" policy where you can't perform the action even with a cloud admin.

So I suspect there are at least 2 bugs:
* domain_id policy check is buggy. This means the whole concept of domain admin is broken when policy.v3cloudsample.json is used.
* Some policies are missing rule:cloud_admin. This means a cloud admin cannot perform some actions, limiting the purpose and power of the cloud admin.

Evgeny Fedoruk (evgenyf) wrote :

Thanks for your input Mathieu. So there are issues that should be handled.
I found some other issue here https://bugs.launchpad.net/keystone/+bug/1734117

tags: added: office-hours
Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
wangxiyuan (wangxiyuan) wrote :

FYI:
The policy for list_projects in code is "rule:admin_required",
but in the sample file it is "rule:cloud_admin or rule:admin_and_matching_domain_id".

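As an added illustration (not keystone's or oslo.policy's own code) of the behaviour described in the bug description and in the FYI above, a small evaluator for the quoted rule strings: the "domain_id:%(domain_id)s" term is filled from the request target, so with no domain_id on the request the sample-file rule fails for a domain admin, while the in-code default "rule:admin_required" passes. The cloud_admin rule is a simplified assumption bound to a placeholder domain id, and the credentials are constructed.

```python
# Minimal evaluator for the policy rule syntax quoted in this bug report.
# Not keystone or oslo.policy code; it mimics how their generic checks
# substitute %(key)s from the request target and fail on a missing key.

# Rules quoted in the report. "cloud_admin" is a simplified stand-in
# (assumption, not the v3cloudsample definition) bound to a placeholder.
CLOUD_ADMIN_DOMAIN = "cloud-admin-domain-id"  # placeholder, not a real id
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "role:admin and domain_id:" + CLOUD_ADMIN_DOMAIN,
    "admin_and_matching_domain_id":
        "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_projects":
        "rule:cloud_admin or rule:admin_and_matching_domain_id",
}


def check_atom(atom, creds, target):
    """Evaluate one 'kind:match' term like oslo.policy's generic check."""
    kind, match = atom.split(":", 1)
    if kind == "rule":
        return enforce(match, creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        expected = match % target  # fill %(key)s from the request target
    except KeyError:
        return False               # target has no such key: check fails
    return str(creds.get(kind)) == expected


def enforce(rule, creds, target):
    """'or'-separated groups of 'and' terms; no parentheses needed here."""
    expr = POLICY.get(rule, rule)
    return any(all(check_atom(a.strip(), creds, target)
                   for a in group.split(" and "))
               for group in expr.split(" or "))


def can_list_projects(creds, request_domain_id=None, in_code_default=False):
    """Sample-file rule, or Pike's in-code 'rule:admin_required'."""
    target = {} if request_domain_id is None else {"domain_id": request_domain_id}
    rule = "admin_required" if in_code_default else "identity:list_projects"
    return enforce(rule, creds, target)


# Constructed credentials: a domain-scoped token for domain-a with admin role.
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "domain-a"}
```

With DOMAIN_ADMIN, a plain GET /v3/projects (no domain_id target) is denied, GET /v3/projects?domain_id=domain-a is allowed, and the in-code default allows both.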
Lance Bragstad (lbragstad) wrote :

For context, the policy.v3cloudsample.json file [0] was introduced as a way to get around some of the issues we have with admin-ness (see bug 968696). Until we actually fix some of those admin-ness issues with system-scope and deprecate the policies in code, we'll likely have differences between what is in policy.v3cloudsample.json and what is in code.

[0] https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/573365

Changed in keystone:
assignee: nobody → Boris Bobrov (bbobrov)
status: Confirmed → In Progress
Colleen Murphy (krinkle) wrote :

I think this is covered by https://bugs.launchpad.net/keystone/+bug/1750660 and the default project policies now account for domain scope.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by "Gage Hugo <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/573365
Reason: Abandoning since there hasn't been any recent activity, if anyone wants to continue this work, please feel free to restore this or create a new change.
