project-list command does not work for a user with admin role on domain

Bug #1732502 reported by Evgeny Fedoruk on 2017-11-15
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Medium
Boris Bobrov

Bug Description

I use identity v3.

I have a domain and two projects inside.
I also have a user in this domain who has admin role on the domain.

I do "openstack project list --domain <my domain uuid>"
and get "You are not authorized to perform the requested action: identity:list_projects (HTTP 403)".

the policy for identity:list_projects says "cloud admin or rule:admin_and_matching_domain_id".
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s".
the issue is with domain_id probably, because once I remove it (e.g. "admin_and_matching_domain_id": "rule:admin_required"), it works.

I tried also with admin role on both domain's projects. No success.

Following link mentions the issue but trying to hardcode my domain uuid instead of "%(domain_id)s" did not work for me - https://ask.openstack.org/en/question/69418/not-authorized-to-list-projects-with-keystone-v3/

I also do the projects list request with domain-scoped token via openstack4j java library. same result.

Also, I saw some guy who tried the request via pure REST call (GET /v3/projects) and it did not work until he added the domain_id on request (GET /v3/projects?domain_id=...).
I did not try it by myself.

I use RDO NEWTON release.

Kristi Nikolla (knikolla) wrote :

I was unable to reproduce on the latest release (Pike). Created a new user and added the 'admin' role for it for domain default. I then got a domain scoped token and with that I was able to list all projects, projects on the domain, and projects on other domains. Looks like since moving to policy in code in Pike we default to the 'ADMIN_REQUIRED' rule for listing projects, so it doesn't matter what you are scoped to as long as you have the admin role[0].

I then updated the policy.json to match yours. I was able to list user's projects and the projects in the domain I was scoped to, but not in other domains[1]. This was again in Pike, I don't have a Newton or Ocata environment in hand right now, but I would recommend you to update since Newton is now EOL and unsupported[2].

[0]. https://github.com/openstack/keystone/blob/stable/pike/keystone/common/policies/project.py#L24-L29
[1]. http://paste.openstack.org/show/626534/
[2]. https://releases.openstack.org

Changed in keystone:
status: New → Incomplete
Evgeny Fedoruk (evgenyf) wrote :

Thanks for your investigation, Kristi.

My aim is to be able to get domain's (not default) projects list with a user who has admin role on that domain.
I have domain "domain-a" and 2 projects belonging to it domain-a, project-1 and project-2, and also a user domain-a-user with admin role on domain-a.

As I understood, in PIKE, using the domain-a-user, "openstack project list --domain domain-a" is working while the policy states:

"admin_required": "role:admin"
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s"
"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id"

Is that true?

In my Newton RDO, it's not working.
So was it a bug in Newton which was fixed in Ocata or Pike?

Thank you

description: updated
Evgeny Fedoruk (evgenyf) on 2017-11-21
Changed in keystone:
status: Incomplete → New
wangxiyuan (wangxiyuan) wrote :

Can't reproduce on master branch as well. I guess it has been fixed already.

Mathieu Gagné (mgagne) wrote :

I was able to reproduce the issue with Pike release using provided policy.v3cloudsample.json.

You can't list projects with a domain admin using a domain scoped token. (identity:list_projects policy fails)

Same with show user with a domain admin using a domain scoped token. (identity:get_user policy fails)

There is also a similar issue with the "identity:list_user_projects" policy where you can't perform the action even with a cloud admin.

So I suspect there are at least 2 bugs:
* domain_id policy check is buggy. This means the whole concept of domain admin is broken when policy.v3cloudsample.json is used.
* Some policies are missing rule:cloud_admin. This means a cloud admin cannot perform some actions, limiting the purpose and power of the cloud admin.

Evgeny Fedoruk (evgenyf) wrote :

Thanks for your input Mathieu. So there are issues that should be handled.
I found some other issue here https://bugs.launchpad.net/keystone/+bug/1734117

tags: added: office-hours
Changed in keystone:
status: New → Confirmed
importance: Undecided → Medium
wangxiyuan (wangxiyuan) wrote :

FYI:
the policy for list_projects in code is "rule:admin_required"
but in the sample file, it is "rule:cloud_admin or rule:admin_and_matching_domain_id"

Lance Bragstad (lbragstad) wrote :

For context, the policy.v3cloudsample.json file [0] was introduced as a way to get around some of the issues we have with admin-ness (see bug 968696). Until we actually fix some of those admin-ness issues with system-scope and deprecate the policies in code, we'll likely have a differences between what is in policy.v3cloudsample.json and what is in code.

[0] https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json

Fix proposed to branch: master
Review: https://review.openstack.org/573365

Changed in keystone:
assignee: nobody → Boris Bobrov (bbobrov)
status: Confirmed → In Progress
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers