Cannot list project role assignments as domain admin

Bug #1805165 reported by Boris Bobrov
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

As domain admin, I would like to list role assignments on projects of my domain. The default v3 policies are:

"admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
"admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
"identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",

I expected that adding a new rule like

"admin_on_project_domain_filter": "rule:admin_required and project_id:%(scope.project.domain.id)s",

would work, but it did not.

I ran into this bug on Newton, but according to the code it seems to be present in Rocky. I am not sure about current master.

The attached patch is how I fixed it for Newton.

Boris Bobrov (bbobrov) wrote :
Boris Bobrov (bbobrov)
description: updated
Lance Bragstad (lbragstad) wrote :

Hey Boris!

Thanks for the bug report. I think this might actually be a duplicate of bug 1750673. Looks like there is a fix in flight that isn't specific to domain users, too.
