OpenStack Identity (keystone)

Domain admin can't view roles while it can mangage domain/project roles

Bug #2059780 reported by Takashi Kajinami on 2024-03-29

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	In Progress	Undecided	Takashi Kajinami

Bug Description

Currently when scope is enforced, domain admin is allowed to manage role assignments for project or domain but domain admin can't view roles

To allow domain admin to actually manipulate role assignments, keystone should allow domain admin to view roles.

See original description

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-03-29: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/914759

Changed in keystone:
status:	New → In Progress

Takashi Kajinami (kajinamit) on 2024-03-29

Changed in keystone:
assignee:	nobody → Takashi Kajinami (kajinamit)
description:	updated
description:	updated

Revision history for this message

Takashi Kajinami (kajinamit) wrote on 2024-04-10 (last edit on 2024-04-10):

Download full text (4.0 KiB)

Currently some resources in heat can't be created when
- enforce_new_default and enforce_scope are both True in keystone.
and
- dedicated domain (which is configured by stack_user_domain_id/name) is used for heat template-defined users

Heat attempts to create a user within the stack domain for notifications but the process to create the user fails because heat can't list roles with domain admin credential.

```
pr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource Traceback (most recent call last):
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resource.py", line 922, in _action_recorder
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource yield
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resource.py", line 1034, in _do_action
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource yield from self.action_handler_task(action, args=handler_args)
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resource.py", line 976, in action_handler_task
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource handler_data = handler(*args)
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resources/openstack/heat/scaling_policy.py", line 127, in handle_create
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource super(AutoScalingPolicy, self).handle_create()
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resources/stack_user.py", line 30, in handle_create
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource self._create_user()
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resources/stack_user.py", line 44, in _create_user
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource user_id = self.keystone().create_stack_domain_user(
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/clients/os/keystone/heat_keystoneclient.py", line 373, in create_stack_domain_user
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource stack_user_role = self.domain_admin_client.roles.list(
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resour...

Currently some resources in heat can't be created when
 - enforce_new_default and enforce_scope are both True in keystone.
and
 - dedicated domain (which is configured by stack_user_domain_id/name) is used for heat template-defined users

Heat attempts to create a user within the stack domain for notifications but the process to create the user fails because heat can't list roles with domain admin credential.

```
pr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource Traceback (most recent call last):
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource   File "/opt/stack/heat/heat/engine/resource.py", line 922, in _action_recorder
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource     yield
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource   File "/opt/stack/heat/heat/engine/resource.py", line 1034, in _do_action
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource     yield from self.action_handler_task(action, args=handler_args)
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource   File "/opt/stack/heat/heat/engine/resource.py", line 976, in action_handler_task
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource     handler_data = handler(*args)
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource   File "/opt/stack/heat/heat/engine/resources/openstack/heat/scaling_policy.py", line 127, in handle_create
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource     super(AutoScalingPolicy, self).handle_create()
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource   File "/opt/stack/heat/heat/engine/resources/stack_user.py", line 30, in handle_create
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource     self._create_user()
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource   File "/opt/stack/heat/heat/engine/resources/stack_user.py", line 44, in _create_user
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource     user_id = self.keystone().create_stack_domain_user(
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource   File "/opt/stack/heat/heat/engine/clients/os/keystone/heat_keystoneclient.py", line 373, in create_stack_domain_user
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource     stack_user_role = self.domain_admin_client.roles.list(
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource   File "/usr/local/lib/python3.10/dist-packages/keystoneclient/v3/roles.py", line 203, in list
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource     return super(RoleManager, self).list(**kwargs)
...
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource   File "/usr/local/lib/python3.10/dist-packages/keystoneauth1/session.py", line 985, in request
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource     raise exceptions.from_response(resp, method, url)
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:list_roles. (HTTP 403) (Request-ID: req-788fee8a-55e0-4070-921f-8558c2939b48)
```

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.