domain admin can't create project using CLI interface

Bug #1317478 reported by Yaguang Tang
This bug affects 1 person
Affects: python-openstackclient
Status: Fix Released
Importance: Medium
Assigned to: Terry Howe

Bug Description

With domain admin credentials:

azureuser@devstack:~$ openstack project create project1 --domain 16c14541fbb04e9fbfc358d98e0e4535
INFO: urllib3.connectionpool Starting new HTTP connection (1): localhost
INFO: urllib3.connectionpool Starting new HTTP connection (1): 172.16.0.5
ERROR: cliff.app You are not authorized to perform the requested action, identity:get_domain. (HTTP 403)

openstackclient tries to verify every option before sending the request to the keystone API, but it's not capable for some API calls.
In this case, a domain isn't able to get domain info.

Terry Howe (thowe-g)
Changed in python-openstackclient:
assignee: nobody → Terry Howe (thowe-g)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-openstackclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/96836

Dean Troyer (dtroyer)
Changed in python-openstackclient:
importance: Undecided → Medium
milestone: none → m5
Dolph Mathews (dolph) wrote :

It's not really clear to me why it's openstackclient's fault that a "domain admin" would get a 403 - a "domain admin" is a deployment/policy.json dependent concept in keystone, and it's keystone raising the 403. Can you summarize what openstackclient is doing wrong?

OpenStack Infra (hudson-openstack) wrote : Fix merged to python-openstackclient (master)

Reviewed: https://review.openstack.org/96836
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=b6384886973c652c0161a9caeac6f31066edace1
Submitter: Jenkins
Branch: master

commit b6384886973c652c0161a9caeac6f31066edace1
Author: Terry Howe <email address hidden>
Date: Fri May 30 10:38:20 2014 -0600

    Domain administrator cannot do project operations

    Domain administrator cannot do project operations because they
    require access to the domain API (which they don't have). When
    attempting to find a domain for project operations, ignore errors
    because the API returns nothing without indicating there is a
    problem. The domain administrators will have to use a domain id,
    but they will still be able to do project operations. If the user
    does not have permission to read the domain table, they cannot
    use domain names.

    Change-Id: Ieed5d420022a407c8296a0bb3569d9469c89d752
    Closes-Bug: #1317478
    Closes-Bug: #1317485

Changed in python-openstackclient:
status: In Progress → Fix Committed
Dean Troyer (dtroyer)
Changed in python-openstackclient:
status: Fix Committed → Fix Released
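
The behaviour change described in the commit message, as an added example that is not python-openstackclient or keystone code: a client-side domain lookup that aborts on a 403, next to one that passes the value through as an ID and leaves validation to the server. `FakeIdentity`, `Forbidden`, both resolvers and the domain name `engineering` are hypothetical stand-ins; catching only the 403 is a choice made for this example.

```python
class Forbidden(Exception):
    """Stands in for an HTTP 403 from the identity API."""

class FakeIdentity:
    """In-memory identity service with a per-role policy (constructed data)."""
    POLICY = {
        "cloud_admin": {"identity:get_domain", "identity:create_project"},
        "domain_admin": {"identity:create_project"},  # no domain read access
    }
    # Domain id -> name; the id is the one in the report, the name is constructed.
    DOMAINS = {"16c14541fbb04e9fbfc358d98e0e4535": "engineering"}

    def __init__(self, role):
        self.role = role

    def _enforce(self, action):
        if action not in self.POLICY[self.role]:
            raise Forbidden(f"not authorized to perform {action} (HTTP 403)")

    def get_domain(self, name_or_id):
        self._enforce("identity:get_domain")
        for dom_id, name in self.DOMAINS.items():
            if name_or_id in (dom_id, name):
                return dom_id
        raise LookupError(f"no domain named or identified by {name_or_id!r}")

    def create_project(self, name, domain_id):
        self._enforce("identity:create_project")
        if domain_id not in self.DOMAINS:
            raise LookupError("domain not found")  # server still validates the id
        return {"name": name, "domain_id": domain_id}

def resolve_domain_strict(identity, name_or_id):
    """Before: the lookup is mandatory, so a 403 on it aborts the command."""
    return identity.get_domain(name_or_id)

def resolve_domain_lenient(identity, name_or_id):
    """After: if the lookup is forbidden, treat the value as a domain id."""
    try:
        return identity.get_domain(name_or_id)
    except Forbidden:
        return name_or_id

def create_project(identity, name, domain, resolver):
    """Resolve the --domain value, then issue the real request."""
    return identity.create_project(name, resolver(identity, domain))
```

The lenient resolver grants nothing new: the `identity:create_project` check and the server-side domain validation still run, so a domain administrator who passes a name instead of an ID is rejected by the server.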