The '--domain' arg for identity commands should not require domain lookup

Bug #1378565 reported by Nathan Kinder
This bug affects 1 person
Affects: python-openstackclient
Status: Fix Released
Importance: Undecided
Assigned to: Nathan Kinder

Bug Description

Performing a 'user list --domain <id>' requires list_domains, which a domain admin will not have. This results in a 403:

$ openstack --os-identity-api-version 3 --os-url http://127.0.0.1:35357/v3 --os-token <token> user list --domain <id>
ERROR: openstack You are not authorized to perform the requested action: identity:list_domains (Disable debug mode to suppress these details.) (HTTP 403)

You can see that a 'list_domains' is being used, which is likely there to allow looking up the domain id by name. If the domain is specified by ID, we should be able to use it to perform the user list, which works fine via curl:

  curl -i -H "X-Auth-Token: <token>" "http://localhost:35357/v3/users?domain_id=<id>"

We should attempt to look up the domain, but fall back to using the user-supplied domain argument as an ID if the lookup fails.

This same problem applies to the 'group list' command.

Nathan Kinder (nkinder)
summary: - The '--domain' arg for the 'user list' commandshould not require domain
+ The '--domain' arg for the 'user list' command should not require domain
lookup
Changed in python-openstackclient:
assignee: nobody → Nathan Kinder (nkinder)
status: New → In Progress
Nathan Kinder (nkinder) wrote : Re: The '--domain' arg for the 'user list' command should not require domain lookup

This also applies to listing projects.

Nathan Kinder (nkinder) wrote :

A patch has been proposed to fix this issue here:

  https://review.openstack.org/#/c/126754/

summary: - The '--domain' arg for the 'user list' command should not require domain
+ The '--domain' arg for identity commands should not require domain
lookup
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-openstackclient (master)

Reviewed: https://review.openstack.org/126754
Committed: https://git.openstack.org/cgit/openstack/python-openstackclient/commit/?id=f0c57e17c9a4b5bbe2f072a4eacefce3bcf30d45
Submitter: Jenkins
Branch: master

commit f0c57e17c9a4b5bbe2f072a4eacefce3bcf30d45
Author: Nathan Kinder <email address hidden>
Date: Tue Oct 7 16:30:56 2014 -0700

    Allow --domain to be used for identity commands without lookup

    Performing create, list, or set operations for users, groups, and projects
    with the --domain option attempts to look up the domain for name to ID
    conversion. In the case of an environment using Keystone domains, it is
    desired to allow a domain admin to perform these operations for objects in
    their domain without allowing them to list or show domains. The current
    behavior prevents the domain admin from performing these operations since
    they will be forbidden to perform the underlying list_domains operation.

    This patch makes the domain lookup error a soft failure, and falls back
    to using the passed in domain argument directly as a domain ID in the
    request that it sends to Keystone.

    Change-Id: I5139097f8cedc53693f6f71297518917ac72e50a
    Closes-Bug: #1378565
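
A minimal model of the lookup-then-fallback behaviour the commit message describes, added here as an illustration; it is not the python-openstackclient patch. `FakeIdentity`, the role names, and both resolver functions are hypothetical, and the domain and user data are constructed.

```python
# Added illustration; every name below is hypothetical, not project code.
class Forbidden(Exception):
    """Stands in for an HTTP 403 from the identity service."""


class FakeIdentity:
    """Constructed stand-in for an identity service with per-role policy."""
    DOMAINS = {"d1": "engineering", "d2": "finance"}            # id -> name
    USERS = [("alice", "d1"), ("bob", "d1"), ("carol", "d2")]   # (name, domain_id)

    def __init__(self, role, scope_domain=None):
        self.role, self.scope_domain = role, scope_domain

    def list_domains(self):
        # In this model only the cloud admin holds identity:list_domains.
        if self.role != "cloud_admin":
            raise Forbidden("identity:list_domains")
        return dict(self.DOMAINS)

    def list_users(self, domain_id):
        # The server enforces domain scope on the real request regardless
        # of how the client arrived at domain_id.
        if self.role != "cloud_admin" and domain_id != self.scope_domain:
            raise Forbidden("identity:list_users")
        return [name for name, dom in self.USERS if dom == domain_id]


def resolve_domain_strict(client, name_or_id):
    """Behaviour reported in the bug: a failed lookup aborts the command."""
    for dom_id, name in client.list_domains().items():
        if name_or_id in (dom_id, name):
            return dom_id
    raise LookupError(name_or_id)


def resolve_domain_soft(client, name_or_id):
    """Behaviour described in the fix: lookup failure is a soft failure."""
    try:
        return resolve_domain_strict(client, name_or_id)
    except (Forbidden, LookupError):
        # Fall back to sending the argument unchanged as a domain ID.
        return name_or_id


def user_list(client, domain, resolver):
    """Resolve --domain with the given resolver, then list that domain's users."""
    return client.list_users(resolver(client, domain))
```

In this model the fallback only changes which value is sent: `list_users` still rejects a domain admin asking about another domain, and a domain name passed without lookup rights is sent unchanged and rejected.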

Changed in python-openstackclient:
status: In Progress → Fix Committed
Dean Troyer (dtroyer)
Changed in python-openstackclient:
milestone: none → m6
Dean Troyer (dtroyer)
Changed in python-openstackclient:
status: Fix Committed → Fix Released