Domain show command should not use require list domains

Bug #1384371 reported by Nathan Kinder
This bug affects 1 person
Affects                | Status  | Importance | Assigned to | Milestone
python-openstackclient | Invalid | Undecided  | Unassigned  |

Bug Description

Similar to bug 1378565, a 'domain show' command attempts to look up the specified domain by doing a 'domain list' behind the scenes. A user who is allowed to show their domain (such as the admin of a domain) might not be allowed to list all domains. In this case, the user will encounter a 403. There are proposed changes to make this the normal v3 policy for Keystone:

  https://bugs.launchpad.net/keystone/+bug/1384365

We should allow a 'domain show' to work without attempting to list the domains.

Nathan Kinder (nkinder) wrote :

Actually, this is working properly if a domain id is specified (versus a name). Closing as invalid.

Changed in python-openstackclient:
status: New → Invalid
Nathan Kinder (nkinder) wrote :

Here are details showing that this is working correctly:

[rhosuser@rhos ~(keystone_ipa_admin)]$ openstack domain show 038945faee6b4b0e8cc9f50d3e83013e
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | ipa                              |
| enabled     | True                             |
| id          | 038945faee6b4b0e8cc9f50d3e83013e |
| name        | ipa                              |
+-------------+----------------------------------+
[rhosuser@rhos ~(keystone_ipa_admin)]$ openstack domain show ipa
ERROR: openstack You are not authorized to perform the requested action: identity:list_domains (HTTP 403)
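
The behaviour reported in this bug, as an added example that is not part of the original report and is not python-openstackclient or Keystone code: a toy identity service enforces the two policy targets separately, and a client resolves a domain reference by ID first and by name only through a list call. The class and function names, and the ID-then-list resolution order, are assumptions made for the illustration.

```python
# Toy model of the lookup described in this report; every name is hypothetical.
class Forbidden(Exception):
    """Stands in for an HTTP 403 from the identity service."""

class NotFound(Exception):
    """Stands in for an HTTP 404."""

class ToyIdentity:
    """Identity service that checks a policy target on every call."""
    def __init__(self, domains, allowed_actions):
        self._domains = {d["id"]: d for d in domains}
        self._allowed = set(allowed_actions)

    def _enforce(self, action):
        if action not in self._allowed:
            raise Forbidden(f"not authorized: {action} (HTTP 403)")

    def get_domain(self, domain_id):
        self._enforce("identity:get_domain")
        if domain_id not in self._domains:
            raise NotFound(domain_id)
        return self._domains[domain_id]

    def list_domains(self, name=None):
        self._enforce("identity:list_domains")
        return [d for d in self._domains.values() if name in (None, d["name"])]

def show_domain(identity, name_or_id):
    """Assumed order: direct GET by ID, then a filtered list for names."""
    try:
        return identity.get_domain(name_or_id)
    except NotFound:
        pass  # not an ID; a name can only be resolved through a list call
    matches = identity.list_domains(name=name_or_id)
    if len(matches) != 1:
        raise NotFound(name_or_id)
    return matches[0]

# Constructed sample data mirroring the session quoted in the report.
DOMAIN = {"id": "038945faee6b4b0e8cc9f50d3e83013e", "name": "ipa",
          "description": "ipa", "enabled": True}
domain_admin = ToyIdentity([DOMAIN], allowed_actions={"identity:get_domain"})

def outcome(identity, ref):
    # Returns the resolved domain ID, or the 403 text if policy blocks the lookup.
    try:
        return show_domain(identity, ref)["id"]
    except Forbidden as exc:
        return str(exc)
```

Under a policy that grants a domain admin only the get action, automation that passes the domain ID keeps working, while anything that passes a name needs the list action as well.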
