User cannot perform self operations with unscoped token

Bug #1637740 reported by Adam Young
This bug report is a duplicate of: Bug #1627555: can't list own projects unless admin.
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
python-keystoneclient | Invalid | Undecided | Unassigned |
python-openstackclient | New | Undecided | Unassigned |

Bug Description

$ cat ~/devel/openstack/trystack/keystone.rc
unset `env | awk -F= '/OS_/ {print $1}' | xargs`

export OS_PASSWORD={redacted}
export OS_USERNAME={redacted}
export OS_AUTH_URL=http://x86.trystack.org:5000

$ . ~/devel/openstack/trystack/keystone.rc
$ openstack project list

Missing parameter(s):
Set a scope, such as a project or domain, set a project scope with --os-project-name, OS_PROJECT_NAME or auth.project_name, set a domain scope with --os-domain-name, OS_DOMAIN_NAME or auth.domain_name

$ openstack user show
Missing parameter(s):
Set a scope, such as a project or domain, set a project scope with --os-project-name, OS_PROJECT_NAME or auth.project_name, set a domain scope with --os-domain-name, OS_DOMAIN_NAME or auth.domain_name

$ openstack user show $OS_USERNAME
Missing parameter(s):
Set a scope, such as a project or domain, set a project scope with --os-project-name, OS_PROJECT_NAME or auth.project_name, set a domain scope with --os-domain-name, OS_DOMAIN_NAME or auth.domain_name

Adam Young (ayoung) wrote :

This is what Horizon does:

curl -H "X-Auth-Token: $AUTH_TOKEN" -H "Content-type: application/json" $OS_AUTH_URL/v3/auth/projects

{"links": {"self": "http://x86.trystack.org:5000/v3/auth/projects", "previous": null, "next": null}, "projects": [{"is_domain": false, "description": "Auto created account", "links": {"self": "http://x86.trystack.org:5000/v3/projects/38db4610673545e58a99d7c0ea708174"}, "enabled": true, "id": "38db4610673545e58a99d7c0ea708174", "parent_id": null, "domain_id": "default", "name": "facebook665086733"}]}

In general, without a scoped token, Keystone operations can only be performed against the AUTH_URL. Thus, the enumeration of user-specific information must be under OS_AUTH_URL/v3/auth.
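
The flow described in the comment above, as an added Python example that is not code from the report, Keystone or python-openstackclient: authenticate without a scope, list the user's own projects under /v3/auth, then exchange the unscoped token for a project-scoped one. The function names, the keystone.example host, the "default" user domain and the fake_keystone stand-in are assumptions made for the example.

```python
# Added example: unscoped token -> /v3/auth/projects -> project-scoped token.
import json
import urllib.request

def http_send(method, url, headers, body=None):
    """Real transport: returns (lower-cased response headers, parsed JSON body)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return {k.lower(): v for k, v in resp.headers.items()}, json.load(resp)

def unscoped_auth_body(username, password, user_domain_id="default"):
    # No "scope" key, so Keystone issues an unscoped token ("default" is assumed).
    user = {"name": username, "password": password, "domain": {"id": user_domain_id}}
    return {"auth": {"identity": {"methods": ["password"], "password": {"user": user}}}}

def scoped_auth_body(unscoped_token, project_id):
    # Trade the unscoped token for one limited to a single project.
    return {"auth": {"identity": {"methods": ["token"], "token": {"id": unscoped_token}},
                     "scope": {"project": {"id": project_id}}}}

def discover_and_scope(auth_url, username, password, project_name, send=http_send):
    """List the caller's own projects with an unscoped token, then scope to one."""
    base = auth_url.rstrip("/") + "/v3/auth"
    ctype = {"Content-Type": "application/json"}
    hdrs, _ = send("POST", base + "/tokens", ctype, unscoped_auth_body(username, password))
    unscoped = hdrs["x-subject-token"]  # the token travels in a header, not the body
    _, listing = send("GET", base + "/projects", {"X-Auth-Token": unscoped})
    match = [p for p in listing["projects"] if p["enabled"] and p["name"] == project_name]
    if not match:
        raise LookupError("user has no enabled project named %r" % project_name)
    hdrs, _ = send("POST", base + "/tokens", ctype, scoped_auth_body(unscoped, match[0]["id"]))
    return match[0]["id"], hdrs["x-subject-token"]

def fake_keystone(method, url, headers, body=None):
    """Constructed stand-in for Keystone so the example runs offline."""
    if url.endswith("/projects"):
        assert headers["X-Auth-Token"] == "unscoped-tok"
        return {}, {"projects": [{"id": "p1", "name": "demo", "enabled": True}]}
    scoped = "scope" in body["auth"]
    return {"x-subject-token": "scoped-tok" if scoped else "unscoped-tok"}, {}

if __name__ == "__main__":
    print(discover_and_scope("http://keystone.example:5000", "alice", "secret",
                             "demo", fake_keystone))
```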

Steve Martinelli (stevemar) wrote :

Part of this was fixed in https://github.com/openstack/python-openstackclient/commit/337d013c94378a4b3f0e8f90e4f5bd745448658f

And the other part is a dupe of https://bugs.launchpad.net/python-openstackclient/+bug/1627555

Not sure why it was filed against keystoneclient.

Changed in python-keystoneclient:
status: New → Invalid