project name-to-id conversion failing for non-admin

Bug #1658189 reported by Matthew Edmonds on 2017-01-20
This bug affects 1 person
Status: Fix Released
Assigned to: David Rabel

Bug Description

While attempting to create a role that is not allowed to list projects but is allowed to give role assignments within their project (essentially a project-specific administrator), I found that the following commands all fail because they are unable to find projA:

`openstack role add --user jim --project projA member`
`openstack role add --user jim --project projA member`
`openstack role assignment list --project projA`

This is because the admin role is required to list projects, and the current implementation is attempting to list projects to convert the project name to an id, which is required for the API call these commands depend on.

We have already addressed similar issues under the following bugs (such that something like `openstack project show projA` does work for the role I'm trying to create).

The same kind of solution should work here... I.e., use the project id from the token data if the project name from the token data matches the requested project name.

Dean Troyer (dtroyer) on 2017-02-02
Changed in python-openstackclient:
status: New → Confirmed
importance: Undecided → Medium
David Rabel (rabel-b1) wrote :

I think to fix this in "role add" or "role remove" does not make too much sense. There is also a call to /users?name=jim, which cannot be done as non-admin either. So this wouldn't really help.

I will provide a patch proposal for role assignment list later.

Changed in python-openstackclient:
assignee: nobody → David Rabel (rabel-b1)

Fix proposed to branch: master

Changed in python-openstackclient:
status: Confirmed → In Progress

Submitter: Jenkins
Branch: master

commit 0ad6b6b2e0b26ebc93a99730bcc414bf8e091759
Author: David Rabel <email address hidden>
Date: Mon May 15 18:11:37 2017 +0200

    Use _get_token_resource in role assignment list

    If project matches the project from access token,
    we do not have to send an API request to /projects?name=...,
    because the project ID is already known.
    This API request may require additional permissions, so
    we want to avoid it, if possible.

    Change-Id: Ice1af8686bceea6b67229dcab7cf82eef821163e
    Closes-Bug: #1658189

Changed in python-openstackclient:
status: In Progress → Fix Released

This issue was fixed in the openstack/python-openstackclient 3.12.0 release.
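
The lookup order described in the report and in the commit message, as an added example that is not python-openstackclient code: consult the token's project scope first, and send the project listing request only when the scope does not match. `FakeIdentity`, `resolve_project_id`, the token layout and all IDs are hypothetical, constructed for the illustration; the domain check is an assumption added here because project names are unique only within a domain.

```python
class Forbidden(Exception):
    """Stands in for an HTTP 403 from the identity API."""


# Constructed scope data of a project-scoped token (all values made up).
TOKEN = {"project": {"id": "1f0a-constructed-id", "name": "projA",
                     "domain": {"id": "default", "name": "Default"}}}


class FakeIdentity:
    """Constructed stand-in for the identity API; listing projects is admin-only."""

    def __init__(self, projects, caller_roles):
        self.projects = projects
        self.caller_roles = caller_roles
        self.list_calls = 0

    def list_projects(self, name):
        # Models GET /projects?name=..., the request the fix avoids.
        self.list_calls += 1
        if "admin" not in self.caller_roles:
            raise Forbidden("listing projects requires the admin role")
        return [p for p in self.projects if p["name"] == name]


def resolve_project_id(identity, token, project, domain=None):
    """Return the project ID, using the token scope before any API lookup."""
    scoped = token.get("project") or {}
    scoped_domain = scoped.get("domain") or {}
    # Project names are unique only within a domain, so an explicitly
    # requested domain must match the token's before the shortcut is used.
    domain_ok = domain is None or domain in (scoped_domain.get("id"),
                                             scoped_domain.get("name"))
    if scoped and domain_ok and project in (scoped.get("name"), scoped.get("id")):
        return scoped["id"]
    matches = identity.list_projects(project)
    if len(matches) != 1:
        raise LookupError("expected one project named %r, found %d"
                          % (project, len(matches)))
    return matches[0]["id"]


if __name__ == "__main__":
    projects = [{"id": "1f0a-constructed-id", "name": "projA"},
                {"id": "2b7c-constructed-id", "name": "projB"}]
    non_admin = FakeIdentity(projects, caller_roles=["project_admin"])
    print(resolve_project_id(non_admin, TOKEN, "projA"), non_admin.list_calls)
```

The shortcut only covers the project the token is scoped to; any other project name still goes through the listing request and is subject to its policy.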
