policy.v3cloudsample.json doesn't allow domain admin list role assignments on project
Bug #1630434 reported by
John Lin
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Lance Bragstad | |
Bug Description
My OpenStack version is Mitaka.
With an admin domain-scoped token, a domain admin cannot list role assignments on the project in the domain. The error message is:

```json
{
    "error": {
        "code": 403,
        "message": "You are not authorized to perform the requested action: identity:
        "title": "Forbidden"
    }
}
```
I am currently using a workaround: adding include_
- Changed in keystone: assignee: nobody → guoshan (guoshan)
- Changed in keystone: assignee: guoshan (guoshan) → nobody
- Changed in keystone: assignee: nobody → Lance Bragstad (lbragstad); status: Triaged → In Progress
It looks like the list role assignments call is protected by the following rule [0]:
"rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter"
Even the admin_on_domain_filter rule requires the user to have the admin role. Can you verify the domain admin actually has the admin role specified?
[0] https://github.com/openstack/keystone/blob/856bd73826d36731c611b6479d204816cde0b2e9/etc/policy.v3cloudsample.json#L123