[Openstack] [Keystone] List group members with policy.v3cloudsample.json

林自均 johnlinp at gmail.com
Thu Aug 4 10:09:24 UTC 2016


Hi Eugen,

I have no problem with the cloud admin, so I guess your workaround doesn't
work for me. What is disturbing me is the unexpected behavior of the domain
admin.

John

Eugen Block <eblock at nde.ag> wrote on Thu, 4 Aug 2016 at 3:34 PM:

> Hi,
>
> I had a similar issue recently [1], I had to adjust my policy file
> because for some reason "domain_id:default" was not applied, instead I
> use "user_domain_id:default" which works fine now.
>
> ---cut here---
> control1:~ # grep "\"cloud_admin\":" /etc/keystone/policy.json
>      "cloud_admin": "rule:admin_required and (domain_id:default or
> user_domain_id:default)",
> ---cut here---
>
> And I added it as an OR statement as a workaround to keep the original
> statement. Hope this helps!
>
> Regards,
> Eugen
>
> [1] http://lists.openstack.org/pipermail/openstack/2016-June/016454.html
>
>
> Quoting 林自均 <johnlinp at gmail.com>:
>
> > Hi all,
> >
> > My OpenStack version is Mitaka. I updated my /etc/keystone/policy.json to
> > policy.v3cloudsample.json
> > <https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json>.
> > Most functions work as expected.
> >
> > However, when I wanted to list members in a group as a domain admin, an
> > error occurred: “You are not authorized to perform the requested action:
> > identity:list_users_in_group (HTTP 403)”.
> >
> > The steps to reproduce are:
> >
> >    - As cloud admin:
> >       - openstack domain create taiwan
> >       - openstack user create --domain taiwan --password 5ecret
> >       taiwan-president
> >       - openstack role add --user taiwan-president --domain taiwan admin
> >    - As taiwan-president:
> >       - openstack group create --domain taiwan indigenous
> >       - openstack user create --domain taiwan margaret
> >       - openstack group add user --group-domain taiwan indigenous margaret
> >       - openstack user list --group indigenous --domain taiwan
> >
> > The last command will generate the 403 error.
> >
> > The rule for identity:list_users_in_group is rule:cloud_admin or
> > rule:admin_and_matching_target_group_domain_id. I can successfully list
> > group members if I changed it to rule:admin_required.
> >
> > Am I doing anything wrong? Or did I run into some kind of bug? Thanks for
> > the help.
> >
> > John
>
>
>
> --
> Eugen Block                             voice   : +49-40-559 51 75
> NDE Netzdesign und -entwicklung AG      fax     : +49-40-559 51 77
> Postfach 61 03 15
> D-22423 Hamburg                         e-mail  : eblock at nde.ag
>
>          Chairwoman of the Supervisory Board: Angelika Mozdzen
>            Registered office and court of registration: Hamburg, HRB 90934
>                    Management Board: Jens-U. Mozdzen
>                     VAT ID no. DE 814 013 983
>
>
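Both messages above turn on how Keystone's policy engine (oslo.policy) evaluates rule strings: Eugen's rewritten "cloud_admin" line and the "identity:list_users_in_group" rule John quotes. The following is an added illustration, not Keystone's or oslo.policy's own code: a small evaluator for the same rule mini-language, run over constructed credential and target dicts. Only the two cloud_admin strings come from the thread; "admin_required" and "admin_and_matching_target_group_domain_id" are approximations of the policy.v3cloudsample.json entries and are assumptions of this example, as is the token layout it relies on (user_domain_id always present in the credential dict, domain_id only for a domain-scoped token).

```python
"""Tiny model of oslo.policy rule evaluation (added illustration, not Keystone's
or oslo.policy's own code).  Modelled checks: "rule:<name>" expands another
policy entry; "role:<name>" tests creds["roles"]; "<key>:<literal>" compares a
credential key with a literal; "<key>:%(target.a.b)s" compares it with a target
attribute and is False when that attribute is absent.  Assumption: a token's
credential dict always has user_domain_id, but domain_id only if domain-scoped."""
import re

SUBST_RE = re.compile(r"%\((.+)\)s")


def _tokenize(text):
    """Split into words, '(' and ')' while keeping '%(...)s' substitutions intact."""
    toks = []
    for word in text.split():
        core = word.lstrip("(")
        toks.extend("(" * (len(word) - len(core)))
        body = core.rstrip(")")          # substitutions end in 's', so this is safe
        if body:
            toks.append(body)
        toks.extend(")" * (len(core) - len(body)))
    return toks


def _generic_check(token, creds, target):
    key, _, wanted = token.partition(":")
    if key == "role":                    # RoleCheck: case-insensitive membership
        return wanted.lower() in [r.lower() for r in creds.get("roles", [])]
    m = SUBST_RE.fullmatch(wanted)
    if m:                                # resolve target.a.b inside the target dict
        node = {"target": target}
        try:
            for part in m.group(1).split("."):
                node = node[part]
        except (KeyError, TypeError):
            return False                 # attribute missing from target -> False
        wanted = node
    return key in creds and str(creds[key]) == str(wanted)


def evaluate(text, rules, creds, target):
    """Recursive descent with oslo.policy precedence: 'or' < 'and' < atom."""
    toks, pos = _tokenize(text), 0
    peek = lambda: toks[pos] if pos < len(toks) else None

    def atom():
        nonlocal pos
        tok = peek()
        if tok is None:
            raise ValueError("rule ended unexpectedly")
        pos += 1
        if tok == "(":
            value = or_expr()
            if peek() != ")":
                raise ValueError("missing ')'")
            pos += 1
            return value
        if tok.startswith("rule:"):      # expand the referenced policy entry
            return evaluate(rules[tok[len("rule:"):]], rules, creds, target)
        if ":" in tok:
            return _generic_check(tok, creds, target)
        raise ValueError("cannot parse %r" % tok)

    def and_expr():
        nonlocal pos
        value = atom()
        while peek() == "and":
            pos += 1
            value = atom() and value
        return value

    def or_expr():
        nonlocal pos
        value = and_expr()
        while peek() == "or":
            pos += 1
            value = and_expr() or value
        return value

    result = or_expr()
    if pos != len(toks):
        raise ValueError("unexpected token %r" % toks[pos])
    return result


# Constructed policy fragment: the two cloud_admin variants are the ones Eugen
# quotes; the other entries approximate policy.v3cloudsample.json (assumption).
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "cloud_admin": "rule:admin_required and domain_id:default",
    "cloud_admin_workaround": "rule:admin_required and (domain_id:default or user_domain_id:default)",
    "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
    "identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
}


def check(action, creds, target=None):
    return evaluate(POLICY[action], POLICY, creds, target or {})


# Constructed credential dicts following the assumed token layout above.
CLOUD_ADMIN_PROJECT_TOKEN = {"roles": ["admin"], "user_domain_id": "default", "project_domain_id": "default"}
TAIWAN_PRESIDENT_DOMAIN_TOKEN = {"roles": ["admin"], "user_domain_id": "taiwan-id", "domain_id": "taiwan-id"}
```

With these inputs, check("cloud_admin", CLOUD_ADMIN_PROJECT_TOKEN) is False while check("cloud_admin_workaround", CLOUD_ADMIN_PROJECT_TOKEN) is True: a project-scoped token carries no domain_id, so only the user_domain_id clause can match, which is the gap Eugen's OR clause papers over. The cost is worth weighing before copying it: user_domain_id:default grants cloud_admin to any holder of the admin role whose user account lives in the default domain, whatever the token's scope, so it widens the cloud-admin set rather than tightening the scoping. For John's case, check("identity:list_users_in_group", TAIWAN_PRESIDENT_DOMAIN_TOKEN, {"group": {"domain_id": "taiwan-id"}}) is True, but the same call with an empty target is False: the matching-target rule can only pass when the enforcer is handed target.group.domain_id, and a missing target attribute makes the generic check evaluate to False, which Keystone reports as a 403.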