[Openstack] [Keystone] List group members with policy.v3cloudsample.json

Eugen Block eblock at nde.ag
Thu Aug 4 13:19:57 UTC 2016


I just tried to reproduce that with a test domain, but I didn't get  
any errors. Did you make sure that your environment script uses the  
right credentials for (user)domain scope? I had my share with them a  
couple of times...


Quoting 林自均 <johnlinp at gmail.com>:

> Hi Eugen,
>
> I have no problem with the cloud admin, so I guess your workaround doesn't
> work for me. What is disturbing me is the unexpected behavior of the domain
> admin.
>
> John
>
> Eugen Block <eblock at nde.ag> wrote on Thu, 4 Aug 2016 at 3:34 PM:
>
>> Hi,
>>
>> I had a similar issue recently [1], I had to adjust my policy file
>> because for some reason "domain_id:default" was not applied, instead I
>> use "user_domain_id:default" which works fine now.
>>
>> ---cut here---
>> control1:~ # grep "\"cloud_admin\":" /etc/keystone/policy.json
>>      "cloud_admin": "rule:admin_required and (domain_id:default or
>> user_domain_id:default)",
>> ---cut here---
>>
>> And I added it as an OR statement as a workaround to keep the original
>> statement. Hope this helps!
>>
>> Regards,
>> Eugen
>>
>> [1] http://lists.openstack.org/pipermail/openstack/2016-June/016454.html
>>
>>
>> Quoting 林自均 <johnlinp at gmail.com>:
>>
>> > Hi all,
>> >
>> > My OpenStack version is Mitaka. I updated my /etc/keystone/policy.json to
>> > policy.v3cloudsample.json
>> > <https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json>.
>> > Most functions work as expected.
>> >
>> > However, when I wanted to list members in a group as a domain admin, an
>> > error occurred: “You are not authorized to perform the requested action:
>> > identity:list_users_in_group (HTTP 403)”.
>> >
>> > The steps to reproduce are:
>> >
>> >    - As cloud admin:
>> >       - openstack domain create taiwan
>> >       - openstack user create --domain taiwan --password 5ecret taiwan-president
>> >       - openstack role add --user taiwan-president --domain taiwan admin
>> >    - As taiwan-president:
>> >       - openstack group create --domain taiwan indigenous
>> >       - openstack user create --domain taiwan margaret
>> >       - openstack group add user --group-domain taiwan indigenous margaret
>> >       - openstack user list --group indigenous --domain taiwan
>> >
>> > The last command will generate the 403 error.
>> >
>> > The rule for identity:list_users_in_group is rule:cloud_admin or
>> > rule:admin_and_matching_target_group_domain_id. I can successfully list
>> > group members if I change it to rule:admin_required.
>> >
>> > Am I doing anything wrong? Or did I run into some kind of bug? Thanks for
>> > the help.
>> >
>> > John
>>
>>
>>
>> --
>> Eugen Block                             voice   : +49-40-559 51 75
>> NDE Netzdesign und -entwicklung AG      fax     : +49-40-559 51 77
>> Postfach 61 03 15
>> D-22423 Hamburg                         e-mail  : eblock at nde.ag
>>
>>          Vorsitzende des Aufsichtsrates: Angelika Mozdzen
>>            Sitz und Registergericht: Hamburg, HRB 90934
>>                    Vorstand: Jens-U. Mozdzen
>>                     USt-IdNr. DE 814 013 983
>>
>>



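The thread turns on how Keystone evaluates policy rules such as `rule:admin_required and (domain_id:default or user_domain_id:default)` and `rule:cloud_admin or rule:admin_and_matching_target_group_domain_id` against the calling token. The following is an added example, not code from Keystone or oslo.policy: a small parser and evaluator for that rule grammar (it handles `rule:`, `role:`, literal and `%(target...)s` checks, `and`, `or` and parentheses in general, not only the rules quoted above), run against constructed credential dicts. The policy fragment is modelled on the rules mentioned in the thread, and the contents of the credential dicts (a project-scoped token carrying `user_domain_id` but no `domain_id`, a domain-scoped token carrying both) are an assumption about token scoping used to illustrate why a `domain_id:default` check can fail while `user_domain_id:default` passes. The last scenario shows that a rule depending on `target.group.domain_id` yields a 403 whenever the target is not resolved, which is one thing worth ruling out before changing policy.json.

```python
"""Toy evaluator for oslo.policy-style rule strings (an added example, not
Keystone or oslo.policy code).  It shows how rules like those in the thread
are checked against a token's credentials and the request target."""
import re

# Constructed policy fragment modelled on the rules discussed in the thread.
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:default",
    "cloud_admin_workaround": "rule:admin_required and (domain_id:default or user_domain_id:default)",
    "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
    "identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
}

# Tokens: parentheses, keywords, or kind:value atoms (value may be %(path)s).
_TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_][\w.]*:(?:%\([\w.]+\)s|[^\s()]+)")


def parse(rule):
    """Recursive-descent parse of a rule into nested tuples; 'and' binds tighter than 'or'."""
    toks, pos = _TOKEN_RE.findall(rule), [0]

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take():
        pos[0] += 1
        return toks[pos[0] - 1]

    def p_or():
        node = p_and()
        while peek() == "or":
            take()
            node = ("or", node, p_and())
        return node

    def p_and():
        node = p_term()
        while peek() == "and":
            take()
            node = ("and", node, p_term())
        return node

    def p_term():
        if peek() == "(":
            take()
            node = p_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % rule)
            return node
        kind, _, value = take().partition(":")
        return ("check", kind, value)

    return p_or()


def evaluate(node, creds, target, policy=POLICY):
    """Evaluate a parsed rule against credential and target dicts."""
    op = node[0]
    if op == "or":
        return evaluate(node[1], creds, target, policy) or evaluate(node[2], creds, target, policy)
    if op == "and":
        return evaluate(node[1], creds, target, policy) and evaluate(node[2], creds, target, policy)
    _, kind, value = node
    if kind == "rule":                      # reference to another named rule
        return enforce(value, creds, target, policy)
    if kind == "role":                      # role carried by the token
        return value in creds.get("roles", ())
    if value.startswith("%(") and value.endswith(")s"):
        cur = {"target": target}            # resolve e.g. target.group.domain_id
        for part in value[2:-2].split("."):
            cur = cur.get(part) if isinstance(cur, dict) else None
        value = cur
    # A missing credential key or an unresolved target value never matches.
    return value is not None and creds.get(kind) == value


def enforce(rule_name, creds, target, policy=POLICY):
    """True if the named rule admits the caller (creds) for the given target."""
    return bool(evaluate(parse(policy[rule_name]), creds, target, policy))


# Constructed credentials.  Assumption about scoping: a project-scoped token
# carries user_domain_id but no domain_id; a domain-scoped token carries both.
CLOUD_ADMIN_PROJECT_TOKEN = {"roles": ["admin"], "user_domain_id": "default"}
TAIWAN_ADMIN_DOMAIN_TOKEN = {"roles": ["admin"], "user_domain_id": "taiwan", "domain_id": "taiwan"}


def demo():
    """Map each scenario from the thread to whether the rule admits it."""
    group = {"group": {"domain_id": "taiwan"}}  # target as Keystone would fill it in
    return {
        "cloud admin, project token, original cloud_admin": enforce("cloud_admin", CLOUD_ADMIN_PROJECT_TOKEN, {}),
        "cloud admin, project token, OR workaround": enforce("cloud_admin_workaround", CLOUD_ADMIN_PROJECT_TOKEN, {}),
        "taiwan admin, group target present": enforce("identity:list_users_in_group", TAIWAN_ADMIN_DOMAIN_TOKEN, group),
        "taiwan admin, group target missing": enforce("identity:list_users_in_group", TAIWAN_ADMIN_DOMAIN_TOKEN, {}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-52s %s" % (name, "allowed" if ok else "HTTP 403"))
```

Running the module prints one line per scenario. The two cloud-admin lines show the effect of Eugen's OR workaround for a token that lacks `domain_id`; the two domain-admin lines show that the `admin_and_matching_target_group_domain_id` branch can only pass when the target's group domain is actually present at evaluation time, so comparing what the policy expects against what the token and target carry is the first check to make when a domain-scoped admin gets an unexpected 403.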