[Openstack] [Keystone] List group members with policy.v3cloudsample.json

林自均 johnlinp at gmail.com
Mon Aug 8 08:33:31 UTC 2016


Hi all,

I found this issue was fixed by
https://bugs.launchpad.net/keystone/+bug/1433402. Thanks.

John

Eugen Block <eblock at nde.ag> wrote on Thu, Aug 4, 2016 at 9:20 PM:

> I just tried to reproduce that with a test domain, but I didn't get
> any errors. Did you make sure that your environment script uses the
> right credentials for (user)domain scope? I had my share with them a
> couple of times...
>
>
> Quoting 林自均 <johnlinp at gmail.com>:
>
> > Hi Eugen,
> >
> > I have no problem with the cloud admin, so I guess your workaround
> > doesn't work for me. What's disturbing me is the unexpected behavior of the
> > domain admin.
> >
> > John
> >
> > Eugen Block <eblock at nde.ag> wrote on Thu, Aug 4, 2016 at 3:34 PM:
> >
> >> Hi,
> >>
> >> I had a similar issue recently [1], I had to adjust my policy file
> >> because for some reason "domain_id:default" was not applied, instead I
> >> use "user_domain_id:default" which works fine now.
> >>
> >> ---cut here---
> >> control1:~ # grep "\"cloud_admin\":" /etc/keystone/policy.json
> >>      "cloud_admin": "rule:admin_required and (domain_id:default or user_domain_id:default)",
> >> ---cut here---
> >>
> >> And I added it as an OR statement as a workaround to keep the original
> >> statement. Hope this helps!
> >>
> >> Regards,
> >> Eugen
> >>
> >> [1]
> http://lists.openstack.org/pipermail/openstack/2016-June/016454.html
> >>
> >>
> >> Quoting 林自均 <johnlinp at gmail.com>:
> >>
> >> > Hi all,
> >> >
> >> > My OpenStack version is Mitaka. I updated my /etc/keystone/policy.json to
> >> > policy.v3cloudsample.json
> >> > <https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json>.
> >> > Most functions work as expected.
> >> >
> >> > However, when I wanted to list members in a group as a domain admin, an
> >> > error occurred: “You are not authorized to perform the requested action:
> >> > identity:list_users_in_group (HTTP 403)”.
> >> >
> >> > The steps to reproduce are:
> >> >
> >> >    - As cloud admin:
> >> >       - openstack domain create taiwan
> >> >       - openstack user create --domain taiwan --password 5ecret taiwan-president
> >> >       - openstack role add --user taiwan-president --domain taiwan admin
> >> >    - As taiwan-president:
> >> >       - openstack group create --domain taiwan indigenous
> >> >       - openstack user create --domain taiwan margaret
> >> >       - openstack group add user --group-domain taiwan indigenous margaret
> >> >       - openstack user list --group indigenous --domain taiwan
> >> >
> >> > The last command will generate the 403 error.
> >> >
> >> > The rule for identity:list_users_in_group is rule:cloud_admin or
> >> > rule:admin_and_matching_target_group_domain_id. I can successfully list
> >> > group members if I change it to rule:admin_required.
> >> >
> >> > Am I doing anything wrong? Or did I run into some kind of bug? Thanks for
> >> > the help.
> >> >
> >> > John
> >>
> >>
> >>
> >> --
> >> Eugen Block                             voice   : +49-40-559 51 75
> >> NDE Netzdesign und -entwicklung AG      fax     : +49-40-559 51 77
> >> Postfach 61 03 15
> >> D-22423 Hamburg                         e-mail  : eblock at nde.ag
> >>
> >>          Chairwoman of the Supervisory Board: Angelika Mozdzen
> >>            Registered office and court of registration: Hamburg, HRB 90934
> >>                    Executive Board: Jens-U. Mozdzen
> >>                     VAT ID no. DE 814 013 983
>
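As an added illustration (not code from the thread, nor from Keystone or oslo.policy), the small rule evaluator below mimics how a policy.json enforcer decides the rules discussed above: it evaluates `cloud_admin` before and after Eugen's `user_domain_id:default` addition, and `identity:list_users_in_group` for a domain admin with and without the target group's domain_id available to the check. The reconstructed original `cloud_admin` rule, the text of the `admin_and_matching_target_group_domain_id` rule and the flat `target.group.domain_id` key are assumptions; the real enforcer's parser and target loading are not reproduced.

```python
import re
# Constructed policy.json subset: admin_required and both cloud_admin variants
# follow the thread; the group rule is assumed from policy.v3cloudsample.json.
RULES = {
    "admin_required": "role:admin or is_admin:1",
    "cloud_admin_original": "rule:admin_required and domain_id:default",
    "cloud_admin": "rule:admin_required and (domain_id:default or user_domain_id:default)",
    "admin_and_matching_target_group_domain_id":
        "rule:admin_required and domain_id:%(target.group.domain_id)s",
    "identity:list_users_in_group":
        "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
}
# Tokens: parentheses, and/or, or an atom; a %(...)s substitution stays in one atom.
TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|(?:%\([^)]*\)s|[^\s()])+")

def check(atom, creds, target):  # one atom vs. token credentials and a flat target
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    m = re.fullmatch(r"%\((.+)\)s", value)
    if m:  # credential attribute must equal a target attribute that actually exists
        return m.group(1) in target and creds.get(kind) == target[m.group(1)]
    return str(creds.get(kind, "")).lower() == value.lower()

def parse_or(tokens, pos, creds, target):
    val, pos = parse_and(tokens, pos, creds, target)
    while pos < len(tokens) and tokens[pos] == "or":
        rhs, pos = parse_and(tokens, pos + 1, creds, target)
        val = val or rhs
    return val, pos

def parse_and(tokens, pos, creds, target):  # 'and' binds tighter than 'or'
    val, pos = parse_atom(tokens, pos, creds, target)
    while pos < len(tokens) and tokens[pos] == "and":
        rhs, pos = parse_atom(tokens, pos + 1, creds, target)
        val = val and rhs
    return val, pos

def parse_atom(tokens, pos, creds, target):
    if tokens[pos] == "(":
        val, pos = parse_or(tokens, pos + 1, creds, target)
        return val, pos + 1  # skip the closing ')'
    return check(tokens[pos], creds, target), pos + 1

def enforce(rule, creds, target=None):
    """True if the named rule grants access; Keystone answers HTTP 403 otherwise."""
    val, _ = parse_or(TOKEN.findall(RULES[rule]), 0, creds, target or {})
    return val
```

Call `enforce("identity:list_users_in_group", creds, target)` with a credentials dict (`roles`, `domain_id`, `user_domain_id`) and a target dict keyed by `target.group.domain_id`; a project-scoped token in Keystone carries `user_domain_id` but no `domain_id`, which is why a `domain_id:default` check alone does not match it.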