[keystone] cannot use 'openstack trust list' without admin role

Francois Scheurer francois.scheurer at everyware.ch
Fri Sep 6 15:59:29 UTC 2019


Dear Keystone Experts,

I have an issue with the openstack client in stage (using Rocky), using a user 'fsc' without the 'admin' role and with password auth.

'openstack trust create/show' works.

'openstack trust list' is denied.

But keystone policy.json says:

     "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
     "identity:list_trusts": "",
     "identity:list_roles_for_trust": "",
     "identity:get_role_for_trust": "",
     "identity:delete_trust": "",
     "identity:get_trust": "",

So 'openstack trust list' is always allowed.

In the keystone log (I replaced the uids by names in the output below) I see that 'identity:list_trusts()' was actually granted,
but just after that admin_required() is getting checked and fails... I wonder why...

There is also a flag is_admin_project=True in the rbac creds for some reason...

Any clue? Many thanks in advance!


Cheers
Francois


#openstack --os-cloud stage-fsc trust create --project fscproject --role creator fsc fsc
#=> fails because of the names and policy rules, but using uids it works
openstack --os-cloud stage-fsc trust create --project aeac4b07d8b144178c43c65f29fa9dac --role 085180eeaf354426b01908cca8e82792 3e9b1a4fe95048a3b98fb5abebd44f6c 3e9b1a4fe95048a3b98fb5abebd44f6c
+--------------------+----------------------------------+
| Field              | Value                            |
+--------------------+----------------------------------+
| deleted_at         | None                             |
| expires_at         | None                             |
| id                 | e74bcdf125e049c69c2e0ab1b182df5b |
| impersonation      | False                            |
| project_id         | fscproject                       |
| redelegation_count | 0                                |
| remaining_uses     | None                             |
| roles              | creator                          |
| trustee_user_id    | fsc                              |
| trustor_user_id    | fsc                              |
+--------------------+----------------------------------+

openstack --os-cloud stage-fsc trust show e74bcdf125e049c69c2e0ab1b182df5b
+--------------------+----------------------------------+
| Field              | Value                            |
+--------------------+----------------------------------+
| deleted_at         | None                             |
| expires_at         | None                             |
| id                 | e74bcdf125e049c69c2e0ab1b182df5b |
| impersonation      | False                            |
| project_id         | fscproject                       |
| redelegation_count | 0                                |
| remaining_uses     | None                             |
| roles              | creator                          |
| trustee_user_id    | fsc                              |
| trustor_user_id    | fsc                              |
+--------------------+----------------------------------+

#this fails:
openstack --os-cloud stage-fsc trust list
You are not authorized to perform the requested action: admin_required. (HTTP 403)
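The post quotes six policy.json rules and a keystone log in which the 'identity:list_trusts' rule passes and a separate admin_required check then fails. The script below is an added example, not code from the post, from Keystone or from oslo.policy: it is a deliberately small re-implementation of the parts of the oslo.policy rule grammar that the quoted rules use (empty rule, `role:` checks, `key:%(target.attr)s` generic checks, `rule:` references, `or`/`and`, and the `@`/`!` literals), and it evaluates the quoted rules against a constructed credential set for a non-admin user. The `admin_required` rule is the default definition shipped in Keystone's policy.json, `role:admin or is_admin:1`; it is not quoted in the post, so its inclusion here is an assumption. The user, project and role IDs are the ones visible in the post's CLI output. Parentheses and `not` are not handled.

```python
"""Minimal evaluator for the oslo.policy-style rule strings quoted in the post.
Constructed example: this is not Keystone or oslo.policy code, and the
'admin_required' rule below is the Keystone default, assumed here because the
post does not quote it."""

import re

# IDs as they appear in the post's CLI output.
FSC_ID = "3e9b1a4fe95048a3b98fb5abebd44f6c"
PROJECT_ID = "aeac4b07d8b144178c43c65f29fa9dac"

POLICY = {
    # Default Keystone rule (assumption: not quoted in the post).
    "admin_required": "role:admin or is_admin:1",
    # Rules quoted in the post.
    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
    "identity:list_trusts": "",
    "identity:list_roles_for_trust": "",
    "identity:get_role_for_trust": "",
    "identity:delete_trust": "",
    "identity:get_trust": "",
}


def _lookup(target, dotted):
    """Resolve a dotted path such as 'trust.trustor_user_id' in the target dict."""
    cur = target
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _check(atom, rules, creds, target):
    """Evaluate one 'kind:value' atom against the credentials and target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return enforce(rules.get(value, "!"), rules, creds, target)
    if kind == "role":                      # role present in the token's roles
        return value in creds.get("roles", [])
    # Generic check: creds[kind] must equal value, where %(path)s is taken
    # from the target (the object being acted on), as oslo.policy does.
    m = re.fullmatch(r"%\((.+)\)s", value)
    expected = _lookup(target, m.group(1)) if m else value
    actual = creds.get(kind)
    if expected is None or actual is None:
        return False
    return str(actual) == str(expected)


def enforce(rule_text, rules, creds, target):
    """Evaluate a rule string: '' and '@' always allow, '!' always denies,
    otherwise a disjunction of conjunctions of atoms."""
    text = rule_text.strip()
    if text in ("", "@"):
        return True
    if text == "!":
        return False
    for disjunct in re.split(r"\s+or\s+", text):
        atoms = re.split(r"\s+and\s+", disjunct)
        if all(_check(a.strip(), rules, creds, target) for a in atoms):
            return True
    return False


def allowed(action, creds, target=None):
    """Apply the POLICY rule for an action name."""
    return enforce(POLICY[action], POLICY, creds, target or {})


def demo():
    """Constructed credentials for the non-admin user from the post."""
    fsc = {"user_id": FSC_ID, "roles": ["creator"], "project_id": PROJECT_ID}
    trust_by_id = {"trust": {"trustor_user_id": FSC_ID}}
    trust_by_name = {"trust": {"trustor_user_id": "fsc"}}  # name instead of uid
    return {
        # uid in the request body matches the caller's user_id
        "create_by_id": allowed("identity:create_trust", fsc, trust_by_id),
        # a user name does not equal the caller's user_id, so the rule denies
        "create_by_name": allowed("identity:create_trust", fsc, trust_by_name),
        # empty rule: always allowed, whatever the roles are
        "list_trusts": allowed("identity:list_trusts", fsc),
        # separate rule: a user with only 'creator' does not satisfy it
        "admin_required": allowed("admin_required", fsc),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run stand-alone, the script shows the two outcomes the post describes side by side: the empty 'identity:list_trusts' rule allows the 'creator' user, while an admin_required rule evaluated against the same credentials denies, so a 403 mentioning admin_required cannot come from the quoted 'identity:list_trusts' rule itself. It also reproduces the note on the trust create command: comparing a user name against the caller's user_id fails where the uid succeeds.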