Hi,
I had a similar issue recently [1]. I had to adjust my policy file
because for some reason "domain_id:default" was not applied; instead I
use "user_domain_id:default", which works fine now.
---cut here---
control1:~ # grep "\"cloud_admin\":" /etc/keystone/policy.json
"cloud_admin": "rule:admin_required and (domain_id:default or user_domain_id:default)",
---cut here---
And I added it as an OR statement as a workaround to keep the original
statement. Hope this helps!
Regards,
Eugen
[1] http://lists.openstack.org/pipermail/openstack/2016-June/016454.html
Quoting 林自均 <johnl...@gmail.com>:
Hi all,
My OpenStack version is Mitaka. I updated my /etc/keystone/policy.json to
policy.v3cloudsample.json
<https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json>.
Most functions work as expected.
However, when I wanted to list members in a group as a domain admin, an
error occurred: “You are not authorized to perform the requested action:
identity:list_users_in_group (HTTP 403)”.
The steps to reproduce are:
- As cloud admin:
  - openstack domain create taiwan
  - openstack user create --domain taiwan --password 5ecret taiwan-president
  - openstack role add --user taiwan-president --domain taiwan admin
- As taiwan-president:
  - openstack group create --domain taiwan indigenous
  - openstack user create --domain taiwan margaret
  - openstack group add user --group-domain taiwan indigenous margaret
  - openstack user list --group indigenous --domain taiwan
The last command will generate the 403 error.
The rule for identity:list_users_in_group is rule:cloud_admin or
rule:admin_and_matching_target_group_domain_id. I can successfully list
group members if I changed it to rule:admin_required.
Am I doing anything wrong? Or did I run into some kind of bug? Thanks for
the help.
John
--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : ebl...@nde.ag
Chairwoman of the Supervisory Board: Angelika Mozdzen
Registered office and court of registration: Hamburg, HRB 90934
Executive Board: Jens-U. Mozdzen
VAT ID No. DE 814 013 983
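Added example, not part of either message and not Keystone or oslo.policy code: a simplified evaluator for the rule syntax quoted above, comparing which credential sets satisfy "cloud_admin" before and after the OR workaround. The "admin_required" definition, the "original" rule form, the credential dictionaries and the domain id "d2" are assumptions constructed for illustration.

```python
import re

# "workaround" is the rule quoted in the thread; "original" is the form it implies
# existed before; "admin_required" is an assumed definition.
RULES = {
    "admin_required": "role:admin",
    "original": "rule:admin_required and domain_id:default",
    "workaround": "rule:admin_required and (domain_id:default or user_domain_id:default)",
}
# Constructed credentials. Assumption: "domain_id" is present only on
# domain-scoped tokens, while "user_domain_id" is the domain that owns the user.
CREDS = {
    "default admin, project scope": {"roles": ["admin"], "user_domain_id": "default", "project_id": "p1"},
    "default admin, default-domain scope": {"roles": ["admin"], "user_domain_id": "default", "domain_id": "default"},
    "default user, admin on other domain": {"roles": ["admin"], "user_domain_id": "default", "domain_id": "d2"},
    "other-domain admin": {"roles": ["admin"], "user_domain_id": "d2", "domain_id": "d2"},
    "default member, project scope": {"roles": ["member"], "user_domain_id": "default", "project_id": "p1"},
}

def check(atom, creds):
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return evaluate(RULES[match], creds)
    if kind == "role":
        return match in creds.get("roles", [])
    return creds.get(kind) == match  # an absent key never matches

def evaluate(expr, creds):
    tokens = re.findall(r"[()]|[^\s()]+", expr)
    pos = 0
    def term():  # a single check or a parenthesised expression
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok != "(":
            return check(tok, creds)
        value = expression()
        pos += 1  # consume ")"
        return value
    def chain(operand, word, combine):
        nonlocal pos
        value = operand()
        while pos < len(tokens) and tokens[pos] == word:
            pos += 1
            value = combine(value, operand())
        return value
    def conj(): return chain(term, "and", lambda a, b: a and b)
    def expression(): return chain(conj, "or", lambda a, b: a or b)
    return expression()

def compare():
    return {n: (evaluate(RULES["original"], c), evaluate(RULES["workaround"], c)) for n, c in CREDS.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:38} original={before!s:5} workaround={after}")
```

Under these assumptions the row to review is "default user, admin on other domain": with the workaround, an admin role held on any scope satisfies cloud_admin as long as the account lives in the default domain.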