I just tried to reproduce that with a test domain, but I didn't get any errors. Did you make sure that your environment script uses the right credentials for (user)domain scope? I had my share with them a couple of times...

Quote from 林自均 <johnl...@gmail.com>:

Hi Eugen,

I have no problem with the cloud admin, so I guess your workaround doesn't
work for me. What's disturbing me is the unexpected behavior of the domain
admin.

John

Eugen Block <ebl...@nde.ag> wrote on Thu, 4 Aug 2016 at 15:34:

Hi,

I had a similar issue recently [1], I had to adjust my policy file
because for some reason "domain_id:default" was not applied, instead I
use "user_domain_id:default" which works fine now.

---cut here---
control1:~ # grep "\"cloud_admin\":" /etc/keystone/policy.json
     "cloud_admin": "rule:admin_required and (domain_id:default or user_domain_id:default)",
---cut here---

And I added it as an OR statement as a workaround to keep the original
statement. Hope this helps!

Regards,
Eugen

[1] http://lists.openstack.org/pipermail/openstack/2016-June/016454.html


Quote from 林自均 <johnl...@gmail.com>:

> Hi all,
>
> My OpenStack version is Mitaka. I updated my /etc/keystone/policy.json to
> policy.v3cloudsample.json
> <https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json>.
> Most functions work as expected.
>
> However, when I wanted to list members in a group as a domain admin, an
> error occurred: “You are not authorized to perform the requested action:
> identity:list_users_in_group (HTTP 403)”.
>
> The steps to reproduce are:
>
>    - As cloud admin:
>       - openstack domain create taiwan
>       - openstack user create --domain taiwan --password 5ecret
>       taiwan-president
>       - openstack role add --user taiwan-president --domain taiwan admin
>    - As taiwan-president:
>       - openstack group create --domain taiwan indigenous
>       - openstack user create --domain taiwan margaret
>       - openstack group add user --group-domain taiwan indigenous margaret
>       - openstack user list --group indigenous --domain taiwan
>
> The last command will generate the 403 error.
>
> The rule for identity:list_users_in_group is rule:cloud_admin or
> rule:admin_and_matching_target_group_domain_id. I can successfully list
> group members if I changed it to rule:admin_required.
>
> Am I doing anything wrong? Or did I run into some kind of bug? Thanks for
> the help.
>
> John



--
Eugen Block                             voice   : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG      fax     : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg                         e-mail  : ebl...@nde.ag

         Vorsitzende des Aufsichtsrates: Angelika Mozdzen
           Sitz und Registergericht: Hamburg, HRB 90934
                   Vorstand: Jens-U. Mozdzen
                    USt-IdNr. DE 814 013 983


_______________________________________________
Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


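To see why the scope of the token decides the outcome of both rules discussed in this thread, here is an added example (not code from the thread, from Keystone or from oslo.policy): a minimal evaluator for the rule syntax used in policy.json, run against the two rules quoted above. The admin_required and admin_and_matching_target_group_domain_id rules are reproduced from memory of policy.v3cloudsample.json and are an assumption, as are the constructed token credentials and the target group's domain id.

```python
import re
# Assumed policy: the two rules quoted in the thread plus the sample-file rules they reference (assumption).
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "cloud_admin": "rule:admin_required and (domain_id:default or user_domain_id:default)",
    "admin_and_matching_target_group_domain_id":
        "rule:admin_required and domain_id:%(target.group.domain_id)s",
    "identity:list_users_in_group":
        "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
}
# Constructed token credentials: the same domain admin, domain-scoped vs project-scoped.
DOMAIN_SCOPED = {"roles": ["admin"], "user_domain_id": "taiwan-id", "domain_id": "taiwan-id"}
PROJECT_SCOPED = {"roles": ["admin"], "user_domain_id": "taiwan-id", "project_id": "p1"}
TARGET = {"target.group.domain_id": "taiwan-id"}   # constructed: the group lives in domain taiwan
_TOKEN = re.compile(r"[\w.]+:%\([\w.]+\)s|\(|\)|[^\s()]+")  # checks, parens, keywords

def _check(tok, creds, target, policy):
    kind, _, value = tok.partition(":")
    if kind == "rule":
        return enforce(value, creds, target, policy)
    if kind == "role":
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):
        value = target.get(value[2:-2])           # substitute a target attribute
    # GenericCheck: the key must exist in the credentials AND match; a project-scoped token has no domain_id
    return kind in creds and str(creds[kind]) == str(value)

def _parse_or(tokens, creds, target, policy):
    result = _parse_and(tokens, creds, target, policy)
    while tokens and tokens[0] == "or":
        tokens.pop(0)
        result = _parse_and(tokens, creds, target, policy) or result
    return result

def _parse_and(tokens, creds, target, policy):
    result = _parse_atom(tokens, creds, target, policy)
    while tokens and tokens[0] == "and":
        tokens.pop(0)
        result = _parse_atom(tokens, creds, target, policy) and result
    return result

def _parse_atom(tokens, creds, target, policy):
    tok = tokens.pop(0)
    if tok != "(":
        return _check(tok, creds, target, policy)
    result = _parse_or(tokens, creds, target, policy)
    tokens.pop(0)                                  # consume the closing ')'
    return result

def enforce(rule, creds, target=None, policy=POLICY):  # True if policy[rule] grants access
    return _parse_or(_TOKEN.findall(policy[rule]), creds, target or {}, policy)
```

With a domain-scoped token the domain admin passes admin_and_matching_target_group_domain_id; with a project-scoped token the same user gets the 403 from the thread, and a cloud admin with a project-scoped token only passes cloud_admin thanks to the user_domain_id:default alternative.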