Hi all,

I found this issue was fixed by https://bugs.launchpad.net/keystone/+bug/1433402. Thanks.

John

Eugen Block <ebl...@nde.ag> wrote on Thursday, August 4, 2016 at 9:20 PM:

> I just tried to reproduce that with a test domain, but I didn't get
> any errors. Did you make sure that your environment script uses the
> right credentials for (user)domain scope? I had my share with them a
> couple of times...
>
>
> Quoting 林自均 <johnl...@gmail.com>:
>
> > Hi Eugen,
> >
> > I have no problem with the cloud admin, so I guess your workaround doesn't
> > work for me. What is disturbing me is the unexpected behavior of the domain
> > admin.
> >
> > John
> >
> > Eugen Block <ebl...@nde.ag> wrote on Thursday, August 4, 2016 at 3:34 PM:
> >
> >> Hi,
> >>
> >> I had a similar issue recently [1], I had to adjust my policy file
> >> because for some reason "domain_id:default" was not applied, instead I
> >> use "user_domain_id:default" which works fine now.
> >>
> >> ---cut here---
> >> control1:~ # grep "\"cloud_admin\":" /etc/keystone/policy.json
> >>      "cloud_admin": "rule:admin_required and (domain_id:default or user_domain_id:default)",
> >> ---cut here---
> >>
> >> And I added it as an OR statement as a workaround to keep the original
> >> statement. Hope this helps!
> >>
> >> Regards,
> >> Eugen
> >>
> >> [1] http://lists.openstack.org/pipermail/openstack/2016-June/016454.html
> >>
> >>
> >> Quoting 林自均 <johnl...@gmail.com>:
> >>
> >> > Hi all,
> >> >
> >> > My OpenStack version is Mitaka. I updated my /etc/keystone/policy.json to
> >> > policy.v3cloudsample.json
> >> > <https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json>.
> >> > Most functions work as expected.
> >> >
> >> > However, when I wanted to list members in a group as a domain admin, an
> >> > error occurred: “You are not authorized to perform the requested action:
> >> > identity:list_users_in_group (HTTP 403)”.
> >> >
> >> > The steps to reproduce are:
> >> >
> >> >    - As cloud admin:
> >> >       - openstack domain create taiwan
> >> >       - openstack user create --domain taiwan --password 5ecret taiwan-president
> >> >       - openstack role add --user taiwan-president --domain taiwan admin
> >> >    - As taiwan-president:
> >> >       - openstack group create --domain taiwan indigenous
> >> >       - openstack user create --domain taiwan margaret
> >> >       - openstack group add user --group-domain taiwan indigenous margaret
> >> >       - openstack user list --group indigenous --domain taiwan
> >> >
> >> > The last command will generate the 403 error.
> >> >
> >> > The rule for identity:list_users_in_group is rule:cloud_admin or
> >> > rule:admin_and_matching_target_group_domain_id. I can successfully list
> >> > group members if I changed it to rule:admin_required.
> >> >
> >> > Am I doing anything wrong? Or did I run into some kind of bug? Thanks for
> >> > the help.
> >> >
> >> > John
> >> >
> >>
> >>
> >>
> >> --
> >> Eugen Block                             voice   : +49-40-559 51 75
> >> NDE Netzdesign und -entwicklung AG      fax     : +49-40-559 51 77
> >> Postfach 61 03 15
> >> D-22423 Hamburg                         e-mail  : ebl...@nde.ag
> >>
> >>          Chairwoman of the Supervisory Board: Angelika Mozdzen
> >>            Registered office and court of registration: Hamburg, HRB 90934
> >>                    Executive Board: Jens-U. Mozdzen
> >>                     VAT ID: DE 814 013 983
> >>
> >>
> >> _______________________________________________
> >> Mailing list:
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> >> Post to     : openstack@lists.openstack.org
> >> Unsubscribe :
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> >>
> >
>
>
> --
> Eugen Block                             voice   : +49-40-559 51 75
> NDE Netzdesign und -entwicklung AG      fax     : +49-40-559 51 77
> Postfach 61 03 15
> D-22423 Hamburg                         e-mail  : ebl...@nde.ag
>
>          Chairwoman of the Supervisory Board: Angelika Mozdzen
>            Registered office and court of registration: Hamburg, HRB 90934
>                    Executive Board: Jens-U. Mozdzen
>                     VAT ID: DE 814 013 983
>
>
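Added example, not part of the thread and not keystone's own code: a minimal evaluator for the rule strings quoted above, showing how the result for `identity:list_users_in_group` depends on the token's scope and on whether the target carries `target.group.domain_id`. The `admin_required` and `admin_and_matching_target_group_domain_id` definitions and the sample credentials are assumptions modelled on keystone's sample policy, and the evaluator is a simplified stand-in for oslo.policy.

```python
import re

# cloud_admin and identity:list_users_in_group are quoted from the thread; the other two are assumed.
RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and (domain_id:default or user_domain_id:default)",
    "admin_and_matching_target_group_domain_id":
        "rule:admin_required and domain_id:%(target.group.domain_id)s",
    "identity:list_users_in_group":
        "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
}
TOKEN = re.compile(r"[\w.]+:(?:%\([\w.]+\)s|[\w.]+)|\(|\)|and|or")

def check(atom, creds, target):
    kind, match = atom.split(":", 1)
    if kind == "rule":
        return enforce(match, creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        match = match % target   # fills %(target.group.domain_id)s
    except KeyError:
        return False             # attribute absent from target: check fails
    return kind in creds and str(creds[kind]) == match

def enforce(rule, creds, target):
    """Recursive descent over: or_expr -> and_expr ('or' and_expr)*."""
    toks = TOKEN.findall(RULES[rule])
    def atom():
        tok = toks.pop(0)
        if tok != "(":
            return check(tok, creds, target)
        val = or_expr()
        toks.pop(0)              # consume ')'
        return val
    def and_expr():
        val = atom()
        while toks and toks[0] == "and":
            toks.pop(0)
            val = atom() and val
        return val
    def or_expr():
        val = and_expr()
        while toks and toks[0] == "or":
            toks.pop(0)
            val = and_expr() or val
        return val
    return or_expr()

# Constructed sample: domain-scoped admin token ("taiwan" stands in for the domain ID).
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "taiwan", "user_domain_id": "taiwan"}
```

Calling `enforce("identity:list_users_in_group", DOMAIN_ADMIN, {"target.group.domain_id": "taiwan"})` returns `True`; with an empty target, or with credentials that lack `domain_id` (a project-scoped token), it returns `False`.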