[Yahoo-eng-team] [Bug 1328052] [NEW] Using the v3cloudsample policy file, project admins can't administer users

2014-06-09 Thread Udi Kalifon
Public bug reported: Project admins should be allowed to create, list, edit and delete users in their domains. Here is the rule from the v3cloudsample policy file: "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s", "admin_and_matchi

[Yahoo-eng-team] [Bug 1324023] [NEW] Can't create trusts on projects, and can't consume trusts on domains

2014-05-28 Thread Udi Kalifon
Public bug reported: When trying to create a trust on a project, I always get a "forbidden" error. When creating a trust on a domain, the trust is created successfully but then I get this error when trying to use it: "Expecting to find id or name in project. The server could not comply with the r

[Yahoo-eng-team] [Bug 1315049] [NEW] 'Provider' object has no attribute 'revoke_api'

2014-05-01 Thread Udi Kalifon
Public bug reported: In token/provider.py, the following triggers an exception if revoke_api is not loaded: if self.revoke_api is not None: The fix is to set self.revoke_api to None in the init: def __init__(self): super(Manager, self).__init__(self.get_toke

[Yahoo-eng-team] [Bug 1313505] [NEW] Typo in API doc: "provers" should be "provider"

2014-04-27 Thread Udi Kalifon
Public bug reported: In federation API doc: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-federation-ext.md Make a search for the string "an identity provers". It probably was meant to be "an identity provider"... ** Affects: keys

[Yahoo-eng-team] [Bug 1298478] [NEW] Can't add roles to non-existing users

2014-03-27 Thread Udi Kalifon
Public bug reported: The following blueprint is said to be implemented but it isn't: https://blueprints.launchpad.net/keystone/+spec/no-check-id If you try to add roles to a user that doesn't exist you get a 404: { "error": { "code": 404, "message": "Could not find user, 12345

[Yahoo-eng-team] [Bug 1297890] [NEW] API documentation lists wrong URLs for group roles

2014-03-26 Thread Udi Kalifon
Public bug reported: Look in http://api.openstack.org/api-ref-identity.html It lists the APIs to manage group roles on projects: GET v3/projects/{project_id}/groups/{group_id}/roles Lists roles for a project group. PUT v3/projects/{project_id}/{role_id} Grants a role to a projec

[Yahoo-eng-team] [Bug 1297280] [NEW] Unhelpful error message when keystone uses self-signed SSL certificates

2014-03-25 Thread Udi Kalifon
Public bug reported: When keystone is configured to use SSL and its certificates are not signed by a trusted authority, all the keystone client commands return: Authorization Failed: SSL exception connecting to https://127.0.0.1:35357/v2.0/tokens It would be better to instruct the user to pass t

[Yahoo-eng-team] [Bug 1275823] [NEW] RFE: default keystone.conf file should point to correct paths for cert files

2014-02-03 Thread Udi Kalifon
Public bug reported: To enable ssl in keystone, you have to uncomment the following lines in keystone.conf: #enable = True #certfile = /etc/keystone/pki/certs/ssl_cert.pem #keyfile = /etc/keystone/pki/private/ssl_key.pem #ca_certs = /etc/keystone/pki/certs/cacert.pem #ca_key = /etc/keystone/pki/pr