Public bug reported:

When creating a v3 keystoneclient using non-admin credentials I'm able
to get the list of service providers from the service catalog, but the
policy doesn't allow listing or getting service providers by default.

>>> ksclient2.service_catalog.catalog[u'service_providers']
[{u'sp_url': u'http://xxx.xxx.xxx.xxx:5000/Shibboleth.sso/SAML2/ECP',
  u'auth_url': u'http://xxx.xxx.xxx.xxx:35357/v3/OS-FEDERATION/identity_providers/keystone-idp/protocols/saml2/auth',
  u'id': u'keystone-sp'}]

>>> ksclient2.federation.service_providers.list()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/v3/contrib/federation/service_providers.py", line 76, in list
    return super(ServiceProviderManager, self).list(**kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 75, in func
    return f(*args, **new_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 388, in list
    self.collection_key)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/base.py", line 124, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 170, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 206, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/adapter.py", line 95, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/utils.py", line 337, in inner
    return func(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneclient/session.py", line 405, in request
    raise exceptions.from_response(resp, method, url)
keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:list_service_providers (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-485c64e6-5de1-4470-9439-e05275a350fa)

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1544721

Title:
  Policy for listing service providers requires admin

Status in OpenStack Identity (keystone):
  New
