Public bug reported:

Cloud information:

Ubuntu 18.04
OpenStack Queens (bionic distro)

Keystone versions:

ubuntu@juju-2553c4-21-lxd-10:~$ dpkg -l | grep keystone
ii  keystone                  2:13.0.2-0ubuntu1
ii  python-keystone           2:13.0.2-0ubuntu1
ii  python-keystoneauth1      3.4.0-0ubuntu1
ii  python-keystoneclient     1:3.15.0-0ubuntu1
ii  python-keystonemiddleware 4.21.0-0ubuntu1

Problem description:

The admin of a domain can't list the users in that domain through the CLI with "openstack user list" or "openstack user list --domain <domain id>". However, listing the users in Horizon works (log in as domain admin in the domain > Identity > Users).

The CLI fails with:

$ openstack user list
You are not authorized to perform the requested action: identity:list_users. (HTTP 403) (Request-ID: req-0e04d3ee-a2c1-4b50-9cd6-b82105ab7203)

$ openstack user list --domain <domain>
You are not authorized to perform the requested action: identity:list_users. (HTTP 403) (Request-ID: req-978f5de7-2d73-4ea1-822d-74b2d801f5eb)

$ openstack user list --domain <domain id>
You are not authorized to perform the requested action: identity:list_users. (HTTP 403) (Request-ID: req-782be79f-6247-4b11-b217-8ae211ea96e8)

The RC file sourced to do this test is the one generated by downloading the OpenStack RC File V3 in Horizon when logged in as the domain admin:

export OS_AUTH_URL=http://10.10.51.20:5000/v3
export OS_PROJECT_ID=<project id>
export OS_PROJECT_NAME="<project name>"
export OS_USER_DOMAIN_NAME="<domain name>"
if [ -z "$OS_USER_DOMAIN_NAME" ]; then unset OS_USER_DOMAIN_NAME; fi
export OS_PROJECT_DOMAIN_ID="<domain id>"
if [ -z "$OS_PROJECT_DOMAIN_ID" ]; then unset OS_PROJECT_DOMAIN_ID; fi
unset OS_TENANT_ID
unset OS_TENANT_NAME
export OS_USERNAME="<domain admin user>"
export OS_PASSWORD="<password>"
export OS_REGION_NAME="RegionOne"
if [ -z "$OS_REGION_NAME" ]; then unset OS_REGION_NAME; fi
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3

Extra info:

$ openstack role assignment list --names
+--------+------+------------------------+--------------------+----------+--------+-----------+
| Role   | User | Group                  | Project            | Domain   | System | Inherited |
+--------+------+------------------------+--------------------+----------+--------+-----------+
[...]
| Admin  |      | <admin group>@<domain> | <project>@<domain> |          |        | False     |
| Member |      | <admin group>@<domain> | <project>@<domain> |          |        | False     |
| Admin  |      | <admin group>@<domain> |                    | <domain> |        | False     |

When doing "openstack user list" or "openstack user list --domain <domain id>", Keystone logs show:

(py.warnings): 2019-10-18 04:10:56,037 WARNING /usr/lib/python2.7/dist-packages/oslo_policy/policy.py:865: UserWarning: Policy identity:list_users failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
  warnings.warn(msg)
(keystone.common.wsgi): 2019-10-18 04:10:56,038 WARNING You are not authorized to perform the requested action: identity:list_users.

/etc/keystone/policy.json has:

"identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",

As mentioned above, the workaround is to use the Horizon UI to list the users in the domain.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1848625

Title:
  Domain admin can't list users in domain via CLI

Status in OpenStack Identity (keystone):
  New

Mailing list: https://launchpad.net/~yahoo-eng-team
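An added illustration, not part of the bug report or of Keystone's code, of how the two policy.json rules quoted in the report evaluate: `domain_id:%(domain_id)s` compares a key in the token's credentials with a value from the request target, and a project-scoped token exposes `project_domain_id` but no `domain_id`, so only a domain-scoped token can satisfy `admin_and_matching_domain_id`. The check functions are a small stand-in for the corresponding oslo.policy checks, and the credential dicts and the `cloud_admin` / `admin_required` definitions are assumptions modelled on Keystone's default policy (the report does not show them).

```python
# Added example (not from the bug report): a minimal stand-in for the
# oslo.policy checks used by the two policy.json rules quoted above, showing
# why a project-scoped token cannot satisfy "admin_and_matching_domain_id"
# while a domain-scoped token can.  Credential shapes and the cloud_admin /
# admin_required definitions are assumptions modelled on Keystone defaults.

def role_check(role):
    """'role:<name>' -> true if the token's roles include <name>."""
    return lambda creds, target: role in creds.get("roles", [])

def generic_check(cred_key, target_key):
    """'<cred_key>:%(<target_key>)s' -> compares a token credential with a
    value taken from the request target.  As in oslo.policy, a key missing
    on either side makes the check fail."""
    def check(creds, target):
        if cred_key not in creds or target_key not in target:
            return False
        return str(creds[cred_key]) == str(target[target_key])
    return check

def all_of(*checks):  # "and"
    return lambda creds, target: all(c(creds, target) for c in checks)

def any_of(*checks):  # "or"
    return lambda creds, target: any(c(creds, target) for c in checks)

# Assumed definitions (the report does not show them).
admin_required = role_check("admin")
cloud_admin = all_of(admin_required,
                     lambda creds, target: creds.get("is_admin_project") is True)

# The two rules as quoted from /etc/keystone/policy.json in the report.
admin_and_matching_domain_id = all_of(admin_required,
                                      generic_check("domain_id", "domain_id"))
identity_list_users = any_of(cloud_admin, admin_and_matching_domain_id)

def allow_list_users(creds, target):
    """True if identity:list_users would pass for this token and request
    target (the target carries the --domain filter, if any)."""
    return identity_list_users(creds, target)

# Constructed credentials for a domain admin of domain "d0": a project-scoped
# token exposes project_domain_id but no domain_id; a domain-scoped token does.
PROJECT_SCOPED = {"roles": ["admin", "member"], "user_id": "u1",
                  "user_domain_id": "d0", "project_id": "p1",
                  "project_domain_id": "d0"}
DOMAIN_SCOPED = {"roles": ["admin"], "user_id": "u1",
                 "user_domain_id": "d0", "domain_id": "d0"}
```

Running `allow_list_users` with `PROJECT_SCOPED` and a `{"domain_id": "d0"}` target reproduces the 403 from the report, while `DOMAIN_SCOPED` passes for its own domain and is still refused for any other domain.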