Public bug reported: Version: Mitaka

I updated my /etc/keystone/policy.json to policy.v3cloudsample.json [1]. Most functions work as expected. However, when I wanted to list members in a group as a domain admin, an error occurred:

"You are not authorized to perform the requested action: identity:list_users_in_group (HTTP 403)"

The reproduce steps are:

As cloud admin:
- openstack domain create taiwan # Assume the id of "taiwan" is "18eaa46db5324a129bac0cdbc48f9512"
- TAIWAN_DOMAIN_ID=18eaa46db5324a129bac0cdbc48f9512
- openstack user create --domain $TAIWAN_DOMAIN_ID --password 5ecret taiwan-president
- openstack role add --user taiwan-president --domain $TAIWAN_DOMAIN_ID admin

As taiwan-president:
- openstack group create --domain $TAIWAN_DOMAIN_ID indigenous
- openstack user create --domain $TAIWAN_DOMAIN_ID margaret
- openstack group add user --group-domain $TAIWAN_DOMAIN_ID --user-domain $TAIWAN_DOMAIN_ID indigenous margaret
- openstack user list --group indigenous --domain $TAIWAN_DOMAIN_ID

The rule for identity:list_users_in_group is rule:cloud_admin or rule:admin_and_matching_target_group_domain_id. I can successfully list group members if I change it to rule:admin_required. I can reproduce this issue in devstack.

[1] https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json

** Affects: keystone
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1610166
Title: Cannot list group members with policy.v3cloudsample.json
Status in OpenStack Identity (keystone): New
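The 403 in this report comes down to how the `admin_and_matching_target_group_domain_id` branch is evaluated: it can only pass when the enforcement point supplies the group's `domain_id` in the policy target, so a domain admin is authorized against a populated target and denied against an empty one, while `cloud_admin` passes either way. The following is an added illustration, not keystone's or oslo.policy's code: a tiny evaluator for the subset of the policy language these rules use. The rule bodies for `admin_required`, `cloud_admin` and `admin_and_matching_target_group_domain_id` are simplified assumptions (the report quotes only the `identity:list_users_in_group` rule), and the credential and target dictionaries are constructed from the report's domain id.

```python
import re

# Assumed, simplified rule set in the style of policy.v3cloudsample.json.
# Only the identity:list_users_in_group rule is quoted in the bug report; the
# other three bodies are assumptions for the purpose of this illustration.
RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "role:admin and domain_id:admin_domain_id",
    "admin_and_matching_target_group_domain_id":
        "rule:admin_required and domain_id:%(target.group.domain_id)s",
    "identity:list_users_in_group":
        "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
}

_SUBST = re.compile(r"%\((.+)\)s")


def _lookup(target, dotted):
    """Walk a dotted path such as 'target.group.domain_id' through nested dicts."""
    cur = target
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _check_atom(atom, creds, target):
    """Evaluate one 'kind:value' atom against the caller's credentials and the target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    m = _SUBST.fullmatch(value)
    if m:
        # Attribute check against the target: a target attribute the enforcement
        # point never loaded can never match, which is the 403 path in the report.
        expected = _lookup(target, m.group(1))
        return expected is not None and str(creds.get(kind)) == str(expected)
    return str(creds.get(kind)) == value


def evaluate(expr, creds, target):
    """'and' binds tighter than 'or'; parentheses are not part of this subset."""
    return any(
        all(_check_atom(atom.strip(), creds, target) for atom in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def enforce(rule_name, creds, target):
    return evaluate(RULES[rule_name], creds, target)


# Constructed scenario: the domain id is the one quoted in the bug report.
TAIWAN_DOMAIN_ID = "18eaa46db5324a129bac0cdbc48f9512"
PRESIDENT = {"roles": ["admin"], "domain_id": TAIWAN_DOMAIN_ID}
CLOUD_ADMIN = {"roles": ["admin"], "domain_id": "admin_domain_id"}
GROUP_TARGET = {"target": {"group": {"domain_id": TAIWAN_DOMAIN_ID}}}


def domain_admin_with_target():
    # Enforcement point loaded the group: matching-domain branch is satisfied.
    return enforce("identity:list_users_in_group", PRESIDENT, GROUP_TARGET)


def domain_admin_without_target():
    # Enforcement point supplied no group in the target: only cloud_admin could pass.
    return enforce("identity:list_users_in_group", PRESIDENT, {})


def other_domain_admin_with_target():
    other = {"roles": ["admin"], "domain_id": "constructed-other-domain-id"}
    return enforce("identity:list_users_in_group", other, GROUP_TARGET)


def cloud_admin_without_target():
    return enforce("identity:list_users_in_group", CLOUD_ADMIN, {})


if __name__ == "__main__":
    print("domain admin, target loaded:   ", domain_admin_with_target())
    print("domain admin, target missing:  ", domain_admin_without_target())
    print("other-domain admin, target set:", other_domain_admin_with_target())
    print("cloud admin, target missing:   ", cloud_admin_without_target())
```

Running it shows the split the report observes: `rule:admin_required` alone would let any admin through, whereas the sample policy's scoping branch is only as good as the target the API handler hands to the enforcer. When diagnosing a 403 of this kind, the first thing to check is whether the rule references target attributes (`%(target.…)s`) that the failing API call actually populates.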