Public bug reported:

Cloud information:

Ubuntu 18.04
OpenStack Queens (bionic distro)

Keystone versions:

ubuntu@juju-2553c4-21-lxd-10:~$ dpkg -l | grep keystone
ii  keystone                       2:13.0.2-0ubuntu1
ii  python-keystone                2:13.0.2-0ubuntu1
ii  python-keystoneauth1           3.4.0-0ubuntu1
ii  python-keystoneclient          1:3.15.0-0ubuntu1
ii  python-keystonemiddleware      4.21.0-0ubuntu1


Problem description:

The admin of a domain can't list the users in that domain through the
CLI with openstack user list or openstack user list --domain <domain
id>.

However, listing the users in Horizon works (Login as domain admin in
the domain > Identity > Users).

The CLI fails with:

$ openstack user list
You are not authorized to perform the requested action: identity:list_users. 
(HTTP 403) (Request-ID: req-0e04d3ee-a2c1-4b50-9cd6-b82105ab7203)

$ openstack user list --domain <domain> 
You are not authorized to perform the requested action: identity:list_users. 
(HTTP 403) (Request-ID: req-978f5de7-2d73-4ea1-822d-74b2d801f5eb)

$ openstack user list --domain <domain id>
You are not authorized to perform the requested action: identity:list_users. 
(HTTP 403) (Request-ID: req-782be79f-6247-4b11-b217-8ae211ea96e8)

The RC file sourced to do this test is the one generated by downloading
the OpenStack RC File V3 in Horizon when logged in as the domain admin:

export OS_AUTH_URL=http://10.10.51.20:5000/v3
export OS_PROJECT_ID=<project id>
export OS_PROJECT_NAME="<project name>"
export OS_USER_DOMAIN_NAME="<domain name>"
if [ -z "$OS_USER_DOMAIN_NAME" ]; then unset OS_USER_DOMAIN_NAME; fi
export OS_PROJECT_DOMAIN_ID="<domain id>"
if [ -z "$OS_PROJECT_DOMAIN_ID" ]; then unset OS_PROJECT_DOMAIN_ID; fi
unset OS_TENANT_ID
unset OS_TENANT_NAME
export OS_USERNAME="<domain admin user>"
export OS_PASSWORD="<password>"
export OS_REGION_NAME="RegionOne"
if [ -z "$OS_REGION_NAME" ]; then unset OS_REGION_NAME; fi
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3


Extra info:

$ openstack role assignment list --names
+---------------+----------------------------------------------+-------------------------------+-----------------------------------------+---------------------+--------+-----------+
| Role          | User                                         | Group          
               | Project                                 | Domain              
| System | Inherited |
+---------------+----------------------------------------------+-------------------------------+-----------------------------------------+---------------------+--------+-----------+
[...]
| Admin         |                                              | <admin 
group>@<domain> | <project>@<domain> |                     |        | False     
|
| Member        |                                              | <admin 
group>@<domain> | <project>@<domain> |                     |        | False     
|
| Admin         |                                              | <admin 
group>@<domain> |                                         | <domain> |        | 
False     |


When doing "openstack user list" or "openstack user list --domain
<domain id>", Keystone logs show:

(py.warnings): 2019-10-18 04:10:56,037 WARNING 
/usr/lib/python2.7/dist-packages/oslo_policy/policy.py:865: UserWarning: Policy 
identity:list_users failed scope check. The token used to make the request was 
project scoped but the policy requires ['system'] scope. This behavior may 
change in the future where using the intended scope is required
  warnings.warn(msg)

(keystone.common.wsgi): 2019-10-18 04:10:56,038 WARNING You are not
authorized to perform the requested action: identity:list_users.


/etc/keystone/policy.json has:

    "identity:list_users": "rule:cloud_admin or 
rule:admin_and_matching_domain_id",
    "admin_and_matching_domain_id": "rule:admin_required and 
domain_id:%(domain_id)s",


As mentioned above, the workaround is to use the Horizon UI to list the
users in the domain.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1848625

Title:
  Domain admin can't list users in domain via CLI

Status in OpenStack Identity (keystone):
  New

Bug description:
  Cloud information:

  Ubuntu 18.04
  OpenStack Queens (bionic distro)

  Keystone versions:

  ubuntu@juju-2553c4-21-lxd-10:~$ dpkg -l | grep keystone
  ii  keystone                       2:13.0.2-0ubuntu1
  ii  python-keystone                2:13.0.2-0ubuntu1
  ii  python-keystoneauth1           3.4.0-0ubuntu1
  ii  python-keystoneclient          1:3.15.0-0ubuntu1
  ii  python-keystonemiddleware      4.21.0-0ubuntu1

  
  Problem description:

  The admin of a domain can't list the users in that domain through the
  CLI with openstack user list or openstack user list --domain <domain
  id>.

  However, listing the users in Horizon works (Login as domain admin in
  the domain > Identity > Users).

  The CLI fails with:

  $ openstack user list
  You are not authorized to perform the requested action: identity:list_users. 
(HTTP 403) (Request-ID: req-0e04d3ee-a2c1-4b50-9cd6-b82105ab7203)

  $ openstack user list --domain <domain> 
  You are not authorized to perform the requested action: identity:list_users. 
(HTTP 403) (Request-ID: req-978f5de7-2d73-4ea1-822d-74b2d801f5eb)

  $ openstack user list --domain <domain id>
  You are not authorized to perform the requested action: identity:list_users. 
(HTTP 403) (Request-ID: req-782be79f-6247-4b11-b217-8ae211ea96e8)

  The RC file sourced to do this test is the one generated by
  downloading the OpenStack RC File V3 in Horizon when logged in as the
  domain admin:

  export OS_AUTH_URL=http://10.10.51.20:5000/v3
  export OS_PROJECT_ID=<project id>
  export OS_PROJECT_NAME="<project name>"
  export OS_USER_DOMAIN_NAME="<domain name>"
  if [ -z "$OS_USER_DOMAIN_NAME" ]; then unset OS_USER_DOMAIN_NAME; fi
  export OS_PROJECT_DOMAIN_ID="<domain id>"
  if [ -z "$OS_PROJECT_DOMAIN_ID" ]; then unset OS_PROJECT_DOMAIN_ID; fi
  unset OS_TENANT_ID
  unset OS_TENANT_NAME
  export OS_USERNAME="<domain admin user>"
  export OS_PASSWORD="<password>"
  export OS_REGION_NAME="RegionOne"
  if [ -z "$OS_REGION_NAME" ]; then unset OS_REGION_NAME; fi
  export OS_INTERFACE=public
  export OS_IDENTITY_API_VERSION=3

  
  Extra info:

  $ openstack role assignment list --names
  
+---------------+----------------------------------------------+-------------------------------+-----------------------------------------+---------------------+--------+-----------+
  | Role          | User                                         | Group        
                 | Project                                 | Domain             
 | System | Inherited |
  
+---------------+----------------------------------------------+-------------------------------+-----------------------------------------+---------------------+--------+-----------+
  [...]
  | Admin         |                                              | <admin 
group>@<domain> | <project>@<domain> |                     |        | False     
|
  | Member        |                                              | <admin 
group>@<domain> | <project>@<domain> |                     |        | False     
|
  | Admin         |                                              | <admin 
group>@<domain> |                                         | <domain> |        | 
False     |


  
  When doing "openstack user list" or "openstack user list --domain <domain 
id>", Keystone logs show:

  (py.warnings): 2019-10-18 04:10:56,037 WARNING 
/usr/lib/python2.7/dist-packages/oslo_policy/policy.py:865: UserWarning: Policy 
identity:list_users failed scope check. The token used to make the request was 
project scoped but the policy requires ['system'] scope. This behavior may 
change in the future where using the intended scope is required
    warnings.warn(msg)

  (keystone.common.wsgi): 2019-10-18 04:10:56,038 WARNING You are not
  authorized to perform the requested action: identity:list_users.

  
  /etc/keystone/policy.json has:

      "identity:list_users": "rule:cloud_admin or 
rule:admin_and_matching_domain_id",
      "admin_and_matching_domain_id": "rule:admin_required and 
domain_id:%(domain_id)s",


  As mentioned above, the workaround is to use the Horizon UI to list
  the users in the domain.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1848625/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to