Public bug reported:

As the documentation of the latest OpenStack Dalmatian (2024.2 as of writing)
in references 1 and 2 suggests, the manager role does not function as
intended.

Steps to reproduce:

Debian Bookworm 12 installation on a VM or bare metal.
Reproduced with both:
- OpenStack installed from the Debian osbpo repository with Dalmatian 2024.2 packages
- Out-of-the-box installation with DevStack in a Debian Bookworm VM
(running the standard devstack script).

Below I am illustrating the problem with the devstack installation. I have
not customised the service configurations.

Expected result:
When a user is configured as a manager in a domain, they should be able to:

- List, assign and revoke roles within the domain
- Create and delete projects within a domain
- List, create and delete users
- List, create and delete groups

As admin, listing role assignments:
+-------------+-------------------------+-------------------+----------------------------+---------+--------+-----------+
| Role        | User                    | Group             | Project                    | Domain  | System | Inherited |
+-------------+-------------------------+-------------------+----------------------------+---------+--------+-----------+
| service     | glance@Default          |                   | service@Default            |         |        | False     |
| anotherrole | alt_demo@Default        |                   | alt_demo@Default           |         |        | False     |
| admin       | alt_demo@Default        |                   | alt_demo@Default           |         |        | False     |
| anotherrole | demo@Default            |                   | demo@Default               |         |        | False     |
| member      | demo@Default            |                   | demo@Default               |         |        | False     |
| member      | demo@Default            |                   | invisible_to_admin@Default |         |        | False     |
| member      | alt_demo_member@Default |                   | alt_demo@Default           |         |        | False     |
| service     | gnocchi@Default         |                   | service@Default            |         |        | False     |
| admin       | admin@Default           |                   | demo@Default               |         |        | False     |
| member      | admin@Default           |                   | demo_child@Default         |         |        | False     |
| admin       | admin@Default           |                   | admin@Default              |         |        | False     |
| member      | manauser@Domainb        |                   | managerproj@Domainb        |         |        | False     |
| reader      | demo_reader@Default     |                   | demo@Default               |         |        | False     |
| admin       | nova@Default            |                   | service@Default            |         |        | False     |
| service     | nova@Default            |                   | service@Default            |         |        | False     |
| admin       | ceilometer@Default      |                   | service@Default            |         |        | False     |
| service     | ceilometer@Default      |                   | service@Default            |         |        | False     |
| admin       | placement@Default       |                   | service@Default            |         |        | False     |
| service     | placement@Default       |                   | service@Default            |         |        | False     |
| service     | neutron@Default         |                   | service@Default            |         |        | False     |
| service     | cinder@Default          |                   | service@Default            |         |        | False     |
| reader      | alt_demo_reader@Default |                   | alt_demo@Default           |         |        | False     |
| admin       | aodh@Default            |                   | service@Default            |         |        | False     |
| service     | aodh@Default            |                   | service@Default            |         |        | False     |
| admin       |                         | admins@Default    | admin@Default              |         |        | False     |
| anotherrole |                         | nonadmins@Default | alt_demo@Default           |         |        | False     |
| member      |                         | nonadmins@Default | alt_demo@Default           |         |        | False     |
| anotherrole |                         | nonadmins@Default | demo@Default               |         |        | False     |
| member      |                         | nonadmins@Default | demo@Default               |         |        | False     |
| admin       | admin@Default           |                   |                            | Default |        | False     |
| manager     | manauser@Domainb        |                   |                            | Domainb |        | False     |
| reader      | glance@Default          |                   |                            |         | all    | False     |
| admin       | admin@Default           |                   |                            |         | all    | False     |
| reader      | system_reader@Default   |                   |                            |         | all    | False     |
| member      | system_member@Default   |                   |                            |         | all    | False     |
+-------------+-------------------------+-------------------+----------------------------+---------+--------+-----------+

With the manauser openrc sourced, running the following commands:

openstack project list

+----------------------------------+-------------+
| ID                               | Name        |
+----------------------------------+-------------+
| 8c648ab677c74acbba7688ba43266e65 | managerproj |
+----------------------------------+-------------+
stack@localhost:~/devstack$ openstack user list --domain Domainb
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/domains?name=Domainb, You are not authorized to perform the requested action: identity:list_domains.

stack@localhost:~/devstack$ openstack user list --domain Domainb --project managerproj
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/domains?name=Domainb, You are not authorized to perform the requested action: identity:list_domains.

stack@localhost:~/devstack$ openstack user create --domain Domainb test
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/domains?name=Domainb, You are not authorized to perform the requested action: identity:list_domains.

stack@localhost:~/devstack$ openstack project create --domain Domainb test
You are not authorized to perform the requested action: identity:create_project. (HTTP 403) (Request-ID: req-00ade0f4-b035-42f1-b628-78e09fee679d)

stack@localhost:~/devstack$ openstack group create --domain Domainb test
You are not authorized to perform the requested action: identity:create_group. (HTTP 403) (Request-ID: req-fb8dc2aa-a279-4b84-a4ca-86cec2b205fd)

stack@localhost:~/devstack$ openstack role assignment list --domain Domainb
ForbiddenException: 403: Client Error for url: http://192.168.122.141/identity/v3/role_assignments?scope.domain.id=Domainb, You are not authorized to perform the requested action: identity:list_role_assignments.

[1] https://docs.openstack.org/keystone/latest/user/domain-manager-usage.html
[2] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
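To make the reproduction above repeatable on another deployment, here is an added shell script (not part of the bug report and not Keystone's own code) that runs the operations the domain-manager documentation lists and records, for each, the policy target Keystone names in its 403 message. It assumes an openrc for the manager user is sourced and that the `openstack` CLI is on PATH; the DOMAIN value and the `mgr-check-*` resource names are placeholders. Note what the report's own output shows: the user list and user create commands are refused at `identity:list_domains` on `/v3/domains?name=Domainb`, because the CLI resolves the `--domain` name to an ID before calling the user API. The script therefore prints the URL of the refused request as well, so a failing name lookup is not mistaken for a failure of the operation itself.

```shell
#!/bin/sh
# Added example, not part of the bug report: exercise the operations that the
# Keystone domain-manager documentation lists for a manager and report which
# policy target Keystone named when it refused each one.
# Assumptions: an openrc for the manager user is sourced, the `openstack` CLI is
# on PATH, and DOMAIN plus the mgr-check-* names are placeholders you may change.
DOMAIN="${DOMAIN:-Domainb}"

# Pull the policy target (e.g. identity:list_domains) out of a Keystone 403 message.
# Both message shapes seen in the report are handled:
#   ForbiddenException: 403: Client Error for url: ..., You are not authorized
#       to perform the requested action: identity:list_domains.
#   You are not authorized to perform the requested action:
#       identity:create_project. (HTTP 403) (Request-ID: req-...)
policy_target() {
    printf '%s\n' "$1" | tr '\n' ' ' \
        | sed -n 's/.*requested action: *\([a-z_]*:[a-z_]*\).*/\1/p'
}

# Pull the request URL out of a ForbiddenException message; empty if there is none.
# This shows which lookup was refused: in the report the user commands fail on the
# /v3/domains?name=... name resolution, not on the user API itself.
denied_url() {
    printf '%s\n' "$1" | tr '\n' ' ' \
        | sed -n 's/.*Client Error for url: *\([^ ,]*\).*/\1/p'
}

# Classify one CLI run from its exit status and combined stdout/stderr:
# "ok", "denied:<policy target>", or "error" (failed for some other reason).
classify() {
    status="$1"
    output="$2"
    if [ "$status" -eq 0 ]; then
        echo ok
        return
    fi
    target="$(policy_target "$output")"
    if [ -n "$target" ]; then
        echo "denied:$target"
    else
        echo error
    fi
}

# Run one operation and print a one-line verdict for it.
check_op() {
    label="$1"
    shift
    out="$("$@" 2>&1)"
    rc=$?
    verdict="$(classify "$rc" "$out")"
    url="$(denied_url "$out")"
    printf '%-18s %-38s %s\n' "$label" "$verdict" "${url:+at $url}"
}

# The expected-result list from the report, in the order a manager would use them;
# the delete steps also clean up whatever the create steps managed to create.
main() {
    check_op "list users"       openstack user list --domain "$DOMAIN"
    check_op "list groups"      openstack group list --domain "$DOMAIN"
    check_op "list assignments" openstack role assignment list --domain "$DOMAIN"
    check_op "create project"   openstack project create --domain "$DOMAIN" mgr-check-proj
    check_op "create user"      openstack user create --domain "$DOMAIN" mgr-check-user
    check_op "create group"     openstack group create --domain "$DOMAIN" mgr-check-group
    check_op "assign role"      openstack role add --domain "$DOMAIN" \
        --user mgr-check-user --user-domain "$DOMAIN" member
    check_op "revoke role"      openstack role remove --domain "$DOMAIN" \
        --user mgr-check-user --user-domain "$DOMAIN" member
    check_op "delete group"     openstack group delete --domain "$DOMAIN" mgr-check-group
    check_op "delete user"      openstack user delete --domain "$DOMAIN" mgr-check-user
    check_op "delete project"   openstack project delete --domain "$DOMAIN" mgr-check-proj
}

# Run against the cloud only when executed directly as check_domain_manager.sh;
# sourcing the file just defines the helpers.
if [ "${0##*/}" = "check_domain_manager.sh" ]; then
    main
fi
```

Save it as check_domain_manager.sh, source the manager's openrc, and run it once with the manager credentials and once with admin credentials; a row that reads `denied:identity:...` under the manager but `ok` under admin is a policy target to compare against the documented defaults in reference 2.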

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2105988

Title:
  domain manager role does not work (Dalmatian)

Status in OpenStack Identity (keystone):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2105988/+subscriptions


-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
