Unable to allow users to see role assignments on all their projects

Bug #1885647 reported by Sam Morrison
Affects: OpenStack Identity (keystone)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

I'm trying to allow users to see what roles they have on all of their projects.

It would seem that this should do this in policy:

"identity:list_role_assignments": "rule:admin_or_monitoring or project_id:%(scope.project.id)s or user_id:%(scope.user.id)s"

However this doesn't work.

With project_id:%(scope.project.id)s it allows a user to list the roles of the project they are authed to, but it doesn't work with user_id:%(scope.user.id)s

I notice that when using the keystone client it treats filtering by user_id and project_id differently

When filtering by project it does:
/v3/role_assignments?scope.project.id=094ae1e2c08f4eddb444a9d9db71ab40

But when filtering by user it does:
/v3/role_assignments?user.id=d1fa8867e42444cf8724e65fef1da549

Is there something I'm missing here or is this possibly a bug?
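The failing case above can be reproduced without a Keystone deployment. The following is an added example, not Keystone's or oslo.policy's own code: a small evaluator that mimics how oslo.policy resolves a generic check such as project_id:%(scope.project.id)s (left side looked up in the caller's credentials, right side %-formatted against the policy target, and a target key that is missing makes the check fail). It assumes that the role_assignments API builds its policy target from scope.project.id only; the credential and target dicts are constructed, and the ids are the ones quoted in the report.

```python
"""Toy evaluator for the oslo.policy rule syntax used in this report.

Added example (not Keystone or oslo.policy code). Only the pieces the
rule under discussion needs are implemented: ``rule:`` references,
``role:`` checks, generic ``key:%(target_key)s`` checks and ``or``.
"""

# Rules as written in the report (admin_or_monitoring is a constructed stand-in).
RULES = {
    "admin_or_monitoring": "role:admin or role:monitoring",
    "identity:list_role_assignments":
        "rule:admin_or_monitoring or project_id:%(scope.project.id)s "
        "or user_id:%(scope.user.id)s",
}

# Constructed caller: a plain member, token scoped to the project in the report.
USER_ID = "d1fa8867e42444cf8724e65fef1da549"
PROJECT_ID = "094ae1e2c08f4eddb444a9d9db71ab40"
CREDS = {"user_id": USER_ID, "project_id": PROJECT_ID, "roles": ["member"]}


def check_one(check: str, creds: dict, target: dict) -> bool:
    """Evaluate one ``kind:match`` check the way oslo.policy's generic check does."""
    kind, match = check.split(":", 1)
    if kind == "rule":
        return evaluate(RULES[match], creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        expected = match % target          # KeyError when the target lacks the key
    except KeyError:
        return False                       # oslo.policy treats this as "no match"
    return str(creds.get(kind)) == expected


def evaluate(rule: str, creds: dict, target: dict) -> bool:
    """Evaluate an ``or``-joined rule (the only operator this rule uses)."""
    return any(check_one(c.strip(), creds, target) for c in rule.split(" or "))


def target_for(query: dict) -> dict:
    """Assumption: the API only copies scope.project.id into the policy target."""
    target = {}
    if "scope.project.id" in query:
        target["scope.project.id"] = query["scope.project.id"]
    return target


def allowed(query: dict) -> bool:
    """Would the member be allowed to list role assignments for this query?"""
    return evaluate(RULES["identity:list_role_assignments"], CREDS, target_for(query))


def allowed_if_target_carried_user(query: dict) -> bool:
    """Hypothetical: what the same rule would do if scope.user.id were in the target."""
    target = target_for(query)
    if "user.id" in query:
        target["scope.user.id"] = query["user.id"]
    return evaluate(RULES["identity:list_role_assignments"], CREDS, target)


if __name__ == "__main__":
    print(allowed({"scope.project.id": PROJECT_ID}))   # True: project check matches
    print(allowed({"user.id": USER_ID}))                # False: no scope.user.id in target
    print(allowed_if_target_carried_user({"user.id": USER_ID}))  # True (hypothetical)
```

The user_id branch never matches, not because the rule is wrong, but because the key it formats against is absent from the target the API constructs; a policy rule can only reference what the enforcement point puts in the target.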

Kristi Nikolla (knikolla) wrote:

Hi Sam,

In the context of authenticating within Keystone, there are 3 different scopes: project, domain, or system. User is not part of the scope.

I do not believe what you're trying to achieve is possible with that API call and policy changes. The target in the context is only constructed with scope.project.id as can be seen in the code [0].

In the meantime, it is possible with multiple API calls.

1) User can query the projects that the user has permission for. [1]
2) User can authenticate to the projects. The authentication call will return you the roles that you have available in that project.

[0]. https://github.com/openstack/keystone/blob/00031689126b2a40461921ac4715ff595fde51ae/keystone/api/role_assignments.py#L85
[1]. https://docs.openstack.org/api-ref/identity/v3/?expanded=get-available-project-scopes-detail#get-available-project-scopes
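The two-step workaround in the comment above, as an added example that is not part of the thread and not Keystone's or python-keystoneclient's code. It uses the documented v3 endpoints (GET /v3/auth/projects for the caller's available project scopes, then POST /v3/auth/tokens with a token-method auth re-scoped to each project, reading the roles from the returned token body). KEYSTONE_URL, the transport callable and the FakeKeystone stand-in with its constructed responses are assumptions; the fake also counts requests, which makes the one-round-trip-per-project cost visible.

```python
"""Collect a user's roles on every project via /auth/projects plus one
project-scoped token per project. Added example, not Keystone code."""
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

KEYSTONE_URL = "https://keystone.example.test/v3"   # assumption

# Constructed ids: the first is the project id quoted in the report.
PROJECT_A = "094ae1e2c08f4eddb444a9d9db71ab40"
PROJECT_B = "7d2c8b0e3f1a4c5d9e6f0a1b2c3d4e5f"


def http_json(method: str, url: str, token: str,
              body: Optional[dict] = None) -> Tuple[dict, Optional[str]]:
    """Stdlib transport: JSON in/out, caller's token in X-Auth-Token,
    issued token (if any) returned from the X-Subject-Token header."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-Auth-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read()), resp.headers.get("X-Subject-Token")


def scoped_auth_body(unscoped_token: str, project_id: str) -> dict:
    """POST /v3/auth/tokens body: re-scope an existing token to one project."""
    return {"auth": {
        "identity": {"methods": ["token"], "token": {"id": unscoped_token}},
        "scope": {"project": {"id": project_id}}}}


def roles_per_project(unscoped_token: str,
                      transport: Callable = http_json) -> Dict[str, List[str]]:
    """Step 1: list available project scopes. Step 2: authenticate to each
    and read token.roles. Cost is 1 + N requests for N projects."""
    projects, _ = transport("GET", f"{KEYSTONE_URL}/auth/projects", unscoped_token)
    roles: Dict[str, List[str]] = {}
    for project in projects["projects"]:
        body, _scoped_token = transport(
            "POST", f"{KEYSTONE_URL}/auth/tokens", unscoped_token,
            scoped_auth_body(unscoped_token, project["id"]))
        roles[project["id"]] = sorted(r["name"] for r in body["token"]["roles"])
    return roles


class FakeKeystone:
    """Offline stand-in for the two endpoints (constructed data) that counts calls."""
    PROJECTS = {"projects": [{"id": PROJECT_A, "name": "proj-a"},
                             {"id": PROJECT_B, "name": "proj-b"}]}
    ROLES = {PROJECT_A: ["member"], PROJECT_B: ["reader", "member"]}

    def __init__(self) -> None:
        self.calls = 0

    def transport(self, method: str, url: str, token: str,
                  body: Optional[dict] = None) -> Tuple[dict, Optional[str]]:
        self.calls += 1
        if method == "GET" and url.endswith("/auth/projects"):
            return self.PROJECTS, None
        pid = body["auth"]["scope"]["project"]["id"]
        roles = [{"id": "role-" + n, "name": n} for n in self.ROLES[pid]]
        return {"token": {"project": {"id": pid}, "roles": roles}}, "constructed-scoped-token"


if __name__ == "__main__":
    fake = FakeKeystone()
    print(roles_per_project("constructed-unscoped-token", fake.transport))
    print("requests made:", fake.calls)   # 3 for two projects
```

Against a real deployment, replace the fake with the default http_json transport and a genuine token; the request count grows linearly with the user's project count, which is the slowness the reporter points out for users in many projects.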

Sam Morrison (sorrison) wrote:

OK, thanks for the explanation Kristi. Shame it's not possible, as the workaround would be quite slow if the user is in lots of projects (we have some users in over 50 projects).
