python-openstackclient

openstack/python-openstackclient

Commit Graph

Author	SHA1	Message	Date
Nathan Kinder	4c107e6f1b	Role operations should not require list object permission When using Keystone's policy.v3cloudsample.json policy file, a project admin is supposed to be able to manage role assignments. Unfortunately, a project admin isn't allowed to perform these operations using python-openstackclient, as we attempt to perform list operations for any of the object types specified (users, groups, projects). This is done in an attempt to lookup the id of the object by name, but we perform this list operation even when the user specifies everything by id. This causes 403 errors. This patch still attempts to look up the object id by name, but we catch the 403 and assume that the user specified an id if the list operation is not allowed. This is similar to what we do with the --domain option for other commands. Closes-bug: #1445528 Change-Id: Id95a8520e935c1092d5a22ecd8ea01f572334ac8	2015-04-17 10:14:57 -07:00
wanghong	e3ba13b320	add doc for role assignment command Change-Id: I594d444b6d1ec4e72bed03394178293737f26069	2014-12-24 14:23:25 +08:00
henriquetruta	58f80e4c75	Add role assignments list support to identity v3 The assignments manager and its test class were created. Some fake stubs were also added on the fakes.py module. The "openstack role assignment list" command was created. Change-Id: Iae94f4fee608ea3e09ff38961ad22edc38efb89c Implements: blueprint roles-assignment-list Closes-Bug: 1246310	2014-05-30 15:55:24 -03:00

Author

SHA1

Message

Date

Nathan Kinder

4c107e6f1b

Role operations should not require list object permission

When using Keystone's policy.v3cloudsample.json policy file, a project admin is
supposed to be able to manage role assignments.  Unfortunately, a project admin
isn't allowed to perform these operations using python-openstackclient, as we
attempt to perform list operations for any of the object types specified (users,
groups, projects). This is done in an attempt to lookup the id of the object by
name, but we perform this list operation even when the user specifies everything
by id. This causes 403 errors.

This patch still attempts to look up the object id by name, but we catch the 403
and assume that the user specified an id if the list operation is not allowed.
This is similar to what we do with the --domain option for other commands.

Closes-bug: #1445528
Change-Id: Id95a8520e935c1092d5a22ecd8ea01f572334ac8

2015-04-17 10:14:57 -07:00

wanghong

e3ba13b320

add doc for role assignment command

Change-Id: I594d444b6d1ec4e72bed03394178293737f26069

2014-12-24 14:23:25 +08:00

henriquetruta

58f80e4c75

Add role assignments list support to identity v3

The assignments manager and its test class were created.
Some fake stubs were also added on the fakes.py module.

The "openstack role assignment list" command was created.

Change-Id: Iae94f4fee608ea3e09ff38961ad22edc38efb89c
Implements: blueprint roles-assignment-list
Closes-Bug: 1246310

2014-05-30 15:55:24 -03:00

3 Commits