Managing projects requires admin role #716

Closed
racciari opened this issue Mar 22, 2019 · 1 comment · Fixed by #833

@racciari

Terraform Version

$ ./terraform -v
Terraform v0.12.0-beta1

  • provider.openstack v1.16.1-dev20190216h00-dev

Affected Resource(s)

  • openstack_identity_project_v3

Terraform Configuration Files

### Configure the OpenStack Provider

### Provider
provider "openstack" {
  user_name   = "${var.openstack_username}"
  password    = "${var.openstack_password}"
  tenant_name = "${var.openstack_project_name}"
  auth_url    = "${var.openstack_auth_url}"
  region      = "${var.openstack_region}"
}

### Project
data "openstack_identity_project_v3" "tf_project" {
  name = "test"
}

Debug Output

With non-admin credentials:

terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.openstack_identity_project_v3.tf_project: Refreshing state...

Error: Unable to query openstack_identity_project_v3: Request forbidden: [GET http://10.0.0.1:5000/v3/projects?enabled=true&is_domain=false&name=test], error message: {"error": {"message": "You are not authorized to perform the requested action: identity:list_projects", "code": 403, "title": "Forbidden"}}

  on project.tf line 13, in data "openstack_identity_project_v3" "tf_project":
  13: data "openstack_identity_project_v3" "tf_project" {

With admin credentials:

terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.openstack_identity_project_v3.tf_project: Refreshing state...

------------------------------------------------------------------------

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.

Expected Behavior

Retrieving project information must be accessible to non-admin users.
First, it would be easy to add a "project id" parameter; if used, the project listing can be avoided.
For a better implementation of this, you need to use the ListProjects from the users package.

Actual Behavior

Retrieving project information in Terraform uses project listing, which is only accessible to admin users due to the default access policy in Keystone: "identity:list_projects": "rule:admin_required".

Steps to Reproduce

Set your credentials, then:

  1. terraform plan
@jtopjian
Contributor

jtopjian commented Mar 22, 2019

@racciari Does openstack_identity_auth_scope_v3 help resolve this issue?

If not, can you let us know what OpenStack commands / API calls you would use as a regular user to obtain the results you're looking for?

edit: Oh, nevermind.

> For a better implementation of this, you need to use the ListProjects from the users package.

Right. This should be possible to do.

pablomartinez added a commit to pablomartinez/terraform-provider-openstack that referenced this issue Aug 8, 2019
…min role" by using the users.ListProjects API entry point if not admin permission
ozerovandrei pushed a commit that referenced this issue Sep 1, 2019
….ListProjects API entry point if not admin permission (#833)
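
The fallback discussed in this thread, as an added Go example (not the provider's code and not the change merged in #833): the lookup tries the filtered project listing and, when Keystone answers 403, falls back to the user's own projects (GET /v3/users/{user_id}/projects), matching the name client-side so the Terraform credentials need no admin role. `findProjectID`, the `get` callback, `memberKeystone` and the IDs `u1`, `p1`, `p2` are assumptions, and the stand-in responses are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

// findProjectID (hypothetical helper) resolves a project name to its ID without admin rights.
// get is an assumed callback that performs an authenticated GET and returns status and body.
func findProjectID(get func(path string) (int, []byte, error), userID, name string) (string, error) {
	for _, path := range []string{
		"/v3/projects?name=" + url.QueryEscape(name),        // identity:list_projects
		"/v3/users/" + url.PathEscape(userID) + "/projects", // the caller's own projects
	} {
		status, raw, err := get(path)
		if err != nil {
			return "", err
		}
		if status == http.StatusForbidden {
			continue // policy denied this listing; try the next one
		}
		var body struct{ Projects []struct{ ID, Name string } }
		if status != http.StatusOK || json.Unmarshal(raw, &body) != nil {
			return "", fmt.Errorf("GET %s: unexpected response (HTTP %d)", path, status)
		}
		for _, p := range body.Projects {
			if p.Name == name { // the per-user listing is unfiltered, so match here
				return p.ID, nil
			}
		}
		return "", fmt.Errorf("project %q not found", name)
	}
	return "", fmt.Errorf("no project listing is permitted for this token")
}

// memberKeystone is a constructed stand-in for user u1's non-admin token under the default policy.
func memberKeystone(path string) (int, []byte, error) {
	if path != "/v3/users/u1/projects" {
		return http.StatusForbidden, []byte(`{"error":{"code":403,"title":"Forbidden"}}`), nil
	}
	return http.StatusOK, []byte(`{"projects":[{"id":"p2","name":"other"},{"id":"p1","name":"test"}]}`), nil
}

func main() {
	fmt.Println(findProjectID(memberKeystone, "u1", "test"))
}
```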