diff options
| author | Nathan Kinder <nkinder@redhat.com> | 2015-04-16 19:12:45 -0700 |
|---|---|---|
| committer | Nathan Kinder <nkinder@redhat.com> | 2015-04-17 10:14:57 -0700 |
| commit | 4c107e6f1b1913988e208b31206c84ab851b780c (patch) | |
| tree | c5de7fd4ebb63768224af39d27d6d040fcb821dc /python-openstackclient/locale/python-openstackclient.pot | |
| parent | b72f2fb7eead6287fbdd07c369c0462586f37785 (diff) | |
| download | python-openstackclient-4c107e6f1b1913988e208b31206c84ab851b780c.tar.gz | |
Role operations should not require list object permission
When using Keystone's policy.v3cloudsample.json policy file, a project admin is
supposed to be able to manage role assignments. Unfortunately, a project admin
isn't allowed to perform these operations using python-openstackclient, as we
attempt to perform list operations for any of the object types specified (users,
groups, projects). This is done in an attempt to lookup the id of the object by
name, but we perform this list operation even when the user specifies everything
by id. This causes 403 errors.
This patch still attempts to look up the object id by name, but we catch the 403
and assume that the user specified an id if the list operation is not allowed.
This is similar to what we do with the --domain option for other commands.
Closes-bug: #1445528
Change-Id: Id95a8520e935c1092d5a22ecd8ea01f572334ac8
Diffstat (limited to 'python-openstackclient/locale/python-openstackclient.pot')
0 files changed, 0 insertions, 0 deletions