Description of problem:
In a standard OSP 10 installation, I've created a project associated to an AZ. I've created 2 users. One has the admin role, the other one the _member_ role. Using the user with role member I can still list ALL the AZs. Customer believes this shouldn't be possible.

[root@rhosp10-controller ~(keystone_admin)]# openstack role assignment list --project test-1 --user user-1 --names
+----------+--------+---------+
| Role     | User   | Project |
+----------+--------+---------+
| _member_ | user-1 | test-1  |
+----------+--------+---------+

[root@rhosp10-controller ~(keystone_admin)]# openstack role assignment list --project test-1 --user admin-1 --names
+----------+---------+---------+
| Role     | User    | Project |
+----------+---------+---------+
| _member_ | admin-1 | test-1  |
| admin    | admin-1 | test-1  |
+----------+---------+---------+

[root@rhosp10-controller ~(keystone_admin)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| internal  | available   |
| AZ2       | available   |
| AZ1       | available   |
| nova      | available   |
| nova      | available   |
| nova      | available   |
+-----------+-------------+

[root@rhosp10-controller ~(keystone_admin)]# source keystonerc_user-1
[root@rhosp10-controller ~(user-1)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| AZ2       | available   |
| AZ1       | available   |
| nova      | available   |
| nova      | available   |
| nova      | available   |
+-----------+-------------+

Version-Release number of selected component (if applicable):
python-keystone-10.0.3-1.el7ost.noarch
python-keystoneclient-3.5.1-1.el7ost.noarch
python-keystonemiddleware-4.9.1-1.el7ost.noarch
puppet-keystone-9.5.0-5.el7ost.noarch
openstack-keystone-10.0.3-1.el7ost.noarch
python-keystoneauth1-2.12.3-1.el7ost.noarch

How reproducible:
Same behavior with a brand new OSP 10 install.

Steps to Reproduce:
[root@rhosp10-controller ~(keystone_admin)]# nova aggregate-create az1 AZ1
+----+------+-------------------+-------+-------------------------+
| Id | Name | Availability Zone | Hosts | Metadata                |
+----+------+-------------------+-------+-------------------------+
| 1  | az1  | AZ1               |       | 'availability_zone=AZ1' |
+----+------+-------------------+-------+-------------------------+

[root@rhosp10-controller ~(keystone_admin)]# nova aggregate-add-host az1 rhosp10-compute01
Host rhosp10-compute01 has been successfully added for aggregate 1
+----+------+-------------------+---------------------+-------------------------+
| Id | Name | Availability Zone | Hosts               | Metadata                |
+----+------+-------------------+---------------------+-------------------------+
| 1  | az1  | AZ1               | 'rhosp10-compute01' | 'availability_zone=AZ1' |
+----+------+-------------------+---------------------+-------------------------+

[root@rhosp10-controller ~(keystone_admin)]# openstack project create test-1
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| enabled     | True                             |
| id          | 632863bbfa874fc7bbfe6ea74830f0f2 |
| name        | test-1                           |
+-------------+----------------------------------+

[root@rhosp10-controller ~(keystone_admin)]# openstack user create user-1 --project test-1 --password q1w2e3r4
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| email      | None                             |
| enabled    | True                             |
| id         | 5fea433caa20497b934d6f760c28e031 |
| name       | user-1                           |
| project_id | 632863bbfa874fc7bbfe6ea74830f0f2 |
| username   | user-1                           |
+------------+----------------------------------+

Actual results:
[root@rhosp10-controller ~(user-1)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| AZ2       | available   |
| AZ1       | available   |
+-----------+-------------+

Expected results:
[root@rhosp10-controller ~(user-1)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| AZ1       | available   |
+-----------+-------------+

Additional info:

We are closing this bug because we have not received sufficient information to make progress. Please feel free to open this bug again when you are able to provide the required information we requested.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days