Bug 888066 - Log entry when a regular user does "keystone user-list" is not helpful
Log entry when a regular user does "keystone user-list" is not helpful
Status: CLOSED WONTFIX
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone (Show other bugs)
2.1
Unspecified Unspecified
unspecified Severity unspecified
: ---
: 5.0 (RHEL 7)
Assigned To: Adam Young
Ami Jeain
: FutureFeature, Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-12-17 18:15 EST by Russell Bryant
Modified: 2015-06-04 17:50 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-27 10:45:01 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1266921 None None None Never

  None (edit)
Description Russell Bryant 2012-12-17 18:15:42 EST
"keystone user-list" is an admin only command.  When a regular user tries to execute it, you get a helpful response at the command line:

[root@rhel ~(keystone_username)]# keystone user-list
You are not authorized to perform the requested action: admin_required (HTTP 403)

However, this same message is in /var/log/keystone/keystone.log:

2012-12-17 17:27:29  WARNING [keystone.common.wsgi] You are not authorized to perform the requested action: admin_required

This log entry is not helpful.  As an administrator, all this tells you is that *someone* tried to execute *something* that they weren't allowed to.  Without any information about who or what, the log entry isn't useful.
Comment 2 Alan Pevec 2013-02-18 19:33:33 EST
> This log entry is not helpful.  As an administrator, all this tells you is
> that *someone* tried to execute *something* that they weren't allowed to. 
> Without any information about who or what, the log entry isn't useful.

keystone.exception.ForbiddenAction records only action, adding more context requires upstream changes in policy engine
Comment 4 Nathan Kinder 2014-02-27 10:45:01 EST
This was closed as WONTFIX upstream, as the issue only affects the v2 API (the problem is not present in v3).  Closing this as WONTFIX as well, as this doesn't seem like it's a critical issue.

Note You need to log in before you can comment on or make changes to this bug.