Bug 888066 - Log entry when a regular user does "keystone user-list" is not helpful
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 2.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 5.0 (RHEL 7)
Assignee: Adam Young
QA Contact: Ami Jeain
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-12-17 23:15 UTC by Russell Bryant
Modified: 2015-06-04 21:50 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-27 15:45:01 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Launchpad 1266921 0 None None None Never

Description Russell Bryant 2012-12-17 23:15:42 UTC
"keystone user-list" is an admin only command.  When a regular user tries to execute it, you get a helpful response at the command line:

[root@rhel ~(keystone_username)]# keystone user-list
You are not authorized to perform the requested action: admin_required (HTTP 403)

However, this same message is in /var/log/keystone/keystone.log:

2012-12-17 17:27:29  WARNING [keystone.common.wsgi] You are not authorized to perform the requested action: admin_required

This log entry is not helpful.  As an administrator, all this tells you is that *someone* tried to execute *something* that they weren't allowed to.  Without any information about who or what, the log entry isn't useful.

Comment 2 Alan Pevec 2013-02-19 00:33:33 UTC
> This log entry is not helpful.  As an administrator, all this tells you is
> that *someone* tried to execute *something* that they weren't allowed to. 
> Without any information about who or what, the log entry isn't useful.

keystone.exception.ForbiddenAction records only the action; adding more context requires upstream changes in the policy engine.

Comment 4 Nathan Kinder 2014-02-27 15:45:01 UTC
This was closed as WONTFIX upstream, as the issue only affects the v2 API (the problem is not present in v3).  Closing this as WONTFIX as well, as this doesn't seem like it's a critical issue.
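
Added example (not part of the bug report and not Keystone's code): one way a service could log an authorization denial with the "who" and "what" the description asks for, while the client still receives only the generic 403. The ForbiddenAction class is a stand-in that, as Comment 2 describes, carries only the action; the context keys, function names and sample values are assumptions.

```python
import logging

LOG = logging.getLogger("authz_example")  # hypothetical logger name


class ForbiddenAction(Exception):
    """Stand-in exception that records only the denied action."""

    def __init__(self, action):
        super().__init__("You are not authorized to perform the "
                         "requested action: %s" % action)
        self.action = action


def require_admin(context):
    """Toy policy check (assumption): only the admin role passes."""
    if "admin" not in context.get("roles", ()):
        raise ForbiddenAction("admin_required")


def _clean(value):
    """Escape CR/LF so caller-supplied fields cannot forge extra log lines."""
    return str(value).replace("\r", "\\r").replace("\n", "\\n")


def denial_record(context, operation, exc):
    """Build the log text: which rule failed, for whom, doing what, from where."""
    fields = [("rule", exc.action), ("operation", operation)]
    fields += [(k, context.get(k, "-"))
               for k in ("user_id", "tenant_id", "remote_addr")]
    return "authorization denied: " + " ".join(
        "%s=%s" % (k, _clean(v)) for k, v in fields)


def handle(context, operation, check=require_admin):
    """Return an HTTP status; the detail goes to the log, not the client."""
    try:
        check(context)
    except ForbiddenAction as exc:
        LOG.warning(denial_record(context, operation, exc))
        return 403
    return 200


# Constructed sample request context, not taken from a real deployment.
SAMPLE = {"user_id": "u-1001", "tenant_id": "t-42",
          "roles": ["member"], "remote_addr": "192.0.2.10"}
```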

