The policy file is protecting v3 API calls at the controller layer, but you're calling the v2 API. The policy decorators should be moved to the manager layer to protect both APIs equally... but we'd have to be very careful not to break deployments depending on the trivial "assert_admin" behavior (hence the reason we only wrapped v3 with the new policy decorators).
On Thu, Dec 12, 2013 at 1:41 AM, Qiu Yu <unic...@gmail.com> wrote: > Hi, > > I was trying to fine tune some keystone policy rules. Basically I want to > grant "create_project" action to user in "ops" role. And following are my > steps. > > 1. Adding a new user "usr1" > 2. Creating new role "ops" > 3. Granting this user a "ops" role in "service" tenant > 4. Adding new lines to keystone policy file > > "ops_required": [["role:ops"]], > "admin_or_ops": [["rule:admin_required"], ["rule:ops_required"]], > > 5. Change > > "identity:create_project": [["rule:admin_required"]], > to > "identity:create_project": [["rule:admin_or_ops"]], > > 6. Restart keystone service > > keystone tenant-create with credential of user "usr1" still returns 403 > Forbidden error. > “You are not authorized to perform the requested action, admin_required. > (HTTP 403)” > > After some quick scan, it seems that create_project function has a > hard-coded assert_admin call[1], which does not respect settings in the > policy file. > > Any ideas why? Is it a bug to fix? Thanks! > BTW, I'm running keystone havana release with V2 API. > > [1] > https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L105 > > Thanks, > -- > Qiu Yu > > _______________________________________________ > OpenStack-dev mailing list > OpenStack-dev@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > -- -Dolph
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
