[Yahoo-eng-team] [Bug 1267215] Re: policy.v3cloudsample.json contains unparsable items

Sun, 21 Sep 2014 07:32:00 -0700 

At this point it is too late for this fix to land in Havana. Marking as
won't fix.

** Changed in: keystone/havana
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1267215

Title:
  policy.v3cloudsample.json contains unparsable items

Status in OpenStack Identity (Keystone):
  Invalid
Status in Keystone havana series:
  Won't Fix

Bug description:
  havana policy.v3cloudsample.json file containts something that can't be 
parsed.  Keystone logs 'Can't load the rule' (or something similar) failing on 
split(':')
      "identity:list_role_assignments": [["admin_on_domain_filter"],
                                         ["admin_on_project_filter"]],

  I guess it should be
      "identity:list_role_assignments": [["rule:admin_on_domain_filter"],
                                         ["rule:admin_on_project_filter"]],

  Also I found that I was hardly able work with grants for projects  inside not 
default domain.
  I solved it by changing the rules (probably ones provided in sample 
policy.json also can be changed):
     "admin_on_domain_target" : [["rule:admin_required", 
"domain_id:%(target.domain.id)s"]],
      "admin_on_project_target" : [["rule:admin_required", 
"project_id:%(target.project.id)s"]],
      "identity:check_grant": [["rule:admin_on_project_target"],
                               ["rule:admin_on_domain_target"]],
      "identity:list_grants": [["rule:admin_on_project_target"],
                               ["rule:admin_on_domain_target"]],
      "identity:create_grant": [["rule:admin_on_project_target"],
                                ["rule:admin_on_domain_target"]],
      "identity:revoke_grant": [["rule:admin_on_project_target"],
                                ["rule:admin_on_domain_target"]],

  to
      "admin_on_project_target" : [["rule:admin_required", 
"project_id:%(target.project.id)s"]],
      "admin_on_project_domain_target" : [["rule:admin_required", 
"domain_id:%(target.project.domain_id)s"]],
      "grant_admin" : [["rule:admin_on_project_target"],
                       ["rule:admin_on_project_domain_target"]],
      "identity:check_grant": [["rule:grant_admin"]],
      "identity:list_grants": [["rule:grant_admin"]],
      "identity:create_grant": [["rule:grant_admin"]],
      "identity:revoke_grant": [["rule:grant_admin"]],

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1267215/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to