Public bug reported:

Environment: Queens installed using Kolla Ansible 6.1.0 on CentOS 7.5

I created a rule in the Keystone policy.json that should match a custom
role (domain_admin) and match the domain_id. I tried 4 variations; only
the last variation worked, which has the domain_id hard-coded:

#    "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:%(target.token.user.domain.id)s",

#    "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:%(target.token.user.domain_id)s",

#    "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:%(domain_id)s",

    "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:e93d848b2a274cb588676e029ae53348",

The goal was to use this rule for the project creation permission like this:
"identity:create_project": "rule:cloud_admin or rule:domain_admin_and_matching_domain_id",

However, I always got an error when creating a project with a test user who
belongs to the domain_admin role and the respective domain
(e93d848b2a274cb588676e029ae53348):
Forbidden: You are not authorized to perform the requested action: identity:create_project. (HTTP 403)

until I hard-coded the domain_id in the policy.json file, which led me
to believe that the syntax for the variable-driven
"domain_admin_and_matching_domain_id" rules is incorrect or something
else is wrong.

The user has the appropriate role assignment (note that this is a test
system, not production, so names and UUIDs can be publicly listed in
this ticket):

openstack role assignment list --domain e93d848b2a274cb588676e029ae53348
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
| Role                             | User                             | Group | Project | Domain                           | Inherited |
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
| 13cf2d56ff594a56a9897787ab07cff5 | ad6038fe42564ba2b8278ceae52f2964 |       |         | e93d848b2a274cb588676e029ae53348 | False     |
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+

The respective UUIDs are listed here (filtered by hand to only include
this role):

openstack role list
+----------------------------------+-------------------------------+
| ID                               | Name                          |
+----------------------------------+-------------------------------+
| 13cf2d56ff594a56a9897787ab07cff5 | domain_admin                  |
+----------------------------------+-------------------------------+

openstack user list
+----------------------------------+-------------------+
| ID                               | Name              |
+----------------------------------+-------------------+
| ad6038fe42564ba2b8278ceae52f2964 | TestDomainAdmin   |
+----------------------------------+-------------------+

openstack domain list
+----------------------------------+------------------+---------+--------------------+
| ID                               | Name             | Enabled | Description        |
+----------------------------------+------------------+---------+--------------------+
| e93d848b2a274cb588676e029ae53348 | TestDomain       | True    |                    |
+----------------------------------+------------------+---------+--------------------+

Am I missing something obvious in the policy.json file?

Thanks!

Eric

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1790428

Title:
  Keystone policy.json not matching domain_id

Status in OpenStack Identity (keystone):
  New
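The rule variants in the report, evaluated offline with a minimal stand-in for the oslo.policy rule semantics Keystone applies (an added example by the editor, not Keystone or oslo.policy code, and not part of the bug report). It rests on three assumptions: that Keystone flattens the policy target into dotted keys before enforcement, that a `kind:match` term is evaluated the way oslo.policy's GenericCheck does (the right-hand side is %-substituted from the target and a missing target key makes the term false, the left-hand side is read from the token's credentials), and that for `identity:create_project` the target is the request body under the key `project`. The extra `variant_5` rule, `domain_id:%(project.domain_id)s`, is the form the editor understands Keystone's policy.v3cloudsample.json to use for this action; verify it against the sample file shipped with your release. The credentials, the request body and the `cloud_admin` stand-in are constructed sample data; only the UUIDs come from the report.

```python
"""Minimal stand-in for the oslo.policy rule evaluation that Keystone applies to
the rules in the report (added example; editor's code, not Keystone's or
oslo.policy's).  Supports `role:`, `rule:` and generic `attr:value` terms joined
by `and`/`or` without parentheses, which is all the report's rules need."""
import re

DOMAIN = "e93d848b2a274cb588676e029ae53348"   # TestDomain, from the report
USER = "ad6038fe42564ba2b8278ceae52f2964"     # TestDomainAdmin, from the report

# Constructed credentials for a domain-scoped token held by TestDomainAdmin.
# `domain_id` is the token's scope; it is what a `domain_id:` term reads.
DOMAIN_SCOPED_CREDS = {
    "user_id": USER,
    "user_domain_id": DOMAIN,
    "domain_id": DOMAIN,
    "roles": ["domain_admin"],
}

# Constructed credentials for a project-scoped token: no `domain_id` scope key.
PROJECT_SCOPED_CREDS = {
    "user_id": USER,
    "user_domain_id": DOMAIN,
    "project_id": "0123456789abcdef0123456789abcdef",  # constructed
    "roles": ["domain_admin"],
}


def create_project_target(domain_id):
    """Policy target for identity:create_project: the request body (assumed)."""
    return {"project": {"name": "demo", "domain_id": domain_id}}


RULES = {
    "cloud_admin": "role:admin",  # simplified stand-in for the sample policy's rule
    # The report's four variants, in the order the report lists them.
    "variant_1": "role:domain_admin and domain_id:%(target.token.user.domain.id)s",
    "variant_2": "role:domain_admin and domain_id:%(target.token.user.domain_id)s",
    "variant_3": "role:domain_admin and domain_id:%(domain_id)s",
    "variant_4": "role:domain_admin and domain_id:" + DOMAIN,
    # Form the editor understands policy.v3cloudsample.json to use for this
    # action: compare the token's domain scope with the new project's domain.
    "variant_5": "role:domain_admin and domain_id:%(project.domain_id)s",
    "identity:create_project": "rule:cloud_admin or rule:variant_5",
}


def flatten(d, prefix=""):
    """Flatten nested dicts into dotted keys, as Keystone does to the target
    before enforcement: {'project': {'domain_id': 'x'}} -> {'project.domain_id': 'x'}."""
    out = {}
    for key, value in d.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out


def generic_check(kind, match, target, creds):
    """`kind:match`: %-substitute `match` from the target (missing key -> False),
    then compare with the credential named by `kind` (dotted lookup allowed)."""
    try:
        wanted = match % target
    except KeyError:
        return False
    value = creds
    try:
        for part in kind.split("."):
            value = value[part]
    except (KeyError, TypeError):
        return False
    return wanted == str(value)


def check_term(term, rules, target, creds):
    kind, _, match = term.partition(":")
    if kind == "rule":
        return enforce(match, rules, target, creds)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    return generic_check(kind, match, target, creds)


def enforce(rule, rules, target, creds):
    """True if any `and`-group of the named rule passes (no parentheses)."""
    flat = flatten(target)
    for group in re.split(r"\s+or\s+", rules[rule].strip()):
        terms = [t.strip() for t in re.split(r"\s+and\s+", group)]
        if all(check_term(t, rules, flat, creds) for t in terms):
            return True
    return False


def report_variants(creds=DOMAIN_SCOPED_CREDS, project_domain=DOMAIN):
    """Outcome of each variant for a create_project request in `project_domain`."""
    target = create_project_target(project_domain)
    return {name: enforce(name, RULES, target, creds)
            for name in RULES if name.startswith("variant_")}


if __name__ == "__main__":
    print("domain-scoped token, same domain:", report_variants())
    print("domain-scoped token, other domain:", report_variants(project_domain="f" * 32))
    print("project-scoped token:", report_variants(PROJECT_SCOPED_CREDS))
```

Under these assumptions the three variable forms fail because the create_project target contains no `target.token.*` or top-level `domain_id` key, so the substitution raises KeyError and the term is false; the hard-coded form passes because it never consults the target at all, which also means it grants the role holder project creation in every domain. The `project.domain_id` form passes only when the token's domain scope equals the requested project's domain, and all forms fail for a project-scoped token, since the `domain_id` credential is only present when the token is domain-scoped.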

