Just to be clear, this has always been the case. The documentation for the cloud sample stated it needed to be edited.

Of course, I tripped over this exact problem. A few times. I once proposed reading policy values from the config file as a workaround. But this is not a bug. As Lance put it, work is underway to make sure we don't need to do this in the future, but the cloudsample is just that, a sample policy file, and it needs to be edited to be correct.

** Changed in: keystone
   Status: Incomplete => Invalid

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1790428

Title:
  Keystone policy.json not matching domain_id

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Environment: Queens installed using Kolla Ansible 6.1.0 on CentOS 7.5

  I created a rule in the Keystone policy.json that should match a custom role (domain_admin) and match the domain_id. I tried 4 variations; only the last variation worked, which has the domain_id hard-coded:

  # "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:%(target.token.user.domain.id)s",
  # "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:%(target.token.user.domain_id)s",
  # "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:%(domain_id)s",
  "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:e93d848b2a274cb588676e029ae53348",

  The goal was to use this rule for the project creation permission like this:

  "identity:create_project": "rule:cloud_admin or rule:domain_admin_and_matching_domain_id",

  However, I always got an error when creating a project with a test user who belongs to the domain_admin role and the respective domain (e93d848b2a274cb588676e029ae53348):

  Forbidden: You are not authorized to perform the requested action: identity:create_project. (HTTP 403)

  until I hard-coded the domain_id in the policy.json file, which led me to believe that the syntax for the variable-driven "domain_admin_and_matching_domain_id" rules is incorrect or something else is wrong.

  The user has the appropriate role assignment (note that this is a test system, not production, so names and UUIDs can be publicly listed in this ticket):

  openstack role assignment list --domain e93d848b2a274cb588676e029ae53348
  +----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
  | Role                             | User                             | Group | Project | Domain                           | Inherited |
  +----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
  | 13cf2d56ff594a56a9897787ab07cff5 | ad6038fe42564ba2b8278ceae52f2964 |       |         | e93d848b2a274cb588676e029ae53348 | False     |
  +----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+

  The respective UUIDs are listed here (filtered by hand to only include this role):

  openstack role list
  +----------------------------------+-------------------------------+
  | ID                               | Name                          |
  +----------------------------------+-------------------------------+
  | 13cf2d56ff594a56a9897787ab07cff5 | domain_admin                  |
  +----------------------------------+-------------------------------+

  openstack user list
  +----------------------------------+-------------------+
  | ID                               | Name              |
  +----------------------------------+-------------------+
  | ad6038fe42564ba2b8278ceae52f2964 | TestDomainAdmin   |
  +----------------------------------+-------------------+

  openstack domain list
  +----------------------------------+------------------+---------+--------------------+
  | ID                               | Name             | Enabled | Description        |
  +----------------------------------+------------------+---------+--------------------+
  | e93d848b2a274cb588676e029ae53348 | TestDomain       | True    |                    |
  +----------------------------------+------------------+---------+--------------------+

  Am I missing something obvious in the policy.json file?

  Thanks!
  Eric

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1790428/+subscriptions
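Added example, not part of the bug report or of Keystone/oslo.policy itself: a simplified re-implementation of how a `key:%(path)s` policy atom is resolved, which shows why a placeholder that names a key absent from the flattened target fails silently as a plain 403 while a hard-coded value matches. The credential and target dictionaries, the `project.domain_id` target key and the `flatten` helper are constructed assumptions about the shape Keystone hands to the policy engine, not taken from the report.

```python
import re

DOMAIN = "e93d848b2a274cb588676e029ae53348"  # domain id quoted in the report


def flatten(d, parent=""):
    """Flatten a nested dict into dotted keys (assumed target shape)."""
    out = {}
    for k, v in d.items():
        key = f"{parent}.{k}" if parent else k
        out.update(flatten(v, key) if isinstance(v, dict) else {key: v})
    return out


def check_atom(atom, target, creds):
    """'role:X' looks at the caller's roles; 'key:value' %-formats value
    against the target and compares it with creds[key]. A placeholder the
    target lacks is a silent False, which is what surfaces as HTTP 403."""
    kind, _, match = atom.partition(":")
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        wanted = match % target  # a literal (hard-coded) value passes through
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == wanted


def evaluate(rule, target, creds):
    return all(check_atom(a.strip(), target, creds) for a in rule.split(" and "))


def missing_placeholders(rule, target):
    """Placeholder names in the rule that the flattened target does not supply."""
    return [n for n in re.findall(r"%\(([^)]+)\)s", rule) if n not in target]


# Constructed caller credentials and request target for identity:create_project.
CREDS = {"roles": ["domain_admin"], "domain_id": DOMAIN}
TARGET = flatten({"project": {"name": "demo", "domain_id": DOMAIN}})

RULES = {
    "token_path": "role:domain_admin and domain_id:%(target.token.user.domain.id)s",
    "flat": "role:domain_admin and domain_id:%(domain_id)s",
    "hardcoded": f"role:domain_admin and domain_id:{DOMAIN}",
    "project_path": "role:domain_admin and domain_id:%(project.domain_id)s",  # assumed key
}


def results():
    return {name: evaluate(rule, TARGET, CREDS) for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, rule in RULES.items():
        print(f"{name:13} allowed={evaluate(rule, TARGET, CREDS)} "
              f"missing={missing_placeholders(rule, TARGET)}")
```

Running `missing_placeholders` against a dump of the real target is the quickest way to tell a wrong key name from a wrong role assignment, since the engine itself reports neither.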