← Back to team overview

openstack team mailing list archive

[Keystone] Policy settings not working correctly


Heyho guys :)

I've a little problem with policy settings in keystone. I've create a
new rule in my policy-file and restarts keystone but keystone i don't
have privileges.


keystone user-create --name kadmin --pw lala
keystone user-role-add --

keystone role-list --user kadmin --role KeystoneAdmin --tenant admin

|                id                |         name         |
| 3f5c0af585db46aeaec49da28900de28 |    KeystoneAdmin     |
| dccfed0bd790420bbf1982686cbf7e31 | KeystoneServiceAdmin |

cat /etc/keystone/policy.json

    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner" : [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],

    "default": [["rule:admin_required"]],
    "identity:list_users": [["rule:admin_or_kadmin"]],

<loading kadmin creds>

keystone user-list
Unable to communicate with identity service: {"error": {"message": "You
are not authorized to perform the requested action: admin_required",
"code": 403, "title": "Not Authorized"}}. (HTTP 403)

In log file i see:
DEBUG [keystone.policy.backends.rules] enforce admin_required:
{'tenant_id': u'b33bf3927d4e449a98cec4a883148110', 'user_id':
u'46a6a9e429db483f8346f0259e99d6a5', u'roles': [u'KeystoneAdmin']}

Why does keystone enforce /admin_required/ rule instead of the defined
rule (/admin_or_kadmin/).

Keystone conf:

# Path to your policy definition containing identity actions
policy_file = policy.json
driver = keystone.policy.backends.rules.Policy

Any have an idea ?

Thx and greetings

Follow ups