
yahoo-eng-team team mailing list archive

[Bug 1267215] [NEW] policy.v3cloudsample.json contains unparsable items

 

Public bug reported:

The havana policy.v3cloudsample.json file contains something that can't be parsed. Keystone logs 'Can't load the rule' (or something similar), failing on split(':'):
    "identity:list_role_assignments": [["admin_on_domain_filter"],
                                       ["admin_on_project_filter"]],

I guess it should be 
    "identity:list_role_assignments": [["rule:admin_on_domain_filter"],
                                       ["rule:admin_on_project_filter"]],

Also I found that I was hardly able to work with grants for projects inside a non-default domain.
I solved it by changing the rules (probably the ones provided in the sample policy.json can also be changed):
    "admin_on_domain_target" : [["rule:admin_required", "domain_id:%(target.domain.id)s"]],
    "admin_on_project_target" : [["rule:admin_required", "project_id:%(target.project.id)s"]],
    "identity:check_grant": [["rule:admin_on_project_target"],
                             ["rule:admin_on_domain_target"]],
    "identity:list_grants": [["rule:admin_on_project_target"],
                             ["rule:admin_on_domain_target"]],
    "identity:create_grant": [["rule:admin_on_project_target"],
                              ["rule:admin_on_domain_target"]],
    "identity:revoke_grant": [["rule:admin_on_project_target"],
                              ["rule:admin_on_domain_target"]],

to
    "admin_on_project_target" : [["rule:admin_required", "project_id:%(target.project.id)s"]],
    "admin_on_project_domain_target" : [["rule:admin_required", "domain_id:%(target.project.domain_id)s"]],
    "grant_admin" : [["rule:admin_on_project_target"],
                     ["rule:admin_on_project_domain_target"]],
    "identity:check_grant": [["rule:grant_admin"]],
    "identity:list_grants": [["rule:grant_admin"]],
    "identity:create_grant": [["rule:grant_admin"]],
    "identity:revoke_grant": [["rule:grant_admin"]],

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1267215

Title:
  policy.v3cloudsample.json contains unparsable items

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1267215/+subscriptions
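
A pre-deployment check for the problem reported above, as an added example that is not part of the original report or of Keystone: it walks a policy file in the list-of-lists format quoted in the message and flags checks that have no `kind:` prefix, plus `rule:` references to rules that are not defined. The sample policy is constructed, the function name `lint_policy` is hypothetical, and treating `@` and `!` as prefix-free markers is an assumption about this format.

```python
import json

# Constructed sample in the list-of-lists format quoted in the report.
# The bodies of admin_required and the two *_filter rules are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "admin_required": [["role:admin"]],
  "admin_on_domain_filter": [["rule:admin_required"]],
  "admin_on_project_filter": [["rule:admin_required"]],
  "identity:list_role_assignments": [["admin_on_domain_filter"],
                                     ["admin_on_project_filter"]],
  "identity:check_grant": [["rule:grant_admin"]]
}
""")


def lint_policy(policy):
    """Return (rule_name, check, problem, suggestion) for every bad check.

    Each rule is a list of alternatives (OR); each alternative is a list of
    "kind:match" strings (AND).
    """
    findings = []
    for name, alternatives in policy.items():
        if not isinstance(alternatives, list):
            continue  # other rule syntaxes are not checked here
        for alternative in alternatives:
            checks = alternative if isinstance(alternative, list) else [alternative]
            for check in checks:
                if not isinstance(check, str) or check in ("@", "!"):
                    continue  # "@" / "!" assumed to be prefix-free markers
                kind, sep, match = check.partition(":")
                if not sep:
                    # Bare word: nothing to split on ':'. If it names a rule
                    # defined in the same file, "rule:<name>" was likely meant.
                    hint = "rule:" + check if check in policy else None
                    findings.append((name, check, "no-kind-prefix", hint))
                elif kind == "rule" and match not in policy:
                    findings.append((name, check, "undefined-rule", None))
    return findings


if __name__ == "__main__":
    for name, check, problem, hint in lint_policy(SAMPLE_POLICY):
        print(f"{name}: {check!r}: {problem}" + (f" (try {hint!r})" if hint else ""))
```

Running it against the policy file before restarting Keystone surfaces both the bare rule names and any `rule:` reference left dangling after a rename such as the `grant_admin` change proposed in the report.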

