
yahoo-eng-team team mailing list archive

[Bug 1699060] [NEW] Impossible to define policy rule based on domain ID


Public bug reported:

We have a common approach to set rules for each API using the policy.json file.
And for the moment, it is not possible to use "domain_id" in policy rules,
only "project_id" and "user_id". It becomes very important because Keystone API v3 is used more and more.
The only service that supports rules with "domain_id" is Keystone itself.

As a result, we should be able to use the following rules:
"admin_or_domain_owner": "is_admin:True or domain_id:%(domain_id)s",
"domain_owner": "domain_id:%(domain_id)s",

like this:

"volume:get": "rule:domain_owner",

or

"volume:get": "rule:admin_or_domain_owner",

Right now, we always get a 403 error with such rules.

** Affects: cinder
     Importance: Undecided
         Status: New

** Affects: glance
     Importance: Undecided
         Status: New

** Affects: heat
     Importance: Undecided
         Status: New

** Affects: manila
     Importance: Undecided
         Status: New

** Affects: murano
     Importance: Undecided
         Status: New

** Affects: neutron
     Importance: Undecided
         Status: New

** Affects: nova
     Importance: Undecided
         Status: New


** Tags: policy

** Also affects: manila
   Importance: Undecided
       Status: New


** Tags added: policy

** Also affects: nova
   Importance: Undecided
       Status: New

** Also affects: neutron
   Importance: Undecided
       Status: New

** Also affects: glance
   Importance: Undecided
       Status: New

** Also affects: murano
   Importance: Undecided
       Status: New

** Also affects: heat
   Importance: Undecided
       Status: New


-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1699060

Title:
  Impossible to define policy rule based on domain ID

Status in Cinder:
  New
Status in Glance:
  New
Status in heat:
  New
Status in Manila:
  New
Status in Murano:
  New
Status in neutron:
  New
Status in OpenStack Compute (nova):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1699060/+subscriptions
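Added illustration, not code from the bug report, oslo.policy or any of the affected projects: a minimal re-implementation of the oslo.policy "generic check" semantics, run against the rules quoted in the report. It shows why a rule on domain_id fails closed (the 403) when the service builds its policy target from project_id and user_id only, and passes once the target carries the owning domain. All credential and target values are constructed.

```python
"""Simplified model of how oslo.policy evaluates 'kind:match' checks and
'rule:' references. Only 'or' alternatives are supported here; this is an
illustration for the bug report, not the library's own code."""

# Constructed policy fragment using the rules quoted in the bug report.
POLICY = {
    "admin_or_domain_owner": "is_admin:True or domain_id:%(domain_id)s",
    "domain_owner": "domain_id:%(domain_id)s",
    "volume:get": "rule:admin_or_domain_owner",
}


def generic_check(kind, match, creds, target):
    """Substitute target attributes into the match, then compare with the
    credential attribute of the same name. A target without the referenced
    key (KeyError) or a credential without that attribute fails closed."""
    try:
        match = match % target
    except KeyError:
        return False
    if kind not in creds:
        return False
    return str(creds[kind]) == match


def check_rule(expr, creds, target, policy=POLICY):
    """Evaluate 'or'-separated alternatives: each is either a 'rule:<name>'
    reference into the policy or a 'kind:match' generic check."""
    for alt in expr.split(" or "):
        kind, _, match = alt.strip().partition(":")
        if kind == "rule":
            ok = check_rule(policy[match], creds, target, policy)
        else:
            ok = generic_check(kind, match, creds, target)
        if ok:
            return True
    return False


def enforce_volume_get(creds, target):
    """Return True if 'volume:get' is allowed, False for a 403 (constructed API name from the report)."""
    return check_rule(POLICY["volume:get"], creds, target)


# Credentials as a Keystone v3 token supplies them (constructed values).
CREDS = {"user_id": "u1", "project_id": "p1", "domain_id": "d1", "is_admin": False}
# Target as the service builds it today: no domain, so the rule cannot match.
TARGET_WITHOUT_DOMAIN = {"project_id": "p1", "user_id": "u1"}
# Target including the owning domain, which lets the domain_owner rule match.
TARGET_WITH_DOMAIN = {"project_id": "p1", "user_id": "u1", "domain_id": "d1"}
```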
