yahoo-eng-team team mailing list archive
Message #65142
[Bug 1699060] [NEW] Impossible to define policy rule based on domain ID
Public bug reported:
We have a common approach to setting rules for each API using the policy.json file.
And for the moment, it is not possible to use "domain_id" in policy rules,
only "project_id" and "user_id". It becomes very important because Keystone API v3 is used more and more.
The only service that supports rules with "domain_id" is Keystone itself.
As a result, we should be able to use the following rules:
"admin_or_domain_owner": "is_admin:True or domain_id:%(domain_id)s",
"domain_owner": "domain_id:%(domain_id)s",
like this:
"volume:get": "rule:domain_owner",
or
"volume:get": "rule:admin_or_domain_owner",
Right now, we always get a 403 error with such rules.
** Affects: cinder
Importance: Undecided
Status: New
** Affects: glance
Importance: Undecided
Status: New
** Affects: heat
Importance: Undecided
Status: New
** Affects: manila
Importance: Undecided
Status: New
** Affects: murano
Importance: Undecided
Status: New
** Affects: neutron
Importance: Undecided
Status: New
** Affects: nova
Importance: Undecided
Status: New
** Tags: policy
** Also affects: manila
Importance: Undecided
Status: New
** Description changed:
We have common approach to set rules for each API using policy.json file.
And for the moment, it is not possible to use "domain_id" in policy rules,
only "project_id" and "user_id". It becomes very important because Keystone API v3
is used more and more.
The only service that supports rules with "domain_id" is Keystone itself.
+
+ As a result we should be able to use following rules:
+ "admin_or_domain_owner": "is_admin:True or domain_id:%(domain_id)s",
+ "domain_owner": "domain_id:%(domain_id)s",
+
+ like this:
+
+ "volume:get": "rule:domain_owner",
+
+ or
+
+ "volume:get": "rule:admin_or_domain_owner",
** Tags added: policy
** Also affects: nova
Importance: Undecided
Status: New
** Also affects: neutron
Importance: Undecided
Status: New
** Also affects: glance
Importance: Undecided
Status: New
** Also affects: murano
Importance: Undecided
Status: New
** Also affects: heat
Importance: Undecided
Status: New
** Description changed:
We have common approach to set rules for each API using policy.json file.
And for the moment, it is not possible to use "domain_id" in policy rules,
only "project_id" and "user_id". It becomes very important because Keystone API v3
is used more and more.
The only service that supports rules with "domain_id" is Keystone itself.
As a result we should be able to use following rules:
"admin_or_domain_owner": "is_admin:True or domain_id:%(domain_id)s",
"domain_owner": "domain_id:%(domain_id)s",
like this:
"volume:get": "rule:domain_owner",
or
"volume:get": "rule:admin_or_domain_owner",
+
+ Right now, we always get 403 error having such rules.
** Description changed:
We have common approach to set rules for each API using policy.json file.
And for the moment, it is not possible to use "domain_id" in policy rules,
- only "project_id" and "user_id". It becomes very important because Keystone API v3
- is used more and more.
+ only "project_id" and "user_id". It becomes very important because Keystone API v3 is used more and more.
The only service that supports rules with "domain_id" is Keystone itself.
As a result we should be able to use following rules:
"admin_or_domain_owner": "is_admin:True or domain_id:%(domain_id)s",
"domain_owner": "domain_id:%(domain_id)s",
like this:
"volume:get": "rule:domain_owner",
or
"volume:get": "rule:admin_or_domain_owner",
Right now, we always get 403 error having such rules.
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1699060
Title:
Impossible to define policy rule based on domain ID
Status in Cinder:
New
Status in Glance:
New
Status in heat:
New
Status in Manila:
New
Status in Murano:
New
Status in neutron:
New
Status in OpenStack Compute (nova):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1699060/+subscriptions
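The failure described in the report, as an added example that is not part of the bug or of any OpenStack project's code: a minimal evaluator for policy.json-style rule strings (the `RULES` table, `enforce`, `volume_get_allowed` and the sample credential/target dicts are constructed here) showing that a `domain_id:%(domain_id)s` check can only succeed once the service puts `domain_id` into the enforcement target; while only `project_id` and `user_id` are supplied, every non-admin request is denied.

```python
import re

# Added example (not oslo.policy or any OpenStack project's code): a tiny
# evaluator for policy.json-style rule strings, enough to show why the rules
# in the report always deny.
RULES = {
    "admin_or_domain_owner": "is_admin:True or domain_id:%(domain_id)s",
    "domain_owner": "domain_id:%(domain_id)s",
    "volume:get": "rule:admin_or_domain_owner",
}

class PolicyNotAuthorized(Exception):
    """Rule denied the request; the API layer turns this into HTTP 403."""

def _check_atom(atom, creds, target):
    kind, _, match = atom.partition(":")
    if kind == "rule":                       # reference to another named rule
        return _check(RULES[match], creds, target)
    sub = re.fullmatch(r"%\((\w+)\)s", match)
    if sub:                                  # generic check against the target
        key = sub.group(1)
        if key not in target:                # service never supplied it -> deny
            return False
        return creds.get(kind) == target[key]
    return str(creds.get(kind)) == match     # literal, e.g. is_admin:True

def _check(rule, creds, target):
    # "or" binds looser than "and", as in oslo.policy's rule grammar
    return any(all(_check_atom(a.strip(), creds, target) for a in clause.split(" and "))
               for clause in rule.split(" or "))

def enforce(action, target, creds):
    if not _check(RULES[action], creds, target):
        raise PolicyNotAuthorized(action)
    return True

def volume_get_allowed(target, creds):
    """True if volume:get passes, False where the user would see a 403."""
    try:
        return enforce("volume:get", target, creds)
    except PolicyNotAuthorized:
        return False

# Constructed sample data: a non-admin caller in domain d1.
CREDS = {"user_id": "u1", "project_id": "p1", "domain_id": "d1", "is_admin": False}
TARGET_AS_REPORTED = {"project_id": "p1", "user_id": "u1"}    # no domain_id -> 403
TARGET_WITH_DOMAIN = dict(TARGET_AS_REPORTED, domain_id="d1")  # what the rule needs
```

Running `volume_get_allowed(TARGET_AS_REPORTED, CREDS)` returns False and `volume_get_allowed(TARGET_WITH_DOMAIN, CREDS)` returns True; the fix direction is therefore on the service side (populating `domain_id` in the target), not in the rule text.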
Follow ups
-
[Bug 1699060] Re: Impossible to define policy rule based on domain ID
From: Morgan Fainberg, 2018-10-24
-
[Bug 1699060] Re: Impossible to define policy rule based on domain ID
From: Alexander Chadin, 2018-02-28
-
[Bug 1699060] Re: Impossible to define policy rule based on domain ID
From: Akihiro Motoki, 2018-01-30
-
[Bug 1699060] Re: Impossible to define policy rule based on domain ID
From: Sean McGinnis, 2018-01-18
-
[Bug 1699060] Re: Impossible to define policy rule based on domain ID
From: Ben Swartzlander, 2018-01-18
-
[Bug 1699060] Re: Impossible to define policy rule based on domain ID
From: Sean Dague, 2017-06-23
-
[Bug 1699060] Re: Impossible to define policy rule based on domain ID
From: Kirill Zaitsev, 2017-06-20
-
[Bug 1699060] Re: Impossible to define policy rule based on domain ID
From: gordon chung, 2017-06-20
-
[Bug 1699060] Re: Impossible to define policy rule based on domain ID
From: Valeriy Ponomaryov, 2017-06-20
-
[Bug 1699060] Re: Impossible to define policy rule based on domain ID
From: Valeriy Ponomaryov, 2017-06-20
-
[Bug 1699060] Re: Impossible to define policy rule based on domain ID
From: Valeriy Ponomaryov, 2017-06-20