yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1699060] Re: Impossible to define policy rule based on domain ID

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: gordon chung <gord@xxxxxxx>
Date: Tue, 20 Jun 2017 12:44:23 -0000
Reply-to: Bug 1699060 <1699060@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

please don't create these openstack-wide bugs, it spams everyone. i've
removed telemetry projects but feel free to apply patches to them (don't
do it for ceilometer since it doesn't have an active api).

** No longer affects: aodh

** No longer affects: ceilometer

** No longer affects: panko

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1699060

Title:
Impossible to define policy rule based on domain ID

Status in Cinder:
New
Status in Glance:
New
Status in heat:
New
Status in Manila:
New
Status in Murano:
New
Status in neutron:
New
Status in OpenStack Compute (nova):
New
Status in watcher:
New

Bug description:
We have common approach to set rules for each API using policy.json file.
And for the moment, it is not possible to use "domain_id" in policy rules,
only "project_id" and "user_id". It becomes very important because Keystone API v3 is used more and more.
The only service that supports rules with "domain_id" is Keystone itself.

As a result we should be able to use following rules:
"admin_or_domain_owner": "is_admin:True or domain_id:%(domain_id)s",
"domain_owner": "domain_id:%(domain_id)s",

like this:

"volume:get": "rule:domain_owner",

"volume:get": "rule:admin_or_domain_owner",

Right now, we always get 403 error having such rules.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1699060/+subscriptions

References

[Bug 1699060] [NEW] Impossible to define policy rule based on domain ID
From: Valeriy Ponomaryov, 2017-06-20