yahoo-eng-team team mailing list archive
Message #70710
[Bug 1699060] Re: Impossible to define policy rule based on domain ID
I agree with Sean. It is worth tackling as a cross-project topic.
As an individual project, neutron triages this in the same way as nova
does.
** Changed in: neutron
Status: New => Opinion
** Changed in: neutron
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1699060
Title:
Impossible to define policy rule based on domain ID
Status in Glance:
New
Status in OpenStack Heat:
Triaged
Status in Manila:
Opinion
Status in neutron:
Opinion
Status in OpenStack Compute (nova):
Opinion
Status in oslo.policy:
New
Status in watcher:
New
Bug description:
We have a common approach to set rules for each API using the policy.json file.
And for the moment, it is not possible to use "domain_id" in policy rules,
only "project_id" and "user_id". It becomes very important because Keystone API v3 is used more and more.
The only service that supports rules with "domain_id" is Keystone itself.
As a result, we should be able to use the following rules:
"admin_or_domain_owner": "is_admin:True or domain_id:%(domain_id)s",
"domain_owner": "domain_id:%(domain_id)s",
like this:
"volume:get": "rule:domain_owner",
or
"volume:get": "rule:admin_or_domain_owner",
Right now, we always get a 403 error with such rules.
Related mail-list thread: https://openstack.nimeyo.com/115438/openstack-dev-all-policy-rules-for-apis-based-on-domain_id
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1699060/+subscriptions
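The 403 described in the bug is easiest to see by replaying the rule evaluation. The block below is an added illustration, not code from the bug, from oslo.policy or from any of the listed projects: it is a deliberately simplified model of how oslo.policy's generic `key:value` / `key:%(target_key)s` checks are evaluated, using the two rules quoted in the description plus a constructed `project_owner` rule for comparison. The rule names, the `volume:get_by_project` action, the `enforce` helper and all credential and target values are constructed for the example. The behaviour it models is the one that produces the 403: the `%(domain_id)s` placeholder is filled from the *target* (the resource dict the service passes to the enforcer), and when a service never puts `domain_id` into that target the substitution fails and the check evaluates to false, regardless of what the caller's token says.

```python
"""Simplified model of oslo.policy rule evaluation (added example, not oslo.policy).

Supports the subset of the rule language used in the bug report:
  - ``rule:<name>``          reference to another named rule
  - ``<cred_key>:<literal>`` compare a credential attribute to a literal
  - ``<cred_key>:%(k)s``     compare a credential attribute to target[k]
  - ``and`` / ``or``         ``or`` binds loosest, ``and`` tightest (no parentheses)
"""

# Constructed rule set in the shape of a policy.json file.  The first two rules
# are the ones quoted in the bug; "project_owner" is added for comparison.
RULES = {
    "admin_or_domain_owner": "is_admin:True or domain_id:%(domain_id)s",
    "domain_owner": "domain_id:%(domain_id)s",
    "project_owner": "project_id:%(project_id)s",
    "volume:get": "rule:admin_or_domain_owner",
    "volume:get_by_project": "rule:project_owner",   # constructed action name
}


def check_atom(atom, target, creds, rules):
    """Evaluate one ``kind:match`` term against the request target and credentials."""
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return check_rule(match, target, creds, rules)
    try:
        # Placeholders such as %(domain_id)s are filled from the TARGET, i.e. the
        # resource attributes the service hands to the enforcer, not from the token.
        expected = match % target
    except KeyError:
        # Modelled on oslo.policy's GenericCheck: a key missing from the target
        # makes the check fail instead of raising.  This is the bug's 403.
        return False
    if kind not in creds:
        return False
    return str(creds[kind]) == expected


def check_rule(name, target, creds, rules):
    """Evaluate a named rule: a disjunction of conjunctions of atoms."""
    expr = rules[name]
    for conjunction in expr.split(" or "):
        atoms = [a.strip() for a in conjunction.split(" and ")]
        if all(check_atom(a, target, creds, rules) for a in atoms):
            return True
    return False


def enforce(action, target, creds, rules=RULES):
    """Return the HTTP status an API would produce: 200 on pass, 403 on failure."""
    return 200 if check_rule(action, target, creds, rules) else 403


if __name__ == "__main__":
    # Constructed token-derived credentials for a non-admin user in domain d1.
    creds = {"user_id": "u1", "project_id": "p1", "domain_id": "d1", "is_admin": False}

    # Typical service target today: only project_id is populated, no domain_id.
    target_without_domain = {"project_id": "p1"}
    print("volume:get, target lacks domain_id  ->",
          enforce("volume:get", target_without_domain, creds))             # 403
    print("volume:get_by_project, same target  ->",
          enforce("volume:get_by_project", target_without_domain, creds))  # 200

    # What the bug asks for: the service populates domain_id in the target.
    target_with_domain = {"project_id": "p1", "domain_id": "d1"}
    print("volume:get, target carries domain_id ->",
          enforce("volume:get", target_with_domain, creds))                # 200
```

The comparison between `volume:get` and `volume:get_by_project` against the same target is the whole point: the rule syntax is accepted either way, so nothing fails at load time; the rule only denies at request time because `project_id` is in the target and `domain_id` is not. Fixing it is therefore a per-service change (populate `domain_id` in the target dict passed to the enforcer) rather than a policy.json change, which is why the thread treats it as a cross-project topic.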