yahoo-eng-team team mailing list archive

[Bug 1790428] [NEW] Keystone policy.json not matching domain_id


Public bug reported:

Environment: Queens installed using Kolla Ansible 6.1.0 on CentOS 7.5

I created a rule in the Keystone policy.json that should match a custom
role (domain_admin) and match the domain_id. I tried 4 variations; only
the last variation worked, which has the domain_id hard-coded:

#    "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:%(target.token.user.domain.id)s",

#    "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:%(target.token.user.domain_id)s",

#    "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:%(domain_id)s",

    "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:e93d848b2a274cb588676e029ae53348",

The goal was to use this rule for the project creation permission like this:
"identity:create_project": "rule:cloud_admin or rule:domain_admin_and_matching_domain_id",

However, I always got an error when creating a project with a test user who belongs to the domain_admin role and the respective domain (e93d848b2a274cb588676e029ae53348):
Forbidden: You are not authorized to perform the requested action: identity:create_project. (HTTP 403)

until I hard-coded the domain_id in the policy.json file, which led me
to believe that the syntax for the variable-driven
"domain_admin_and_matching_domain_id" rules is incorrect or something
else is wrong.

The user has the appropriate role assignment (note that this is a test
system, not production, so names and UUIDs can be publicly listed in
this ticket):

openstack role assignment list --domain e93d848b2a274cb588676e029ae53348
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
| Role                             | User                             | Group | Project | Domain                           | Inherited |
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
| 13cf2d56ff594a56a9897787ab07cff5 | ad6038fe42564ba2b8278ceae52f2964 |       |         | e93d848b2a274cb588676e029ae53348 | False     |
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+

The respective UUIDs are listed here (filtered by hand to only include
this role):

openstack role list
+----------------------------------+-------------------------------+
| ID                               | Name                          |
+----------------------------------+-------------------------------+
| 13cf2d56ff594a56a9897787ab07cff5 | domain_admin                  |
+----------------------------------+-------------------------------+

openstack user list
+----------------------------------+-------------------+
| ID                               | Name              |
+----------------------------------+-------------------+
| ad6038fe42564ba2b8278ceae52f2964 | TestDomainAdmin   |
+----------------------------------+-------------------+

openstack domain list
+----------------------------------+------------------+---------+--------------------+
| ID                               | Name             | Enabled | Description        |
+----------------------------------+------------------+---------+--------------------+
| e93d848b2a274cb588676e029ae53348 | TestDomain       | True    |                    |
+----------------------------------+------------------+---------+--------------------+

Am I missing something obvious in the policy.json file?

Thanks!

Eric

** Affects: keystone
     Importance: Undecided
         Status: New
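The behaviour Eric describes follows from how a `domain_id:%(key)s` check is evaluated: the `%(key)s` part is substituted from the policy *target* (the flattened request data), and the result is compared with the `domain_id` that the caller's token carries in the *credentials*. If the named key is missing from the target, the substitution fails and the check is simply false, which is what a 403 with no further detail looks like. A literal value skips the substitution and is compared with the credentials directly, so the hard-coded variant passes for anyone whose token is scoped to that one domain. The script below is an added illustration for this thread, not code from the report, from keystone or from oslo.policy: it is a small model of the check semantics, with the target shape (`project.domain_id`, as keystone's shipped policy.v3cloudsample.json expects for `identity:create_project`) and the credential fields (`roles`, `domain_id` of a domain-scoped token) stated as assumptions; the sample IDs and rule strings are taken from the report.

```python
"""Toy model of oslo.policy 'role:' and generic 'domain_id:%(key)s' checks.

Added example; not oslo.policy or keystone code. Assumptions (labelled):
  * keystone flattens the request body into the policy target with dotted
    keys, so the body of a create_project call is visible as
    'project.domain_id';
  * the credentials of a domain-scoped token expose 'roles' and 'domain_id'.
"""

DOMAIN = "e93d848b2a274cb588676e029ae53348"      # TestDomain, from the report
OTHER_DOMAIN = "00000000000000000000000000000000"  # constructed second domain


def flatten_dict(d, parent=""):
    """{'project': {'domain_id': X}} -> {'project.domain_id': X} (assumed keystone behaviour)."""
    out = {}
    for k, v in d.items():
        key = f"{parent}.{k}" if parent else k
        if isinstance(v, dict):
            out.update(flatten_dict(v, key))
        else:
            out[key] = v
    return out


def evaluate_check(check, target, creds):
    """Evaluate one 'kind:match' check against target and credentials."""
    kind, _, match = check.partition(":")
    if kind == "role":
        # RoleCheck: the named role must be among the token's roles.
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # GenericCheck: substitute %(key)s from the target; a missing key means
    # the check fails rather than raising.
    try:
        expected = match % target
    except KeyError:
        return False
    # A literal (no substitution) or the substituted target value is then
    # compared with the credential field of the same name.
    if kind not in creds:
        return False
    return str(creds[kind]) == expected


def evaluate_rule(rule, target, creds):
    """Only 'a and b' conjunctions are modelled; enough for the report's rules."""
    return all(evaluate_check(c.strip(), target, creds) for c in rule.split(" and "))


# Policy target for a create_project request into TestDomain (assumed shape).
TARGET = flatten_dict({"project": {"name": "demo", "domain_id": DOMAIN}})

# Credentials of the report's TestDomainAdmin with a token scoped to TestDomain
# (assumed field names), and of a constructed domain_admin from another domain.
CREDS_TESTDOMAIN = {"user_id": "ad6038fe42564ba2b8278ceae52f2964",
                    "roles": ["domain_admin"], "domain_id": DOMAIN}
CREDS_OTHER = {"user_id": "constructed-user", "roles": ["domain_admin"],
               "domain_id": OTHER_DOMAIN}

RULES = {
    "token_domain_dotted": "role:domain_admin and domain_id:%(target.token.user.domain.id)s",
    "token_domain_id": "role:domain_admin and domain_id:%(target.token.user.domain_id)s",
    "bare_domain_id": "role:domain_admin and domain_id:%(domain_id)s",
    "hard_coded": f"role:domain_admin and domain_id:{DOMAIN}",
    # Variant used by keystone's policy.v3cloudsample.json for this purpose.
    "project_domain_id": "role:domain_admin and domain_id:%(project.domain_id)s",
}


def run_all():
    """Return {rule_name: (result for TestDomainAdmin, result for other-domain admin)}."""
    return {name: (evaluate_rule(rule, TARGET, CREDS_TESTDOMAIN),
                   evaluate_rule(rule, TARGET, CREDS_OTHER))
            for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, (same_domain, other_domain) in run_all().items():
        print(f"{name:20s} TestDomainAdmin={same_domain!s:5s} other-domain admin={other_domain}")
```

Under these assumptions the three `%(...)s` variants from the report fail for everyone because no such key exists in the flattened target; the hard-coded rule passes only for tokens scoped to that exact domain and has to be edited for every new domain; and `%(project.domain_id)s` passes for the TestDomain admin while denying a domain_admin from another domain who tries to create a project in TestDomain, which is the property a per-domain admin rule is meant to enforce.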

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1790428

Title:
  Keystone policy.json not matching domain_id

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1790428/+subscriptions
