yahoo-eng-team team mailing list archive
Message #74555
[Bug 1790428] [NEW] Keystone policy.json not matching domain_id
Public bug reported:
Environment: Queens installed using Kolla Ansible 6.1.0 on CentOS 7.5
I created a rule in the Keystone policy.json that should match a custom
role (domain_admin) and match the domain_id. I tried 4 variations; only
the last variation worked, which has the domain_id hard-coded:
# "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:%(target.token.user.domain.id)s",
# "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:%(target.token.user.domain_id)s",
# "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:%(domain_id)s",
"domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:e93d848b2a274cb588676e029ae53348",
The goal was to use this rule for the project creation permission like this:
"identity:create_project": "rule:cloud_admin or rule:domain_admin_and_matching_domain_id",
However, I always got an error when creating a project with a test user who belongs to the domain_admin role and the respective domain (e93d848b2a274cb588676e029ae53348):
Forbidden: You are not authorized to perform the requested action: identity:create_project. (HTTP 403)
until I hard-coded the domain_id in the policy.json file, which led me
to believe that the syntax for the variable-driven
"domain_admin_and_matching_domain_id" rules is incorrect or something
else is wrong.
The user has the appropriate role assignment (note that this is a test
system, not production, so names and UUIDs can be publicly listed in
this ticket):
openstack role assignment list --domain e93d848b2a274cb588676e029ae53348
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
| Role | User | Group | Project | Domain | Inherited |
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
| 13cf2d56ff594a56a9897787ab07cff5 | ad6038fe42564ba2b8278ceae52f2964 | | | e93d848b2a274cb588676e029ae53348 | False |
+----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
The respective UUIDs are listed here (filtered by hand to only include
this role):
openstack role list
+----------------------------------+-------------------------------+
| ID | Name |
+----------------------------------+-------------------------------+
| 13cf2d56ff594a56a9897787ab07cff5 | domain_admin |
+----------------------------------+-------------------------------+
openstack user list
+----------------------------------+-------------------+
| ID | Name |
+----------------------------------+-------------------+
| ad6038fe42564ba2b8278ceae52f2964 | TestDomainAdmin |
+----------------------------------+-------------------+
openstack domain list
+----------------------------------+------------------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+------------------+---------+--------------------+
| e93d848b2a274cb588676e029ae53348 | TestDomain | True | |
+----------------------------------+------------------+---------+--------------------+
Am I missing something obvious in the policy.json file?
Thanks!
Eric
** Affects: keystone
Importance: Undecided
Status: New
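As an added illustration (not part of Eric's report, and not keystone's or oslo.policy's own code), the following small Python model shows how oslo.policy resolves a `%(...)s` variable against the flattened target of a request: a variable naming an attribute the target does not carry makes the clause fail closed, which is exactly the 403 above, while a literal domain_id needs no substitution at all. For identity:create_project the target keystone passes is the request body under the `project` key, so keystone's own policy.v3cloudsample.json uses `%(project.domain_id)s` for this comparison; the example evaluates that form alongside the three tried in the report, with the token credentials and target constructed from the UUIDs listed above.

```python
"""Simplified model of oslo.policy's GenericCheck for rules such as
"role:domain_admin and domain_id:%(project.domain_id)s".  Constructed
example; not oslo.policy's or keystone's code.  Modelled behaviour:
  * the target dict is flattened to dotted keys ('project.domain_id');
  * '%(key)s' is substituted from the flattened target, and a missing
    key makes the clause False (deny) instead of raising;
  * the left-hand side ('domain_id') is read from the *credentials*,
    i.e. the calling token, and compared as a string.
"""

DOMAIN = "e93d848b2a274cb588676e029ae53348"   # domain from the report

def flatten(d, prefix=""):
    """{'project': {'domain_id': x}} -> {'project.domain_id': x}"""
    out = {}
    for k, v in d.items():
        key = f"{prefix}{k}"
        if isinstance(v, dict):
            out.update(flatten(v, key + "."))
        else:
            out[key] = v
    return out

def clause_ok(clause, creds, flat_target):
    kind, _, match = clause.strip().partition(":")
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        match = match % flat_target      # substitute %(...)s, if present
    except KeyError:
        return False                     # unknown target attribute: deny
    return kind in creds and str(creds[kind]) == str(match)

def enforce(rule, creds, target):
    flat = flatten(target)
    return all(clause_ok(c, creds, flat) for c in rule.split(" and "))

# Constructed inputs: the report's test user token, and the target keystone
# builds for identity:create_project (the request body, keyed 'project').
CREDS = {"roles": ["domain_admin"], "domain_id": DOMAIN,
         "user_id": "ad6038fe42564ba2b8278ceae52f2964"}
TARGET = {"project": {"name": "demo", "domain_id": DOMAIN}}

RULES = {
    "token_path": "role:domain_admin and domain_id:%(target.token.user.domain.id)s",
    "bare":       "role:domain_admin and domain_id:%(domain_id)s",
    "literal":    f"role:domain_admin and domain_id:{DOMAIN}",
    "project":    "role:domain_admin and domain_id:%(project.domain_id)s",
}

def evaluate_all():
    """Returns {'token_path': False, 'bare': False, 'literal': True, 'project': True}."""
    return {name: enforce(rule, CREDS, TARGET) for name, rule in RULES.items()}
```

The first two variables never appear in the create_project target, so the check denies silently rather than reporting a bad attribute name, which is why only the hard-coded form appeared to work.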
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1790428
Title:
Keystone policy.json not matching domain_id
Status in OpenStack Identity (keystone):
New