
yahoo-eng-team team mailing list archive

[Bug 1790428] Re: Keystone policy.json not matching domain_id

 

Just to be clear, this has always been the case.  The documentation for
the cloud sample stated it needed to be edited.

Of course, I tripped over this exact problem.  A few times.  I once
proposed reading policy values from the config file as a work around.

But this is not a bug.  As Lance put it, work is underway to make sure we
don't need to do this in the future, but the cloud sample is just that,
a sample policy file, and it needs to be edited to be correct.

** Changed in: keystone
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1790428

Title:
  Keystone policy.json not matching domain_id

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Environment: Queens installed using Kolla Ansible 6.1.0 on CentOS 7.5

  I created a rule in the Keystone policy.json that should match a
  custom role (domain_admin) and match the domain_id.  I tried 4
  variations, only the last variation worked, which has the domain_id
  hard-coded:

  #    "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:%(target.token.user.domain.id)s",

  #    "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:%(target.token.user.domain_id)s",

  #    "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:%(domain_id)s",

      "domain_admin_and_matching_domain_id": "role:domain_admin and domain_id:e93d848b2a274cb588676e029ae53348",

  The goal was to use this rule for the project creation permission like this:
  "identity:create_project": "rule:cloud_admin or rule:domain_admin_and_matching_domain_id",

  However, I always got an error when creating a project with a test user who belongs to the domain_admin role and the respective domain (e93d848b2a274cb588676e029ae53348):
  Forbidden: You are not authorized to perform the requested action: identity:create_project. (HTTP 403)

  until I hard-coded the domain_id in the policy.json file, which led me
  to believe that the syntax for the variable-driven
  "domain_admin_and_matching_domain_id" rules is incorrect or something
  else is wrong.

  The user has the appropriate role assignment (note that this is a test
  system, not production, so names and UUIDs can be publicly listed in
  this ticket):

  openstack role assignment list --domain e93d848b2a274cb588676e029ae53348
  +----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
  | Role                             | User                             | Group | Project | Domain                           | Inherited |
  +----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+
  | 13cf2d56ff594a56a9897787ab07cff5 | ad6038fe42564ba2b8278ceae52f2964 |       |         | e93d848b2a274cb588676e029ae53348 | False     |
  +----------------------------------+----------------------------------+-------+---------+----------------------------------+-----------+

  The respective UUIDs are listed here (filtered by hand to only include
  this role):

  openstack role list
  +----------------------------------+-------------------------------+
  | ID                               | Name                          |
  +----------------------------------+-------------------------------+
  | 13cf2d56ff594a56a9897787ab07cff5 | domain_admin                  |
  +----------------------------------+-------------------------------+

  openstack user list
  +----------------------------------+-------------------+
  | ID                               | Name              |
  +----------------------------------+-------------------+
  | ad6038fe42564ba2b8278ceae52f2964 | TestDomainAdmin   |
  +----------------------------------+-------------------+

  openstack domain list
  +----------------------------------+------------------+---------+--------------------+
  | ID                               | Name             | Enabled | Description        |
  +----------------------------------+------------------+---------+--------------------+
  | e93d848b2a274cb588676e029ae53348 | TestDomain       | True    |                    |
  +----------------------------------+------------------+---------+--------------------+

  Am I missing something obvious in the policy.json file?

  Thanks!

  Eric

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1790428/+subscriptions
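
The following is an added example, not code from Keystone, oslo.policy or this bug report: a small Python re-implementation of the subset of the policy.json rule grammar used above (rule:, role:, key:%(path)s, key:literal, and/or, parentheses), run against the four candidate rules from the report plus two further constructed rules. It assumes that Keystone flattens the policy target into dotted keys before enforcement, that the target for identity:create_project is the request body (so the domain id sits at project.domain_id, which is my understanding of the key the v3 cloud sample policy uses, not something this page states), and that the credentials of a domain-scoped token carry domain_id and roles. The rule names via_*, hardcoded and cloud_admin_edited, the cloud_admin rule text, the creds dict and the request body are all constructed here.

```python
# Toy evaluator for the rule grammar of Keystone's policy.json (added example;
# not Keystone or oslo.policy code; see the lead-in for what it assumes).
import ast

def flatten_dict(d, prefix=""):
    """{"project": {"domain_id": x}} -> {"project.domain_id": x} (assumed target shape)."""
    flat = {}
    for key, value in d.items():
        full = prefix + key
        flat.update(flatten_dict(value, full + ".") if isinstance(value, dict) else {full: value})
    return flat

def _tokenize(rule):
    """Split on whitespace, peeling '(' / ')' off word ends so %(key)s stays in its check."""
    tokens = []
    for word in rule.split():
        inner = word.lstrip("(")
        tokens.extend("(" * (len(word) - len(inner)))
        core = inner.rstrip(")")
        if core:
            tokens.append(core.lower() if core.lower() in ("and", "or") else core)
        tokens.extend(")" * (len(inner) - len(core)))
    return tokens

def _parse(tokens, level=0):
    """Recursive descent: level 0 = or-expression, 1 = and-expression, 2 = atom."""
    if level < 2:
        op = ("or", "and")[level]
        node = _parse(tokens, level + 1)
        while tokens and tokens[0] == op:
            tokens.pop(0)
            node = (op, node, _parse(tokens, level + 1))
        return node
    tok = tokens.pop(0)                      # IndexError on a truncated rule
    if tok == "(":
        node = _parse(tokens)
        if tokens.pop(0) != ")":
            raise ValueError("unbalanced parenthesis")
        return node
    kind, _, match = tok.partition(":")
    return ("check", kind, match)

def _evaluate(node, target, creds, rules):
    op = node[0]
    if op in ("or", "and"):
        left = _evaluate(node[1], target, creds, rules)
        right = _evaluate(node[2], target, creds, rules)
        return (left or right) if op == "or" else (left and right)
    _, kind, match = node
    if kind == "rule":   # another named rule; an unknown name fails closed
        return enforce(rules, match, target, creds)
    if kind == "role":   # case-insensitive membership in the token's roles
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: fill %(key)s from the TARGET, compare with the credential named
    # by kind (or a literal like True).  A key missing from the target silently yields False.
    try:
        expected = match % target
    except KeyError:
        return False
    try:
        actual = ast.literal_eval(kind)
    except (ValueError, SyntaxError):
        if kind not in creds:
            return False
        actual = creds[kind]
    return expected == str(actual)

def enforce(rules, rule_name, target, creds):
    """Evaluate rules[rule_name] against a nested target dict and token creds."""
    if rule_name not in rules:
        return False
    tokens = _tokenize(rules[rule_name])
    try:
        tree = _parse(tokens)
    except (ValueError, IndexError):   # malformed rule: fail closed
        return False
    return False if tokens else _evaluate(tree, flatten_dict(target), creds, rules)

DOMAIN_ID = "e93d848b2a274cb588676e029ae53348"   # TestDomain, from the report
# Constructed policy: the report's candidates under short names, the assumed
# project.domain_id form, and cloud_admin with the sample's unedited placeholder.
POLICY = {
    "cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
    "cloud_admin_edited": "role:admin and (is_admin_project:True or domain_id:default)",
    "via_token_domain_dot_id": "role:domain_admin and domain_id:%(target.token.user.domain.id)s",
    "via_token_domain_id": "role:domain_admin and domain_id:%(target.token.user.domain_id)s",
    "via_domain_id": "role:domain_admin and domain_id:%(domain_id)s",
    "hardcoded": "role:domain_admin and domain_id:" + DOMAIN_ID,
    "via_project_domain_id": "role:domain_admin and domain_id:%(project.domain_id)s",
    "identity:create_project": "rule:cloud_admin or rule:via_project_domain_id",
}
# Constructed: creds of a domain-scoped token for TestDomainAdmin, and a create_project body.
DOMAIN_ADMIN_CREDS = {"domain_id": DOMAIN_ID, "roles": ["domain_admin"]}
CREATE_TARGET = {"project": {"name": "demo", "domain_id": DOMAIN_ID}}

def evaluate_candidates(target=CREATE_TARGET, creds=DOMAIN_ADMIN_CREDS):
    """{rule name: allowed?} for every rule in POLICY against one create_project call."""
    return {name: enforce(POLICY, name, target, creds) for name in POLICY}

if __name__ == "__main__":
    for name, allowed in evaluate_candidates().items():
        print(f"{name:26} {'allowed' if allowed else 'denied'}")
```

Run it directly to see one line per rule. All three variable-driven candidates from the report are denied because the flattened target holds only project.name and project.domain_id, so the %(...)s substitution raises KeyError inside the generic check and the check is simply False; nothing is logged and the caller sees only the 403. The hard-coded domain id passes because it needs nothing from the target, and %(project.domain_id)s passes because that key is present. The unedited cloud_admin rule can never match a real token, which is the editing the comment above refers to. Real oslo.policy returns False on a missing target key in the same way; caching, in-code policy defaults and scope checks are not modelled here.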
