yahoo-eng-team team mailing list archive

[Morgan Fainberg <morgan.fainberg@xxxxxxxxx>]

@Ben, this is nothing to do with oslo-policy. it has to do with the
values passed to oslo-policy in the creds dict. If the creds dict does
not have domain-id populated in it, you can't enforce on it.

** Changed in: oslo.policy
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1699060

Title:
  Impossible to define policy rule based on domain ID

Status in Glance:
  New
Status in OpenStack Heat:
  Triaged
Status in Manila:
  Opinion
Status in neutron:
  Opinion
Status in OpenStack Compute (nova):
  Opinion
Status in oslo.policy:
  Invalid
Status in watcher:
  Opinion

Bug description:
  We have common approach to set rules for each API using policy.json file.
  And for the moment, it is not possible to use "domain_id" in policy rules,
  only "project_id" and "user_id". It becomes very important because Keystone API v3 is used more and more.
  The only service that supports rules with "domain_id" is Keystone itself.

  As a result we should be able to use following rules:
  "admin_or_domain_owner": "is_admin:True or domain_id:%(domain_id)s",
  "domain_owner": "domain_id:%(domain_id)s",

  like this:

  "volume:get": "rule:domain_owner",

  or

  "volume:get": "rule:admin_or_domain_owner",

  Right now, we always get 403 error having such rules.

  Related mail-list thread: https://openstack.nimeyo.com/115438
  /openstack-dev-all-policy-rules-for-apis-based-on-domain_id

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1699060/+subscriptions