[openstack-dev] [Keystone] policy has no effect because of hard coded assert_admin?

Qiu Yu unicell at gmail.com
Thu Dec 12 07:41:20 UTC 2013


I was trying to fine tune some keystone policy rules. Basically I want to
grant "create_project" action to user in "ops" role. And following are my

1. Adding a new user "usr1"
2. Creating new role "ops"
3. Granting this user a "ops" role in "service" tenant
4. Adding new lines to keystone policy file

        "ops_required": [["role:ops"]],
        "admin_or_ops": [["rule:admin_required"], ["rule:ops_required"]],

5. Change

        "identity:create_project": [["rule:admin_required"]],
        "identity:create_project": [["rule:admin_or_ops"]],

6. Restart keystone service

keystone tenant-create with credential of user "usr1" still returns 403
Forbidden error.
“You are not authorized to perform the requested action, admin_required.
(HTTP 403)”

After some quick scan, it seems that create_project function has a
hard-coded assert_admin call[1], which does not respect settings in the
policy file.

Any ideas why? Is it a bug to fix? Thanks!
BTW, I'm running keystone havana release with V2 API.


Qiu Yu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131212/449279ca/attachment.html>

More information about the OpenStack-dev mailing list