[KEYSTONE][POLICIES] - Overrides that don't work?

Ben Nemec openstack at nemebean.com
Mon Oct 11 15:25:29 UTC 2021


I don't believe it's possible to override the scope of a policy rule. In 
this case it sounds like the user should request a domain-scoped token 
to perform this operation. For details on how to do that, see 
https://docs.openstack.org/keystone/wallaby/admin/tokens-overview.html#authorization-scopes

On 10/6/21 7:52 AM, Gaël THEROND wrote:
> Hi team,
> 
> I'm having a weird behavior with my Openstack platform that makes me 
> think I may have misunderstood some mechanisms on the way policies are 
> working and especially the overriding.
> 
> So, long story short, I've a few services that get custom policies, such 
> as glance, that behave as expected; Keystone's aren't.
> 
> All in all, here is what I'm understanding of the mechanism:
> 
> This is the keystone policy that I'm looking to override:
> https://paste.openstack.org/show/bwuF6jFISscRllWdUURL/ 
> 
> This policy default can be found in here:
> https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/group.py#L197 
> 
> Here is the policy that I'm testing:
> https://paste.openstack.org/show/bHQ0PXvOro4lXNTlxlie/ 
> 
> I know, this policy isn't taking care of the admin role but it's not the 
> point.
> 
> From my understanding, any user with the project-manager role should be 
> able to add any available user on any available group as long as the 
> project-manager domain is the same as the target.
> 
> However, when I'm doing that, keystone complains that I'm not authorized 
> to do so because the user token scope is 'PROJECT' where it should be 
> 'SYSTEM' or 'DOMAIN'.
> 
> Now, I wouldn't be surprised by that message being thrown with the 
> default policy, as it's stated in the code with the following:
> https://opendev.org/openstack/keystone/src/branch/stable/ussuri/keystone/common/policies/group.py#L197 
> 
> So the question is, if the custom policy doesn't override the default 
> scope_types, how am I supposed to make it work?
> 
> I hope it was clear enough, but if not, feel free to ask me for more 
> information.
> 
> PS: I've tried to assign this role with a domain scope to my user and 
> I still have the same issue.
> 
> Thanks a lot everyone!
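The behaviour described in this thread (a policy.yaml override replaces the check string but not the rule's scope_types, so a project-scoped token is rejected before the check string is even evaluated) can be modelled in a few lines. The following is an added illustration, not code from Keystone, oslo.policy or the poster's pastes: it is a simplified re-implementation of the two-step enforcement, and the rule name `identity:add_user_to_group`, the check strings, the target key `target.group.domain_id` and the credential dicts are all constructed placeholders.

```python
"""Simplified model of oslo.policy-style two-step enforcement: scope check
first, check string second.  Constructed for illustration only; it is not
oslo.policy or Keystone code, and the rule name and check strings are
placeholders rather than the ones in the thread's pastes."""
from dataclasses import dataclass, field


class InvalidScope(Exception):
    """Token scope is not one of the rule's scope_types."""


class PolicyNotAuthorized(Exception):
    """Scope was acceptable but the check string did not match."""


@dataclass
class RuleDefault:
    check_str: str
    scope_types: list


@dataclass
class Enforcer:
    defaults: dict                                   # code defaults: name -> RuleDefault
    overrides: dict = field(default_factory=dict)    # policy.yaml: name -> check string
    enforce_scope: bool = True

    @staticmethod
    def token_scope(creds):
        """Derive the token scope from the credentials (simplified)."""
        if creds.get("system_scope") == "all":
            return "system"
        if creds.get("domain_id"):
            return "domain"
        return "project"

    @staticmethod
    def _matches(check_str, creds, target):
        """Evaluate 'a and b' of 'role:X' and 'key:%(target.path)s' atoms only."""
        for atom in check_str.split(" and "):
            kind, _, value = atom.strip().partition(":")
            if kind == "role":
                if value not in creds.get("roles", []):
                    return False
            elif value.startswith("%(") and value.endswith(")s"):
                if creds.get(kind) != target.get(value[2:-2]):
                    return False
            else:
                raise ValueError(f"unsupported check: {atom}")
        return True

    def enforce(self, rule, target, creds):
        default = self.defaults[rule]
        # policy.yaml may replace the check string ...
        check_str = self.overrides.get(rule, default.check_str)
        # ... but scope_types are fixed by the code default and checked first.
        scope = self.token_scope(creds)
        if self.enforce_scope and scope not in default.scope_types:
            raise InvalidScope(f"{rule}: token scope {scope!r} not in {default.scope_types}")
        if not self._matches(check_str, creds, target):
            raise PolicyNotAuthorized(rule)
        return True


# Placeholder rule modelled on the question: the code default admits a
# system- or domain-scoped token; the override grants project-manager in the
# same domain as the target group.  Neither string is copied from the pastes.
RULE = "identity:add_user_to_group"
ENFORCER = Enforcer(
    defaults={RULE: RuleDefault("role:admin", ["system", "domain"])},
    overrides={RULE: "role:project-manager and domain_id:%(target.group.domain_id)s"},
)
TARGET = {"target.group.domain_id": "d1"}          # flattened target dict, constructed

# Constructed credentials for three token scopes, each carrying the role.
PROJECT_SCOPED = {"roles": ["project-manager"], "project_id": "p1", "project_domain_id": "d1"}
DOMAIN_SCOPED = {"roles": ["project-manager"], "domain_id": "d1"}
OTHER_DOMAIN = {"roles": ["project-manager"], "domain_id": "d2"}


def outcome(creds, target=TARGET, enforcer=ENFORCER):
    """Return which of the two checks rejected the request, or 'allowed'."""
    try:
        enforcer.enforce(RULE, target, creds)
        return "allowed"
    except InvalidScope:
        return "invalid-scope"
    except PolicyNotAuthorized:
        return "not-authorized"


if __name__ == "__main__":
    for label, creds in [("project", PROJECT_SCOPED), ("domain", DOMAIN_SCOPED),
                         ("other domain", OTHER_DOMAIN)]:
        print(f"{label:>13}-scoped token: {outcome(creds)}")
```

Running it shows the three distinct results the thread is about: the project-scoped token fails with a scope error regardless of what the override says, the domain-scoped token in the target's domain is allowed, and the domain-scoped token from another domain gets past the scope check and is then refused by the check string.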