<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hello</p>
    <p><br>
    </p>
    <p>I think this old link explains the reason behind this
      "inconsistency" with the policy.json rules:<br>
    </p>
    <p><a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/keystone/+bug/1373599">https://bugs.launchpad.net/keystone/+bug/1373599</a><br>
    </p>
    <p>So to summarize, the RBAC allows identity:list_trusts for a
      non-admin user (cf. policy.json), but then hard-coded policies deny
      the request if the user is not an admin.<br>
    </p>
    <p>Quote:</p>
    <p>The policies in policy.json can make these operations more
      restricted, but not less restricted than the hard-coded
      restrictions. We can't simply remove these settings from
      policy.json, as that would cause the "default" rule to be used
      which makes trusts unusable in the case of the default "default"
      rule of "admin_required". </p>
    <p><br>
    </p>
    <p>Cheers</p>
    <p>Francois<br>
    </p>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 9/9/19 1:57 PM, Francois Scheurer
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:bd332d5a-358c-3f88-8763-9dae896d8019@everyware.ch">
      <p>Hi All</p>
      <p><br>
      </p>
      <p>I found an answer here</p>
      <p><a class="moz-txt-link-freetext"
          href="https://bugs.launchpad.net/keystone/+bug/1373599">https://bugs.launchpad.net/keystone/+bug/1373599</a></p>
      <p><br>
      </p>
    </blockquote>
    <div class="moz-cite-prefix">On 9/6/19 5:59 PM, Francois Scheurer
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:29841c08-d255-2ee4-346a-bcce04b7f4ad@everyware.ch">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <pre>Dear Keystone Experts,</pre>
      <pre>I have an issue with the openstack client in stage (using Rocky), using a user 'fsc' without 'admin' role and with password auth.</pre>
      <pre>'openstack trust create/show' works.</pre>
      <pre>'openstack trust list' is denied.</pre>
      <pre>But keystone policy.json says:
</pre>
      <pre>    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
    "identity:list_trusts": "",
    "identity:list_roles_for_trust": "",
    "identity:get_role_for_trust": "",
    "identity:delete_trust": "",
    "identity:get_trust": "",
</pre>
      <pre>So "openstack trust list" is always allowed.</pre>
      <pre>In the keystone log (I replaced the UIDs by names in the output below) I see that 'identity:list_trusts()' was actually granted,
but just after that an <u><b>admin_required()</b></u> check is done and fails... I wonder why...
</pre>
      <pre>There is also a flag <b>is_admin_project=True</b> in the RBAC creds for some reason...

Any clue? Many thanks in advance!


Cheers
Francois


</pre>
      <pre>#openstack --os-cloud stage-fsc trust create --project fscproject --role creator fsc fsc
#=> fails because of the names and policy rules, but using UIDs it works
openstack --os-cloud stage-fsc trust create --project aeac4b07d8b144178c43c65f29fa9dac --role 085180eeaf354426b01908cca8e82792 3e9b1a4fe95048a3b98fb5abebd44f6c 3e9b1a4fe95048a3b98fb5abebd44f6c
+--------------------+----------------------------------+
| Field              | Value                            |
+--------------------+----------------------------------+
| deleted_at         | None                             |
| expires_at         | None                             |
| id                 | e74bcdf125e049c69c2e0ab1b182df5b |
| impersonation      | False                            |
| project_id         | fscproject |
| redelegation_count | 0                                |
| remaining_uses     | None                             |
| roles              | creator                          |
| trustee_user_id    | fsc |
| trustor_user_id    | fsc |
+--------------------+----------------------------------+

openstack --os-cloud stage-fsc trust show e74bcdf125e049c69c2e0ab1b182df5b
+--------------------+----------------------------------+
| Field              | Value                            |
+--------------------+----------------------------------+
| deleted_at         | None                             |
| expires_at         | None                             |
| id                 | e74bcdf125e049c69c2e0ab1b182df5b |
| impersonation      | False                            |
| project_id         | fscproject |
| redelegation_count | 0                                |
| remaining_uses     | None                             |
| roles              | creator                          |
| trustee_user_id    | fsc |
| trustor_user_id    | fsc |
+--------------------+----------------------------------+

#this fails:
openstack --os-cloud stage-fsc trust list
<b>You are not authorized to perform the requested action: admin_required. (HTTP 403)</b>
</pre>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 


EveryWare AG
François Scheurer
Senior Systems Engineer
Zurlindenstrasse 52a
CH-8003 Zürich

tel: +41 44 466 60 00
fax: +41 44 466 60 10
mail: <a class="moz-txt-link-abbreviated" href="mailto:francois.scheurer@everyware.ch">francois.scheurer@everyware.ch</a>
web: <a class="moz-txt-link-freetext" href="http://www.everyware.ch">http://www.everyware.ch</a> </pre>
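    <p>Added example, not part of the thread and not Keystone's own code: a self-contained Python model of the two-layer authorization the thread describes. Layer 1 is the operator-editable policy.json rule for the action; layer 2 is the hard-coded check inside the trust handler. Because both layers must pass, policy.json can tighten but never loosen the hard-coded restriction, and deleting the "identity:list_trusts" key only makes things worse, since the "default" rule ("rule:admin_required") then applies. The rule evaluator covers only a subset of the oslo.policy language (empty rule, rule:, role:, key:value with %(target)s substitution, "and"/"or"); the "admin_required" and "default" rule values are assumed to be the stock ones; and the filtered branch of list_trusts (a user may list trusts naming their own user_id as trustor or trustee) is an assumption about Keystone's controller that the thread itself does not show. User names, roles and trust records are constructed.</p>

```python
"""Two-layer authorization model for Keystone trust operations (added example;
a standalone model of what the thread describes, not Keystone's own code).
Layer 1: the operator-editable policy.json rule.  Layer 2: a hard-coded check in
the handler.  Both must pass, so policy.json can only tighten, never loosen."""
import re

# Constructed policy: the trust rules quoted in the thread plus the stock
# "admin_required" / "default" rules they fall back on (assumed values).
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "default": "rule:admin_required",
    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
    "identity:list_trusts": "",
    "identity:get_trust": "",
    "identity:delete_trust": "",
}


class Forbidden(Exception):
    """Raised with the name of the layer that denied the request."""


def _atom(atom, creds, target, policy):
    """Evaluate one policy atom: '' (always), rule:<name>, role:<name>, <key>:<value>."""
    atom = atom.strip()
    if atom == "":
        return True
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return check_policy(value, creds, target, policy)
    if kind == "role":
        return value in creds.get("roles", ())
    m = re.fullmatch(r"%\((.+)\)s", value)   # e.g. '%(trust.trustor_user_id)s'
    if m:
        value = target.get(m.group(1))       # substituted from the flattened target
    return str(creds.get(kind)) == str(value)


def check_policy(action, creds, target, policy=POLICY):
    """Layer 1: evaluate the policy.json rule for `action` (subset of the
    oslo.policy language: atoms joined by ' and ' / ' or ', no parentheses,
    'and' binding tighter).  A missing key falls back to the 'default' rule,
    which is the trap the thread quotes."""
    rule = policy.get(action, policy["default"])
    return any(all(_atom(a, creds, target, policy) for a in conj.split(" and "))
               for conj in rule.split(" or "))


def is_admin(creds, policy=POLICY):
    return check_policy("admin_required", creds, {}, policy)


def create_trust(creds, trust, policy=POLICY):
    """No hard-coded layer here: policy.json alone requires trustor == caller."""
    target = {"trust." + k: v for k, v in trust.items()}   # flattened, as in the rule
    if not check_policy("identity:create_trust", creds, target, policy):
        raise Forbidden("policy.json: identity:create_trust")
    return dict(trust)


def list_trusts(creds, trusts, trustor_user_id=None, trustee_user_id=None,
                policy=POLICY):
    """Layer 1, then layer 2, in the order the thread's keystone log shows.
    Unfiltered listing needs admin whatever policy.json says.  The filtered
    branch (a user may list trusts naming their own user_id) is an assumption
    about Keystone's controller, not something the thread shows."""
    if not check_policy("identity:list_trusts", creds, {}, policy):
        raise Forbidden("policy.json: identity:list_trusts")
    if trustor_user_id is None and trustee_user_id is None:
        if not is_admin(creds, policy):            # hard-coded, not overridable
            raise Forbidden("hard-coded: admin_required")
        return list(trusts)
    me = creds.get("user_id")
    if trustor_user_id not in (None, me) or trustee_user_id not in (None, me):
        raise Forbidden("hard-coded: may only filter on your own user_id")
    return [t for t in trusts
            if (trustor_user_id and t["trustor_user_id"] == trustor_user_id)
            or (trustee_user_id and t["trustee_user_id"] == trustee_user_id)]


def decide(fn, *args, **kwargs):
    """Return 'allowed' or the denial reason instead of raising."""
    try:
        fn(*args, **kwargs)
        return "allowed"
    except Forbidden as exc:
        return str(exc)


# Constructed sample data: the thread's scenario with names instead of UUIDs.
FSC = {"user_id": "fsc", "roles": ["creator"]}
ADMIN = {"user_id": "root", "roles": ["admin"]}
TRUSTS = [{"id": "e74bcdf125e049c69c2e0ab1b182df5b", "trustor_user_id": "fsc", "trustee_user_id": "fsc"},
          {"id": "constructed-trust-2", "trustor_user_id": "bob", "trustee_user_id": "alice"}]

if __name__ == "__main__":
    print("list, unfiltered, fsc:  ", decide(list_trusts, FSC, TRUSTS))     # hard-coded: admin_required
    print("list, unfiltered, admin:", decide(list_trusts, ADMIN, TRUSTS))   # allowed
    print("list, trustor=fsc, fsc: ", [t["id"] for t in list_trusts(FSC, TRUSTS, trustor_user_id="fsc")])
    # Removing the key from policy.json does not help: the 'default' rule takes over.
    stripped = {k: v for k, v in POLICY.items() if k != "identity:list_trusts"}
    print("list, key removed, fsc: ", decide(list_trusts, FSC, TRUSTS, trustor_user_id="fsc", policy=stripped))
```

    <p>For the 'fsc' credentials the unfiltered listing passes the policy.json check and is then refused by the hard-coded admin check, which is the sequence the keystone log in the thread shows; the last call illustrates why removing the rule from policy.json is not a fix.</p>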
  </body>
</html>