<div dir="ltr">All right, I'll test that out a bit more using a native Keystone user type as for now I'm dealing with ADFS/SSO based users that can't use CLI because ECP isn't available and so rely on Application Credentials that are project scoped ^^</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le mar. 12 oct. 2021 à 18:18, Ben Nemec <<a href="mailto:openstack@nemebean.com">openstack@nemebean.com</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Probably. I'm not an expert on writing Keystone policies so I can't <br>
promise anything. :-)<br>
<br>
However, I'm fairly confident that if you get a properly scoped token it <br>
will get you past your current error. Anything beyond that would be a <br>
barely educated guess on my part.<br>
<br>
On 10/11/21 12:18 PM, Gaël THEROND wrote:<br>
> Hi ben! Thanks a lot for the answer!<br>
> <br>
> Ok I’ll get a look at that, but if I correctly understand a user with a <br>
> role of project-admin attached to him as a scoped to domain he should be <br>
> able to add users to a group once the policy update right?<br>
> <br>
> Once again thanks a lot for your answer!<br>
> <br>
> Le lun. 11 oct. 2021 à 17:25, Ben Nemec <<a href="mailto:openstack@nemebean.com" target="_blank">openstack@nemebean.com</a> <br>
> <mailto:<a href="mailto:openstack@nemebean.com" target="_blank">openstack@nemebean.com</a>>> a écrit :<br>
> <br>
> I don't believe it's possible to override the scope of a policy<br>
> rule. In<br>
> this case it sounds like the user should request a domain-scoped token<br>
> to perform this operation. For details on who to do that, see<br>
> <a href="https://docs.openstack.org/keystone/wallaby/admin/tokens-overview.html#authorization-scopes" rel="noreferrer" target="_blank">https://docs.openstack.org/keystone/wallaby/admin/tokens-overview.html#authorization-scopes</a><br>
> <<a href="https://docs.openstack.org/keystone/wallaby/admin/tokens-overview.html#authorization-scopes" rel="noreferrer" target="_blank">https://docs.openstack.org/keystone/wallaby/admin/tokens-overview.html#authorization-scopes</a>><br>
> <br>
> On 10/6/21 7:52 AM, Gaël THEROND wrote:<br>
> > Hi team,<br>
> ><br>
> > I'm having a weird behavior with my Openstack platform that makes me<br>
> > think I may have misunderstood some mechanisms on the way<br>
> policies are<br>
> > working and especially the overriding.<br>
> ><br>
> > So, long story short, I've few services that get custom policies<br>
> such as<br>
> > glance that behave as expected, Keystone's one aren't.<br>
> ><br>
> > All in all, here is what I'm understanding of the mechanism:<br>
> ><br>
> > This is the keystone policy that I'm looking to override:<br>
> > <a href="https://paste.openstack.org/show/bwuF6jFISscRllWdUURL/" rel="noreferrer" target="_blank">https://paste.openstack.org/show/bwuF6jFISscRllWdUURL/</a><br>
> <<a href="https://paste.openstack.org/show/bwuF6jFISscRllWdUURL/" rel="noreferrer" target="_blank">https://paste.openstack.org/show/bwuF6jFISscRllWdUURL/</a>><br>
> > <<a href="https://paste.openstack.org/show/bwuF6jFISscRllWdUURL/" rel="noreferrer" target="_blank">https://paste.openstack.org/show/bwuF6jFISscRllWdUURL/</a><br>
> <<a href="https://paste.openstack.org/show/bwuF6jFISscRllWdUURL/" rel="noreferrer" target="_blank">https://paste.openstack.org/show/bwuF6jFISscRllWdUURL/</a>>><br>
> ><br>
> > This policy default can be found in here:<br>
> ><br>
> <a href="https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/group.py#L197" rel="noreferrer" target="_blank">https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/group.py#L197</a><br>
> <<a href="https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/group.py#L197" rel="noreferrer" target="_blank">https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/group.py#L197</a>><br>
> <br>
> ><br>
> <<a href="https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/group.py#L197" rel="noreferrer" target="_blank">https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/group.py#L197</a><br>
> <<a href="https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/group.py#L197" rel="noreferrer" target="_blank">https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/group.py#L197</a>>><br>
> ><br>
> > Here is the policy that I'm testing:<br>
> > <a href="https://paste.openstack.org/show/bHQ0PXvOro4lXNTlxlie/" rel="noreferrer" target="_blank">https://paste.openstack.org/show/bHQ0PXvOro4lXNTlxlie/</a><br>
> <<a href="https://paste.openstack.org/show/bHQ0PXvOro4lXNTlxlie/" rel="noreferrer" target="_blank">https://paste.openstack.org/show/bHQ0PXvOro4lXNTlxlie/</a>><br>
> > <<a href="https://paste.openstack.org/show/bHQ0PXvOro4lXNTlxlie/" rel="noreferrer" target="_blank">https://paste.openstack.org/show/bHQ0PXvOro4lXNTlxlie/</a><br>
> <<a href="https://paste.openstack.org/show/bHQ0PXvOro4lXNTlxlie/" rel="noreferrer" target="_blank">https://paste.openstack.org/show/bHQ0PXvOro4lXNTlxlie/</a>>><br>
> ><br>
> > I know, this policy isn't taking care of the admin role but it's<br>
> not the<br>
> > point.<br>
> ><br>
> > From my understanding, any user with the project-manager role<br>
> should be<br>
> > able to add any available user on any available group as long as the<br>
> > project-manager domain is the same as the target.<br>
> ><br>
> > However, when I'm doing that, keystone complains that I'm not<br>
> authorized<br>
> > to do so because the user token scope is 'PROJECT' where it<br>
> should be<br>
> > 'SYSTEM' or 'DOMAIN'.<br>
> ><br>
> > Now, I wouldn't be surprised of that message being thrown out<br>
> with the<br>
> > default policy as it's stated on the code with the following:<br>
> ><br>
> <a href="https://opendev.org/openstack/keystone/src/branch/stable/ussuri/keystone/common/policies/group.py#L197" rel="noreferrer" target="_blank">https://opendev.org/openstack/keystone/src/branch/stable/ussuri/keystone/common/policies/group.py#L197</a><br>
> <<a href="https://opendev.org/openstack/keystone/src/branch/stable/ussuri/keystone/common/policies/group.py#L197" rel="noreferrer" target="_blank">https://opendev.org/openstack/keystone/src/branch/stable/ussuri/keystone/common/policies/group.py#L197</a>><br>
> <br>
> ><br>
> <<a href="https://opendev.org/openstack/keystone/src/branch/stable/ussuri/keystone/common/policies/group.py#L197" rel="noreferrer" target="_blank">https://opendev.org/openstack/keystone/src/branch/stable/ussuri/keystone/common/policies/group.py#L197</a><br>
> <<a href="https://opendev.org/openstack/keystone/src/branch/stable/ussuri/keystone/common/policies/group.py#L197" rel="noreferrer" target="_blank">https://opendev.org/openstack/keystone/src/branch/stable/ussuri/keystone/common/policies/group.py#L197</a>>><br>
> ><br>
> > So the question is, if the custom policy doesn't override the<br>
> default<br>
> > scope_types how am I supposed to make it work?<br>
> ><br>
> > I hope it was clear enough, but if not, feel free to ask me for more<br>
> > information.<br>
> ><br>
> > PS: I've tried to assign this role with a domain scope to my user<br>
> and<br>
> > I've still the same issue.<br>
> ><br>
> > Thanks a lot everyone!<br>
> ><br>
> ><br>
> <br>
</blockquote></div>