[Openstack-operators] Keystone policy.v3cloudsample.json

Paul Belanger paul.belanger at polybeacon.com
Wed Dec 11 03:03:49 UTC 2013


On Thu, Dec 5, 2013 at 9:43 PM, Paul Belanger
<paul.belanger at polybeacon.com> wrote:
> Greetings list,
>
> I wanted to see if anybody was using the policy.v3cloudsample.json[1]
> file from Keystone? I'm having some troubles getting it working
> properly and get the following error back:
>
>    Unauthorized: You are not authorized to perform the requested
> action, identity:list_users. (HTTP 403)
>
> From keystone.log I see the following errors:
>
> 2013-12-06 02:38:44.080 19783 ERROR keystone.openstack.common.policy
> [-] Failed to understand rule admin_on_domain_filter
> 2013-12-06 02:38:44.080 19783 TRACE keystone.openstack.common.policy
> Traceback (most recent call last):
> 2013-12-06 02:38:44.080 19783 TRACE keystone.openstack.common.policy
> File "/usr/lib/python2.7/dist-packages/keystone/openstack/common/policy.py",
> line 475, in _parse_check
> 2013-12-06 02:38:44.080 19783 TRACE keystone.openstack.common.policy
>   kind, match = rule.split(':', 1)
> 2013-12-06 02:38:44.080 19783 TRACE keystone.openstack.common.policy
> ValueError: need more than 1 value to unpack
> 2013-12-06 02:38:44.080 19783 TRACE keystone.openstack.common.policy
> 2013-12-06 02:38:44.081 19783 ERROR keystone.openstack.common.policy
> [-] Failed to understand rule admin_on_project_filter
> 2013-12-06 02:38:44.081 19783 TRACE keystone.openstack.common.policy
> Traceback (most recent call last):
> 2013-12-06 02:38:44.081 19783 TRACE keystone.openstack.common.policy
> File "/usr/lib/python2.7/dist-packages/keystone/openstack/common/policy.py",
> line 475, in _parse_check
> 2013-12-06 02:38:44.081 19783 TRACE keystone.openstack.common.policy
>   kind, match = rule.split(':', 1)
> 2013-12-06 02:38:44.081 19783 TRACE keystone.openstack.common.policy
> ValueError: need more than 1 value to unpack
> 2013-12-06 02:38:44.081 19783 TRACE keystone.openstack.common.policy
> 2013-12-06 02:38:44.084 19783 ERROR keystone.openstack.common.policy
> [-] Failed to understand rule admin_on_domain_filter
> 2013-12-06 02:38:44.084 19783 TRACE keystone.openstack.common.policy
> Traceback (most recent call last):
> 2013-12-06 02:38:44.084 19783 TRACE keystone.openstack.common.policy
> File "/usr/lib/python2.7/dist-packages/keystone/openstack/common/policy.py",
> line 475, in _parse_check
> 2013-12-06 02:38:44.084 19783 TRACE keystone.openstack.common.policy
>   kind, match = rule.split(':', 1)
> 2013-12-06 02:38:44.084 19783 TRACE keystone.openstack.common.policy
> ValueError: need more than 1 value to unpack
> 2013-12-06 02:38:44.084 19783 TRACE keystone.openstack.common.policy
> 2013-12-06 02:38:44.085 19783 ERROR keystone.openstack.common.policy
> [-] Failed to understand rule admin_on_project_filter
> 2013-12-06 02:38:44.085 19783 TRACE keystone.openstack.common.policy
> Traceback (most recent call last):
> 2013-12-06 02:38:44.085 19783 TRACE keystone.openstack.common.policy
> File "/usr/lib/python2.7/dist-packages/keystone/openstack/common/policy.py",
> line 475, in _parse_check
> 2013-12-06 02:38:44.085 19783 TRACE keystone.openstack.common.policy
>   kind, match = rule.split(':', 1)
> 2013-12-06 02:38:44.085 19783 TRACE keystone.openstack.common.policy
> ValueError: need more than 1 value to unpack
> 2013-12-06 02:38:44.085 19783 TRACE keystone.openstack.common.policy
>
> Any suggestions or reading material I could read?
>
> [1] https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json
>
So a mere 5 days later I've finally made some progress. I think I must
be the first person to use it, since there was zero action on Google
about it.

So, right now I have both a cloud_admin (global) and domain_admin
working. I have a few patches up on review.o.o to get merged but I
figure a blog posting might be a good idea.

That said, is anybody else running custom policy.json files or mostly
using stock?

-- 
Paul Belanger | PolyBeacon, Inc.
Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
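
Added example, not part of the original message and not Keystone code: a small policy linter for the failure in the quoted traceback, where `rule.split(':', 1)` is handed a check that has no `kind:match` separator. It goes one step beyond the log and also flags `rule:` references to names the file never defines; the sample policy is constructed (it is not the real policy.v3cloudsample.json), and the names `atoms` and `lint_policy` are hypothetical.

```python
import json
import re

OPERATORS = {"and", "or", "not"}
LITERALS = {"@", "!"}  # always-allow / always-deny checks in the policy language

# Constructed sample policy (not the real policy.v3cloudsample.json).
SAMPLE_POLICY = json.loads("""
{
  "admin_required": "role:admin",
  "admin_on_domain_filter": "rule:admin_required and domain_id:%(domain_id)s",
  "identity:list_users": "rule:admin_required or admin_on_domain_filter",
  "identity:list_projects": "rule:admin_required or (rule:admin_on_project_filter)",
  "identity:get_user": "@"
}
""")


def atoms(rule):
    """Yield the individual checks of a rule (string or legacy list form)."""
    if isinstance(rule, list):
        for item in rule:
            yield from atoms(item)
        return
    for tok in re.split(r"\s+", rule):
        clean = tok.lstrip("(").rstrip(")")
        if clean and clean.lower() not in OPERATORS:
            yield clean


def lint_policy(policy):
    """Return sorted (target, atom, problem) findings for a policy dict."""
    findings = []
    for target, rule in policy.items():
        for atom in atoms(rule):
            if atom in LITERALS:
                continue
            kind, sep, match = atom.partition(":")
            if not sep:
                # The case in the traceback: split(':', 1) yields one value.
                findings.append((target, atom, "no 'kind:match' separator"))
            elif kind == "rule" and match not in policy:
                findings.append((target, atom, "undefined rule reference"))
    return sorted(findings)


if __name__ == "__main__":
    for target, atom, problem in lint_policy(SAMPLE_POLICY):
        print(f"{target}: {atom!r}: {problem}")
```

Running it against a policy file before deploying it surfaces these rules at review time instead of as 403 responses in production.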


