[Openstack-operators] How to allow users to list services by modifying the policy.json file of Keystone

Christian Berendt berendt at b1-systems.de
Mon Jan 26 11:58:22 UTC 2015


Hello.

We have a user 'user1' in the tenant 'tenant1' with the assigned role
'_member_'.

We want to be able to list services with this user. In the default
policy.json files we can find the following rules:

"admin_required": "role:admin or is_admin:1",
"identity:list_services": "rule:admin_required",

As expected 'keystone service-list' will fail with a HTTP error 403
('admin_required').

Now we change the rule "admin_required" to

"admin_required": "role:_member_ or role:admin or is_admin:1".

As expected 'keystone service-list' is now working. But we want to be
able to only list services. With this modification of the admin_required
rule it is possible to list e.g. roles, too.

We undo the change to admin_required and change identity:list_services to

"identity:list_services": "rule:admin_required or role:_member_",

'keystone service-list' will fail with an HTTP error 403 ('admin_required').

We change identity:list_services to

"identity:list_services": "role:_member_",

'keystone service-list' will fail with an HTTP error 403 ('admin_required').

We change identity:list_services to

"identity:list_services": "@",

'keystone service-list' will fail with an HTTP error 403 ('admin_required').

It looks like the modifications of identity:list_services are ignored.

Any idea what we are doing wrong?

Christian.

-- 
Christian Berendt
Cloud Solution Architect
Mail: berendt at b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
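A small model of the policy.json rule language, added here by the editor and not taken from keystone or oslo.policy, that evaluates each policy variant quoted in the post for user1. Under the rule semantics alone, the last three variants permit identity:list_services, so the repeated 403 is not explained by the rule strings themselves; the credentials dict, the variant labels and the extra identity:list_roles entry are assumptions made for the example.

```python
# Editor's added model of the policy.json rule subset used in this thread
# (not keystone or oslo.policy code): atoms "role:X", "is_admin:N",
# "rule:name" and "@" (always allow), joined by "or" / "and".

ADMIN = "role:admin or is_admin:1"
LIST_ROLES = {"identity:list_roles": "rule:admin_required"}  # shows the spill-over

# The policy variants the post walks through, keyed by a short label (assumed names).
POLICIES = {
    "default": {"admin_required": ADMIN,
                "identity:list_services": "rule:admin_required", **LIST_ROLES},
    "widened_admin_required": {"admin_required": "role:_member_ or " + ADMIN,
                               "identity:list_services": "rule:admin_required", **LIST_ROLES},
    "list_services_or_member": {"admin_required": ADMIN,
                                "identity:list_services": "rule:admin_required or role:_member_"},
    "list_services_member_only": {"admin_required": ADMIN,
                                  "identity:list_services": "role:_member_"},
    "list_services_any": {"admin_required": ADMIN, "identity:list_services": "@"},
}

# Constructed credentials: user1 in tenant1 holding only the _member_ role.
USER1_CREDS = {"roles": ["_member_"], "is_admin": 0}


def check_atom(atom, creds, policy):
    """Evaluate one atom of a rule string against the credentials."""
    if atom == "@":
        return True
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds["roles"]
    if kind == "is_admin":
        return str(creds.get("is_admin", 0)) == value
    if kind == "rule":  # reference to another named rule in the same file
        return enforce(value, creds, policy)
    raise ValueError("unsupported atom: %r" % (atom,))


def enforce(target, creds, policy):
    """True if target is allowed. 'and' binds tighter than 'or', as in oslo.policy;
    unknown targets deny here (keystone itself falls back to its "default" rule)."""
    if target not in policy:
        return False
    return any(all(check_atom(a.strip(), creds, policy) for a in clause.split(" and "))
               for clause in policy[target].split(" or "))


def allowed(target, label, creds=USER1_CREDS):
    """Outcome of one policy target for user1 under one variant from the post."""
    return enforce(target, creds, POLICIES[label])
```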
