<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Heyho guys :)<br>
<br>
I have a little problem with policy settings in keystone. I've created
a new rule in my policy file and restarted keystone, but in keystone I
don't have privileges. <br>
<br>
Example:<br>
<br>
<br>
keystone user-create --name kadmin --pw lala <br>
keystone user-role-add --<br>
<br>
keystone role-list --user kadmin --role KeystoneAdmin --tenant admin<br>
<br>
+----------------------------------+----------------------+<br>
| id | name |<br>
+----------------------------------+----------------------+<br>
| 3f5c0af585db46aeaec49da28900de28 | KeystoneAdmin |<br>
| dccfed0bd790420bbf1982686cbf7e31 | KeystoneServiceAdmin |<br>
<br>
<br>
cat /etc/keystone/policy.json<br>
<br>
{<br>
"admin_required": [["role:admin"], ["is_admin:1"]],<br>
"owner" : [["user_id:%(user_id)s"]],<br>
"admin_or_owner": [["rule:admin_required"], ["rule:owner"]],<br>
"admin_or_kadmin": [["rule:admin_required"],
["role:KeystoneAdmin"]],<br>
<br>
"default": [["rule:admin_required"]],<br>
[.....]<br>
"identity:list_users": [["rule:admin_or_kadmin"]],<br>
[....]<br>
<br>
&lt;loading kadmin creds&gt;<br>
<br>
keystone user-list<br>
Unable to communicate with identity service: {"error": {"message":
"You are not authorized to perform the requested action:
admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP
403)<br>
<br>
<br>
In the log file I see:<br>
DEBUG [keystone.policy.backends.rules] enforce admin_required:
{'tenant_id': u'b33bf3927d4e449a98cec4a883148110', 'user_id':
u'46a6a9e429db483f8346f0259e99d6a5', u'roles': [u'KeystoneAdmin']}<br>
<br>
<br>
<br>
<br>
Why does keystone enforce the <i>admin_required</i> rule instead of the
defined rule (<i>admin_or_kadmin</i>)?<br>
<br>
<br>
<br>
Keystone conf:<br>
[...]<br>
<br>
# Path to your policy definition containing identity actions<br>
policy_file = policy.json<br>
[..]<br>
[policy]<br>
driver = keystone.policy.backends.rules.Policy<br>
<br>
<br>
<br>
<br>
Does anyone have an idea?<br>
<br>
Thx and greetings<br>
Heiko<br>
<br>
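Added example, not part of the original post and not keystone's own code: a simplified evaluator for the list-of-lists rule format in the policy.json above, run against the credentials from the DEBUG log line. It assumes case-insensitive role matching and an empty target dict; check, enforce and report are hypothetical names.<br>

```python
# Added example (not keystone's code): outer list = OR, inner list = AND.
import json
# Rules copied from the policy.json in the post (elided entries omitted).
POLICY = json.loads("""
{
  "admin_required": [["role:admin"], ["is_admin:1"]],
  "owner": [["user_id:%(user_id)s"]],
  "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
  "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
  "default": [["rule:admin_required"]],
  "identity:list_users": [["rule:admin_or_kadmin"]]
}
""")

def check(match, target, creds):
    """Evaluate one 'kind:value' term against the credentials."""
    kind, value = match.split(":", 1)
    if kind == "rule":
        return enforce(value, target, creds)
    if kind == "role":
        # Assumption: role names compare case-insensitively.
        return value.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic term: fill %(key)s from the target, compare with the credential.
    try:
        value = value % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == value

def enforce(action, target, creds):
    """True if any AND-list of the action's rule is fully satisfied."""
    rule = POLICY.get(action, POLICY["default"])
    return any(all(check(m, target, creds) for m in and_list) for and_list in rule)

# Credentials as shown in the DEBUG log line from the post.
KADMIN = {
    "tenant_id": "b33bf3927d4e449a98cec4a883148110",
    "user_id": "46a6a9e429db483f8346f0259e99d6a5",
    "roles": ["KeystoneAdmin"],
}

def report(creds):
    """Result per action name for these credentials."""
    actions = ["identity:list_users", "admin_or_kadmin", "admin_required"]
    return {a: enforce(a, {}, creds) for a in actions}

if __name__ == "__main__":
    for action, allowed in report(KADMIN).items():
        print(f"{action:22} {'allow' if allowed else 'deny'}")
```

Under this model the logged credentials satisfy identity:list_users and admin_or_kadmin but not admin_required, the rule named in the 403 response.<br>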
</body>
</html>