On 7/25/19 1:18 AM, Bernd Bausch wrote:
The Keystone policy.json file I created with oslo-policy-generator contains lines I don't understand. For example /list_users/. The comment says:
# DEPRECATED
# "identity:list_users":"rule:admin_required" has been deprecated since S in
# favor of "identity:list_users":"(role:reader and system_scope:all) or
# (role:reader and domain_id:%(target.domain_id)s)".
I do understand the expression starting with (role:reader ...., but contrary to the comment, the policy is
"identity:list_users": "rule:identity:list_users"
This looks like a circular definition, and in any case, nowhere do I see rule:identity:list_users defined.
Can someone in the know explain how this policy is processed?
You're right, this is a circular definition and a bug in the policy generator. This behavior was intended to address [0], but when the deprecated rule name matches the current rule name it creates this nonsense policy. Since the bug doesn't apply in this case, we can just drop the unnecessary alias. Lance pushed a fix in [1] that should make this work sanely again.
Thanks for bringing this to our attention.
0: https://bugs.launchpad.net/oslo.policy/+bug/1742569
1: https://review.opendev.org/#/c/672781/
Thanks much,
Bernd
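A small lint for the problem Colleen describes, added here as an example and not code from oslo.policy or the thread: it loads a generated policy file, follows only the "rule:" references, and reports aliases that loop back on themselves (the generator bug) or point at a rule that is never defined. The sample policy, the comment-stripping in load_policy and the rule names other than those quoted in the thread are constructed for illustration.

```python
import json
import re

# Constructed sample modelled on the generated policy.json discussed above:
# a self-referential alias (the generator bug), a reference to a rule that
# is never defined, and a well-formed rule for comparison.
SAMPLE_POLICY = """
# DEPRECATED
# "identity:list_users":"rule:admin_required" has been deprecated since S
{
    "admin_required": "role:admin or is_admin:1",
    "identity:list_users": "rule:identity:list_users",
    "identity:get_user": "rule:identity_reader",
    "identity:list_roles": "(role:reader and system_scope:all) or rule:admin_required"
}
"""

# A rule reference may itself contain colons (rule:identity:list_users), so
# consume everything up to whitespace or a parenthesis, as the policy
# tokenizer does.
RULE_REF = re.compile(r"\brule:([^\s()]+)")


def load_policy(text):
    """Parse policy JSON after dropping full-line '#' comments (assumption:
    the generated file is otherwise valid JSON)."""
    body = "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith("#"))
    return json.loads(body)


def check_policy(policy):
    """Return (cycles, undefined) for a {rule_name: expression} mapping.

    cycles: rule-name chains that lead back to their first element.
    undefined: rule -> names it references that have no definition.
    Only rule: checks are followed; role:, system_scope: etc. are leaves.
    """
    cycles, seen, undefined = [], set(), {}
    for name, expr in policy.items():
        missing = [r for r in RULE_REF.findall(expr) if r not in policy]
        if missing:
            undefined[name] = missing

    def walk(name, path):
        for ref in RULE_REF.findall(policy.get(name, "")):
            if ref in path:  # closing the loop: report it once
                cycle = path[path.index(ref):] + [ref]
                if frozenset(cycle) not in seen:
                    seen.add(frozenset(cycle))
                    cycles.append(cycle)
            elif ref in policy:
                walk(ref, path + [ref])

    for name in policy:
        walk(name, [name])
    return cycles, undefined
```

Running check_policy over the sample flags "identity:list_users" as a one-element cycle and "identity:get_user" as pointing at the undefined "identity_reader"; the corrected rule text from the comment produces neither finding.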