[openstack-dev] [Keystone] policy has no effect because of hard coded assert_admin?
Qiu Yu
unicell at gmail.com
Thu Dec 12 07:41:20 UTC 2013
Hi,
I was trying to fine-tune some Keystone policy rules. Basically I want to
grant the "create_project" action to users in the "ops" role. The following
are my steps.
1. Adding a new user "usr1"
2. Creating new role "ops"
3. Granting this user an "ops" role in the "service" tenant
4. Adding new lines to keystone policy file
"ops_required": [["role:ops"]],
"admin_or_ops": [["rule:admin_required"], ["rule:ops_required"]],
5. Changing
"identity:create_project": [["rule:admin_required"]],
to
"identity:create_project": [["rule:admin_or_ops"]],
6. Restart keystone service
keystone tenant-create with the credentials of user "usr1" still returns a
403 Forbidden error:
"You are not authorized to perform the requested action, admin_required.
(HTTP 403)"
After a quick scan, it seems that the create_project function has a
hard-coded assert_admin call [1], which does not respect the settings in
the policy file.
Any ideas why? Is it a bug to fix? Thanks!
BTW, I'm running the Keystone Havana release with the V2 API.
[1]
https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L105
Thanks,
--
Qiu Yu
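Added illustration (not part of the original message, and not Keystone's own policy engine or controller code): a toy evaluator for the Havana-era list-of-lists policy.json format used in the steps above, together with a hypothetical stand-in for a hard-coded admin gate. It shows that the "admin_or_ops" rule does grant "identity:create_project" to a user holding only the "ops" role, and that a check performed in code before the policy engine is consulted rejects that same user regardless of what policy.json says. The policy fragment, the credential dictionaries and the assert_admin stand-in are constructed for the example; the real Keystone function may differ in detail.

```python
"""Toy evaluator for a Havana-era Keystone policy.json (list-of-lists form).

Constructed example, not Keystone's policy engine: the outer list is OR,
the inner list is AND, "role:X" matches a role in the credentials,
"rule:Y" refers to another named rule, and "is_admin:1" matches an
admin context.
"""
import json

# Constructed policy fragment mirroring the rules described in the post.
POLICY_JSON = """
{
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "ops_required": [["role:ops"]],
    "admin_or_ops": [["rule:admin_required"], ["rule:ops_required"]],
    "identity:create_project": [["rule:admin_or_ops"]]
}
"""
POLICY = json.loads(POLICY_JSON)


def _match_atom(atom, creds, policy):
    """Evaluate one "kind:value" atom against the caller's credentials."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return check(value, creds, policy)
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "is_admin":
        return bool(creds.get("is_admin")) == (value == "1")
    raise ValueError("unsupported atom: %r" % atom)


def check(rule_name, creds, policy=POLICY):
    """Return True when any AND-clause of the named rule is fully satisfied.

    A missing or empty rule denies, so a typo in a rule name fails closed.
    """
    clauses = policy.get(rule_name)
    if not clauses:
        return False
    return any(all(_match_atom(atom, creds, policy) for atom in clause)
               for clause in clauses)


def assert_admin(creds):
    """Hypothetical stand-in for a hard-coded admin check (assumption).

    It never looks at the policy file: only an admin context or the literal
    "admin" role passes, which is the behaviour the 403 in the post suggests.
    """
    return bool(creds.get("is_admin")) or "admin" in creds.get("roles", [])


def create_project_policy_only(creds):
    """What the policy file alone would decide for identity:create_project."""
    return check("identity:create_project", creds)


def create_project_with_hardcoded_check(creds):
    """Controller-style flow: the hard-coded gate runs before the policy engine,
    so a policy edit cannot widen access past it."""
    if not assert_admin(creds):
        return "403 admin_required"
    if not create_project_policy_only(creds):
        return "403 policy"
    return "201 created"


if __name__ == "__main__":
    # Constructed credentials for the "usr1" user from the post: ops role only.
    usr1 = {"roles": ["ops"]}
    print("policy alone:   ", create_project_policy_only(usr1))
    print("with hard gate: ", create_project_with_hardcoded_check(usr1))
```

The practical check this suggests when a policy edit appears to have no effect: grep the controller for an authorization call that does not go through the policy enforcer (here, a direct assert_admin), because such a gate decides before policy.json is ever consulted and the file change cannot widen access past it.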