[openstack-dev] Kilo v3 identity problems

Steve Martinelli stevemar at ca.ibm.com
Wed Jun 3 19:20:27 UTC 2015

Dolph Mathews <dolph.mathews at gmail.com> wrote on 06/03/2015 02:16:55 PM:

> From: Dolph Mathews <dolph.mathews at gmail.com>
> To: "OpenStack Development Mailing List (not for usage questions)" 
> <openstack-dev at lists.openstack.org>
> Date: 06/03/2015 02:17 PM
> Subject: Re: [openstack-dev] Kilo v3 identity problems
> I assume that by "v3 policy file" you're specifically referring to:
>   https://github.com/openstack/keystone/blob/
> f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.v3cloudsample.json
> Which essentially illustrates enforcement of a much more powerful 
> authorization model than most deployers are familiar with today. 
> You'll need to create and consume a domain-based role assignment, 
> for example (do you have a role assigned to your user on the 
> "default" domain? Are you accessing "openstack domain list" with a 
> domain-scoped token?).
> Unless you're ready to experiment with that new policy model, the 
> default policy file is also designed for v3 and it's behavior is 
> probably what you're expecting:
>   https://github.com/openstack/keystone/blob/
> f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.json
> Perhaps "policy.v3cloudsample.json" is poorly named if it implies 
> that it's somehow a pre-requisite to getting started with the v3 API?

++ I think so, I've had to field many questions and comments about folks 
using this file when they
really just need the "usual" one.

Steve Martinelli
OpenStack Keystone Core
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150603/0f085d9d/attachment.html>

More information about the OpenStack-dev mailing list