[openstack-dev] [keystone] Does the policy.json for trusts works?

Adrian Turjak adriant at catalyst.net.nz
Wed Sep 13 15:54:38 UTC 2017

Hello Keystone devs!

I've been playing with some policy changes and realised that the trust
policy rules were mostly blank. Which, based on how the policy logic
works means that any authed user can list trusts:

But... in practice that doesn't appear to be the case, only admin can
list/create/etc trusts. Which is good since it doesn't really make sense
for any authed user to see all trusts (or does it?). What it does raise
is, does the policy actually work for trusts, or is an admin requirement
policy hardcoded somewhere for them?

Now I've played with the keystone policy, setting an admin only policy
blank, let's say project list, does let any authed user use that API.
So from that we know that a blank policy has that logic. The 'default'
rule only comes into play when a rule isn't present. Such as me setting
a policy as "rule:rule_that_doesnt_exist" which would invoke the default
rule, so we know that isn't happening here either.

So... back to how I got here. The policy for trusts doesn't appear to
work as written. They are blank (and they probably shouldn't be), and
based on that policy, they should be visible to all authed users. Even
if I do put an explicit rule in them, they don't seem to take effect.
Can someone else confirm I'm not going mad? Or that potentially I'm
missing the point entirely (which for my sanity is also welcome :P).

I even checked if it was maybe extension specific, but the consumer
policy for the oauth extension does appear to work. If I blank it, any
authed user can list consumers.

If I'm not mad, we should probably work out why this doesn't work, but
before we fix it, we should also add a better default rule since we
probably don't want all authed users seeing ALL trusts.
