[keystone] Need clarification about Stein policies

Bernd Bausch berndbausch at gmail.com
Thu Jul 25 06:18:27 UTC 2019

The Keystone policy.json file I created with oslo-policy-generator 
contains lines I don't understand. For example /list_users/. The comment 

# DEPRECATED "identity:list_users":"rule:admin_required" has been
# deprecated since S in favor of "identity:list_users":"(role:reader
# and system_scope:all) or (role:reader and
# domain_id:%(target.domain_id)s)".

I do understand the expression starting with (role:reader ..., but 
contrary to the comment, the policy is

"identity:list_users": "rule:identity:list_users"

This looks like a circular definition, and in any case, nowhere do I 
see rule:identity:list_users defined.

Can someone in the know explain how this policy is processed?

Thanks much,
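
The two things the message notices, a rule that refers to itself and a reference to a name that is not defined in the file, can be checked mechanically. The following is an added example, not part of the original post and not oslo.policy code; `audit`, `references` and the sample entries other than `identity:list_users` are hypothetical, and it generalizes the self-reference case to longer reference loops. It inspects only the text of the file.

```python
import re

# Constructed sample: the rule quoted in the post plus two made-up entries.
SAMPLE_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:list_users": "rule:identity:list_users",
    "identity:get_user": "rule:admin_required or rule:owner",
}

# A reference is a token "rule:<name>"; the name may itself contain colons.
# Tokens are delimited by whitespace or parentheses.
RULE_REF = re.compile(r"(?<![^\s(])rule:([^\s()]+)")


def references(expr):
    """Names of the rules that a policy expression refers to."""
    return RULE_REF.findall(expr)


def audit(policy):
    """Return (undefined, cyclic) for a dict of rule name -> expression.

    undefined: sorted (rule, missing_name) pairs for references that have
               no entry in the file.
    cyclic:    sorted names of rules that can reach themselves by following
               references inside the file (self-reference or longer loops).
    """
    undefined = sorted(
        (name, ref)
        for name, expr in policy.items()
        for ref in set(references(expr))
        if ref not in policy
    )
    cyclic = []
    for start in policy:
        stack, seen = references(policy[start]), set()
        while stack:
            cur = stack.pop()
            if cur == start:
                cyclic.append(start)
                break
            if cur in seen or cur not in policy:
                continue
            seen.add(cur)
            stack.extend(references(policy[cur]))
    return undefined, sorted(cyclic)


if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```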

