[keystone] Need clarification about Stein policies
Ben Nemec
openstack at nemebean.com
Thu Jul 25 16:46:53 UTC 2019
On 7/25/19 1:18 AM, Bernd Bausch wrote:
> The Keystone policy.json file I created with oslo-policy-generator
> contains lines I don't understand. For example /list_users/. The comment
> says:
>
> # DEPRECATED "identity:list_users":"rule:admin_required" has been
> # deprecated since S in favor of "identity:list_users":"(role:reader
> # and system_scope:all) or (role:reader and
> # domain_id:%(target.domain_id)s)".
>
> I do understand the expression starting with (role:reader .... , but
> contrary to the comment, the policy is
>
> "identity:list_users": "rule:identity:list_users"
>
> This looks like a circular definition, and in any case, nowhere do I
> see rule:identity:list_users defined.
>
> Can someone in the know explain how this policy is processed?
You're right, this is a circular definition and a bug in the policy
generator. This behavior was intended to address [0], but when the
deprecated rule name matches the current rule name it creates this
nonsense policy. Since the bug doesn't apply in this case, we can just
drop the unnecessary alias. Lance pushed a fix in [1] that should make
this work sanely again.
Thanks for bringing this to our attention.
0: https://bugs.launchpad.net/oslo.policy/+bug/1742569
1: https://review.opendev.org/#/c/672781/
>
> Thanks much,
>
> Bernd
>
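A small lint, added here as an example and not part of oslo.policy or Keystone, that flags the self-referencing alias described in this thread (and any `rule:` target that is never defined) in a mapping loaded from a generated policy file; the sample mapping below is constructed for illustration.

```python
"""Detect circular or dangling ``rule:`` aliases in an oslo.policy file."""
import re

# A ``rule:NAME`` token inside a check string, i.e. the oslo.policy alias
# syntax seen in "rule:admin_required" or "rule:identity:list_users".
_RULE_REF = re.compile(r"\brule:([^\s()]+)")

# Constructed sample mirroring the generated file discussed in the thread:
# the deprecated name equals the current name, so the generator emitted a
# self-referencing alias instead of the real check string.
SAMPLE_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:list_users": "rule:identity:list_users",
    "identity:get_user": "rule:admin_required",
    "identity:list_projects": "rule:identity:list_projects_old",
}


def rule_refs(check_str):
    """Return the rule names referenced via ``rule:`` in one check string."""
    return _RULE_REF.findall(check_str)


def find_policy_problems(policies):
    """Return (cycles, dangling) for a {rule_name: check_string} mapping:
    cycles are rule names that reach themselves via ``rule:`` aliases
    ("x": "rule:x" is the one-step case from the thread); dangling holds
    (rule_name, missing_target) pairs whose target is never defined."""
    cycles, dangling = set(), set()
    for name in policies:
        seen, stack = set(), [name]
        while stack:  # depth-first walk along rule: references
            current = stack.pop()
            if current in seen:
                if current == name:  # walked back to where we started
                    cycles.add(name)
                continue
            seen.add(current)
            for target in rule_refs(policies[current]):
                if target in policies:
                    stack.append(target)
                else:
                    dangling.add((current, target))
    return sorted(cycles), sorted(dangling)


if __name__ == "__main__":
    print(find_policy_problems(SAMPLE_POLICY))
```

Run it against the mapping returned by `yaml.safe_load` on a generated policy file to catch this class of generator bug before the file is deployed.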