[keystone] Need clarification about Stein policies

Ben Nemec openstack at nemebean.com
Thu Jul 25 16:46:53 UTC 2019

On 7/25/19 1:18 AM, Bernd Bausch wrote:
> The Keystone policy.json file I created with oslo-policy-generator 
> contains lines I don't understand. For example /list_users/. The comment 
> says:
> # DEPRECATED "identity:list_users":"rule:admin_required" has been
> # deprecated since S in favor of "identity:list_users":"(role:reader
> # and system_scope:all) or (role:reader and
> # domain_id:%(target.domain_id)s)".
> I do understand the expression starting with (role:reader .... , but 
> contrary to the comment, the policy is
> "identity:list_users": "rule:identity:list_users"
> This looks like a circular definition, and in any case, nowhere do I 
> see rule:identity:list_users defined.
> Can someone in the know explain how this policy is processed?

You're right, this is a circular definition and a bug in the policy 
generator. This behavior was intended to address [0], but when the 
deprecated rule name matches the current rule name it creates this 
nonsense policy. Since the bug doesn't apply in this case, we can just 
drop the unnecessary alias. Lance pushed a fix in [1] that should make 
this work sanely again.

Thanks for bringing this to our attention.

0: https://bugs.launchpad.net/oslo.policy/+bug/1742569
1: https://review.opendev.org/#/c/672781/

> Thanks much,
> Bernd
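A structural check for the problem discussed in this thread, added here as an example that is not part of the original messages or of oslo.policy's own code: it loads a policy.json document (the sample below is constructed, modelled on the quoted lines), follows every rule:<name> alias, and reports chains that loop back on themselves as well as aliases that are never defined.

```python
"""Detect circular or dangling ``rule:`` aliases in an oslo.policy-style file.

Constructed example, not oslo.policy's own code. It does not evaluate the
policy; it only walks the rule:<name> references between check strings.
"""
import json
import re

# Matches rule:<name> references inside a check string; rule names may
# contain colons, dots and underscores (e.g. rule:identity:list_users).
RULE_REF = re.compile(r"\brule:([A-Za-z0-9_.:-]+)")

# Constructed policy.json content: a self-referencing alias like the one in
# the thread, a healthy alias chain, and a reference to an undefined rule.
SAMPLE_POLICY = json.dumps({
    "admin_required": "role:admin or is_admin:1",
    "identity:list_users": "rule:identity:list_users",
    "identity:get_user": "rule:admin_required or (role:reader and system_scope:all)",
    "identity:create_user": "rule:admin_only",
})


def referenced_rules(check_str):
    """Return the rule names a check string refers to via rule:<name>."""
    return RULE_REF.findall(check_str)


def find_policy_problems(policy_text):
    """Return (cycles, undefined) for a policy.json document.

    cycles:    reference chains that loop, each ending where it started
    undefined: sorted names that are referenced but never defined
    """
    policy = json.loads(policy_text)
    cycles, seen_cycles, undefined = [], set(), set()

    def walk(name, path):
        if name not in policy:
            undefined.add(name)
        elif name in path:
            loop = path[path.index(name):] + [name]
            if frozenset(loop) not in seen_cycles:  # report each loop once
                seen_cycles.add(frozenset(loop))
                cycles.append(loop)
        else:
            for ref in referenced_rules(policy[name]):
                walk(ref, path + [name])

    for rule in policy:
        walk(rule, [])
    return cycles, sorted(undefined)


if __name__ == "__main__":
    loops, missing = find_policy_problems(SAMPLE_POLICY)
    for loop in loops:
        print("circular alias:", " -> ".join(loop))
    for name in missing:
        print("undefined rule referenced:", name)
```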
