[keystone][ops]Keystone enforced policy issues - Victoria

Luke Camilleri luke.camilleri at zylacomputing.com
Mon Mar 15 23:02:45 UTC 2021

A new mail has been sent referencing horizon instead of victoria in the 
subject line. Consider this email solved

On 12/03/2021 12:30, Luke Camilleri wrote:
> Updated subject with tags
> On 11/03/2021 22:39, Luke Camilleri wrote:
>> Hi there, we have been troubleshooting keystone policies for a couple 
>> of days now (Victoria) and would like to reach out to anyone with 
>> some experience on the keystone policies. Basically we would like to 
>> follow the standard admin, member and reader roles together with the 
>> scopes function and have therefore enabled the below two option in 
>> keystone.conf
>> enforce_scope = true
>> enforce_new_defaults = true
>> once enabled we started seeing the below error related to token 
>> validation in keystone.log:
>> 2021-03-11 19:50:12.009 1047463 WARNING 
>> keystone.server.flask.application 
>> [req-33cda154-1d54-447e-8563-0676dc5d8471 
>> 020bd854741e4ba69c87d4142cad97a5 c584121f9d1a4334a3853c61bb5b9d93 - 
>> default default] You are not authorized to perform the requested 
>> action: identity:validate_token.: keystone.exception.ForbiddenAction: 
>> You are not authorized to perform the requested action: 
>> identity:validate_token.
>> The policy was previously setup as:
>> identity:validate_token: rule:service_admin_or_token_subject
>> but has now been implemented with the new scope format to:
>> identity:validate_token: (role:reader and system_scope:all) or 
>> rule:service_role or rule:token_subject
>> If we change the policy to the old one, we stop receiving the 
>> identity:validate_token exception. This only happens in horizon and 
>> running the same commands in the CLI (python-openstack-client) does 
>> not output any errors. To work around this behavior we place the old 
>> policy for validate_token rule in 
>> /usr/share/openstack-dashboard/openstack_dashboard/conf/keystone_policy.yaml 
>> and in the file /etc/keystone/keystone.conf
>> A second way how we can solve the validate_token exception is to 
>> disable the option which has been enabled above "enforce_new_defaults 
>> = true" which will obviously allow the deprecated policy rules to 
>> become effective and hence has the same behavior as implementing the 
>> old policy as we did
>> We would like to know if anyone have had this behavior and how it has 
>> been solved maybe someone can point us in the right direction to 
>> identify better what is going on.
>> Last but not least, it seems that from Horizon, the admin user is 
>> being assigned a project scoped token instead of a system scoped 
>> token, while from the CLI the same admin user can successfully issue 
>> a system:all token and run commands across all resources. We would be 
>> very happy to receive any form of input related to the above issues 
>> we are facing
>> Thanks in advance for any assistance

More information about the openstack-discuss mailing list