[KEYSTONE][POLICIES] - Overrides that don't work?

Gaël THEROND gael.therond at bitswalk.com
Wed Oct 6 12:52:53 UTC 2021

Hi team,

I'm seeing weird behavior on my OpenStack platform that makes me think
I may have misunderstood some mechanisms in the way policies work,
especially overriding.

So, long story short, I have a few services with custom policies, such as
glance, that behave as expected; Keystone's don't.

All in all, here is what I'm understanding of the mechanism:

This is the keystone policy that I'm looking to override:

This policy default can be found in here:

Here is the policy that I'm testing:

I know, this policy isn't taking care of the admin role but it's not the

From my understanding, any user with the project-manager role should be
able to add any available user to any available group as long as the
project-manager domain is the same as the target's.

However, when I'm doing that, keystone complains that I'm not authorized to
do so because the user token scope is 'PROJECT' where it should be 'SYSTEM'
or 'DOMAIN'.

Now, I wouldn't be surprised by that message being thrown with the
default policy, as it's stated in the code with the following:

So the question is, if the custom policy doesn't override the default
scope_types, how am I supposed to make it work?

I hope it was clear enough, but if not, feel free to ask me for more

PS: I've tried to assign this role with a domain scope to my user and I
still have the same issue.

Thanks a lot everyone!
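The question above turns on which part of a rule a policy file can actually override. The following is a simplified Python model of the oslo.policy mechanism, added here as an illustration and not code from keystone, oslo.policy or the poster: the rule name identity:add_user_to_group and its scope_types are keystone's as I know them, the default check string is shortened, and the override string, role name, target keys and credential dicts are constructed for the example; the check-string evaluator only handles flat and/or expressions, and it returns a status string where the real library raises.

```python
from dataclasses import dataclass

@dataclass
class RuleDefault:
    name: str
    check_str: str     # the only part a policy.yaml entry can replace
    scope_types: list  # fixed in service code; a policy file cannot change it

# In-code default for the keystone rule (check string simplified for the model).
DEFAULTS = {"identity:add_user_to_group": RuleDefault(
    "identity:add_user_to_group", "role:admin", ["system", "domain"])}

def _atom(atom, creds, target):
    key, _, value = atom.partition(":")
    if value.startswith("%(") and value.endswith(")s"):  # %(target.x)s substitution
        value = target.get(value[2:-2])
    if key == "role":
        return value in creds.get("roles", [])
    return creds.get(key) is not None and str(creds[key]) == str(value)

def check(rule_str, creds, target):
    """Evaluate 'a and b or c' check strings (no parentheses; model only)."""
    return any(all(_atom(a.strip(), creds, target) for a in grp.split(" and "))
               for grp in rule_str.split(" or "))

def token_scope(creds):
    """Scope of the token, derived from the credential keys (constructed model)."""
    if creds.get("system_scope"):
        return "system"
    return "domain" if creds.get("domain_id") else "project"

class Enforcer:
    def __init__(self, defaults, policy_file, enforce_scope=True):
        self.enforce_scope = enforce_scope
        # A policy.yaml entry replaces check_str only; scope_types survive as coded.
        self.rules = {n: RuleDefault(n, policy_file.get(n, d.check_str), d.scope_types)
                      for n, d in defaults.items()}

    def enforce(self, name, creds, target):
        """Return 'ok', 'invalid_scope' or 'not_authorized' (oslo.policy raises)."""
        rule, scope = self.rules[name], token_scope(creds)
        if rule.scope_types and scope not in rule.scope_types:
            if self.enforce_scope:
                return "invalid_scope"   # scope check runs before the check string
            # enforce_scope=False: oslo.policy only logs a warning and continues
        return "ok" if check(rule.check_str, creds, target) else "not_authorized"
```

With enforce_scope left on, a project-scoped token is rejected before the overridden check string is ever evaluated, which is the behaviour described above; only a token whose scope is listed in the in-code scope_types reaches the custom rule.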
