[KEYSTONE][POLICIES] - Overrides that don't work?

Ben Nemec openstack at nemebean.com
Mon Oct 11 15:25:29 UTC 2021

I don't believe it's possible to override the scope of a policy rule. In 
this case it sounds like the user should request a domain-scoped token 
to perform this operation. For details on how to do that, see 

On 10/6/21 7:52 AM, Gaël THEROND wrote:
> Hi team,
> I'm having a weird behavior with my OpenStack platform that makes me 
> think I may have misunderstood some mechanisms in the way policies 
> work, and especially the overriding.
> So, long story short, I have a few services that get custom policies, such as 
> glance, that behave as expected; Keystone's don't.
> All in all, here is what I'm understanding of the mechanism:
> This is the keystone policy that I'm looking to override:
> https://paste.openstack.org/show/bwuF6jFISscRllWdUURL/ 
> This policy default can be found in here:
> https://opendev.org/openstack/keystone/src/branch/master/keystone/common/policies/group.py#L197 
> Here is the policy that I'm testing:
> https://paste.openstack.org/show/bHQ0PXvOro4lXNTlxlie/ 
> I know, this policy isn't taking care of the admin role but it's not the 
> point.
> From my understanding, any user with the project-manager role should be 
> able to add any available user to any available group as long as the 
> project-manager's domain is the same as the target's.
> However, when I'm doing that, keystone complains that I'm not authorized 
> to do so because the user token scope is 'PROJECT' where it should be 
> Now, I wouldn't be surprised of that message being thrown out with the 
> default policy as it's stated on the code with the following:
> https://opendev.org/openstack/keystone/src/branch/stable/ussuri/keystone/common/policies/group.py#L197 
> So the question is, if the custom policy doesn't override the default 
> scope_types how am I supposed to make it work?
> I hope it was clear enough, but if not, feel free to ask me for more 
> information.
> PS: I've tried to assign this role with a domain scope to my user and 
> I still have the same issue.
> Thanks a lot everyone!
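
The behaviour discussed in this thread comes down to oslo.policy applying two separate checks: a scope check driven by the scope_types the service registered in code, and only then the rule's check string, which is the only part an operator's policy.yaml/policy.json can replace. The following is an added, self-contained Python model of that split written for this thread; it is not oslo.policy or keystone code. The rule names, check strings, scope_types (['system', 'domain']), the reconstructed custom rule (role:project-manager and domain_id:%(target.user.domain_id)s) and the token contents are all constructed for the illustration and are not taken from the pastes linked above. The real toggle in oslo.policy is the [oslo_policy] enforce_scope option, which the model mirrors with a flag.

```python
"""Illustrative model of oslo.policy's scope check versus rule check.

Written as an example for this thread; NOT oslo.policy or keystone code.
All rule strings, scope_types and token dicts below are constructed.
"""
import json


class InvalidScope(Exception):
    """Token scope is not in the scope_types the service registered for the rule."""


class PolicyNotAuthorized(Exception):
    """Scope was acceptable but the rule's check string evaluated to False."""


class RuleDefault:
    """What a service registers in code. A policy file can replace check_str,
    but scope_types is part of the registration and cannot be overridden."""

    def __init__(self, name, check_str, scope_types=None):
        self.name = name
        self.check_str = check_str
        self.scope_types = scope_types


def token_scope(creds):
    """Classify the token scope from the credential dict (constructed layout)."""
    if creds.get("system_scope") == "all":
        return "system"
    if creds.get("domain_id"):
        return "domain"
    if creds.get("project_id"):
        return "project"
    raise ValueError("unscoped token")


def _flatten(obj, prefix=""):
    """{'target': {'user': {'domain_id': 'd1'}}} -> {'target.user.domain_id': 'd1'}"""
    flat = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            flat.update(_flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = value
    return flat


def check(expr, target, creds, rules):
    """Evaluate a small subset of check syntax: role:, rule:, attr:%(target.x)s,
    joined by 'and' / 'or' (no parentheses). 'and' binds tighter than 'or'."""
    expr = expr.strip()
    if " or " in expr:
        return any(check(p, target, creds, rules) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, target, creds, rules) for p in expr.split(" and "))
    kind, _, match = expr.partition(":")
    if "%(" in match:
        match = match % _flatten(target)  # resolve %(target.user.domain_id)s
    if kind == "rule":
        return check(rules[match], target, creds, rules)
    if kind == "role":
        return match in creds.get("roles", [])
    return str(creds.get(kind)) == match  # generic credential attribute check


class Enforcer:
    def __init__(self, defaults, policy_file=None, enforce_scope=True):
        self.defaults = {d.name: d for d in defaults}
        self.rules = {d.name: d.check_str for d in defaults}
        self.enforce_scope = enforce_scope
        if policy_file:
            # The override file only carries name -> check_str pairs.
            self.rules.update(json.loads(policy_file))

    def enforce(self, rule, target, creds):
        default = self.defaults[rule]
        scope = token_scope(creds)
        # 1. Scope check: uses registered scope_types, unaffected by the override.
        if self.enforce_scope and default.scope_types and scope not in default.scope_types:
            raise InvalidScope(f"{rule}: scope {scope!r} not in {default.scope_types}")
        # 2. Rule check: uses the (possibly overridden) check string.
        if not check(self.rules[rule], target, creds, self.rules):
            raise PolicyNotAuthorized(f"{rule}: {self.rules[rule]!r} denied")
        return True


# Constructed defaults, override and tokens, modelled on the thread:
DEFAULTS = [
    RuleDefault("admin_required", "role:admin"),
    RuleDefault("identity:add_user_to_group", "rule:admin_required",
                scope_types=["system", "domain"]),
]
CUSTOM_POLICY = json.dumps({
    "identity:add_user_to_group":
        "role:project-manager and domain_id:%(target.user.domain_id)s",
})
TARGET = {"target": {"user": {"id": "u1", "domain_id": "d1"}}}
PROJECT_TOKEN = {"roles": ["project-manager"], "project_id": "p1", "project_domain_id": "d1"}
DOMAIN_TOKEN = {"roles": ["project-manager"], "domain_id": "d1"}
OTHER_DOMAIN_TOKEN = {"roles": ["project-manager"], "domain_id": "d2"}


def outcome(creds, enforce_scope=True):
    """Run the add-user-to-group rule with the custom policy loaded."""
    enforcer = Enforcer(DEFAULTS, policy_file=CUSTOM_POLICY, enforce_scope=enforce_scope)
    try:
        enforcer.enforce("identity:add_user_to_group", TARGET, creds)
        return "authorized"
    except InvalidScope:
        return "invalid_scope"
    except PolicyNotAuthorized:
        return "not_authorized"


if __name__ == "__main__":
    for label, creds in [("project-scoped", PROJECT_TOKEN), ("domain-scoped", DOMAIN_TOKEN),
                         ("other domain", OTHER_DOMAIN_TOKEN)]:
        print(f"{label:14} -> {outcome(creds)}")
```

With the custom rule loaded, the project-scoped token is rejected at step 1 (invalid scope) before the overridden check string is ever consulted, which matches the error described above; the same role carried in a domain-scoped token for the target's domain passes, while a domain-scoped token for another domain fails the rule check. Note also what happens with enforce_scope turned off: the project-scoped token still fails, because it carries project_domain_id rather than domain_id, so the domain_id comparison in the custom rule has nothing to match, another reason the fix is a domain-scoped token rather than a policy rewrite.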

More information about the openstack-discuss mailing list