Keystone policy.v3cloudsample.json doesn't allow proper resources management

Bug #1267187 reported by Florent Flament on 2014-01-08
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Low
Florent Flament

Bug Description

When using the current `̀ etc/policy.v3cloudsample.json`` file as
Keystone's ``/etc/keystone/policy.json`` file (with `̀
admin_domain_id`` properly configured), the following issues arise:

* The cloud_admin user cannot manage users in other domains that the `̀
  cloud`` domain. For instance, once the cloud_admin created a brand
  new domain, he cannot create a user in this domain.

* The cloud_admin cannot manage roles on other domains that the `̀
  cloud`̀ domain. For instance, if the cloud_admin managed to create a
  domain and a user in this new domain, he cannot grant the `admin`
  role on the domain to this new user.

* A domain administrator (user with the ``admin`` role on the domain)
  cannot manage roles on projects in its own domain. For instance, a
  domain administrator can create a project and a user in his domain,
  but he cannot grant the Member role on the project to the new user.

With the following additional rules, one would have an operational
Identity v3 API enabled setting:

* The cloud_admin should be allowed to manage users in any domain.

* The cloud_admin should be allowed to manage roles on any domain.

* Domain administrators should be allowed to manage roles on any
  project in their own domain.

Changed in keystone:
assignee: nobody → Florent Flament (florent-flament-ext)

Fix proposed to branch: master
Review: https://review.openstack.org/65510

Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph) on 2014-01-22
Changed in keystone:
importance: Undecided → Low

Reviewed: https://review.openstack.org/65510
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0496466821c1ff6e7d4209233b6c671f88aadc50
Submitter: Jenkins
Branch: master

commit 0496466821c1ff6e7d4209233b6c671f88aadc50
Author: Florent Flament <email address hidden>
Date: Wed Jan 8 18:36:51 2014 +0100

    Policy sample - Identity v3 resources management

    Adds the following rules to ``etc/policy.v3cloudsample.json``,
    providing an operational Identity v3 API enabled setting:

    * The cloud_admin can manage users in any domain.

    * The cloud_admin can manage roles on any domain.

    * Domain administrators can manage roles on any project in their own
      domain.

    Change-Id: Id6ea8f469d5d05c04042c1395c4eae85b982bb25
    Closes-Bug: #1267187

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2014-03-05
Changed in keystone:
milestone: none → icehouse-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-04-17
Changed in keystone:
milestone: icehouse-3 → 2014.1
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers