Comment 10 for bug 1437407

Chenhong Liu (liuchenhong) wrote :

I can reproduce this bug, and I dug into the code.

First, adding a policy rule like:
     domain_id:%(target.project.domain_id)s)
won't work, because assignment.controllers.RoleAssignmentV3.list_role_assignments is decorated by @filterprotected, which generates the target dictionary only from the API's query string. So there is no "target.project.domain_id" in the target dictionary passed to the oslo.policy engine.

Second, based on the current code, I found that the problem is that when the oslo.policy engine processes a rule like "project_id:%(scope.project.id)s", it cannot find any project id in the user's credentials (if a user authenticated via domain id, there is not even a project id in creds['token']).
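
The two failure cases described in this comment, as an added example that is not part of the original comment and is not keystone or oslo.policy code: a simplified model of a `key:%(name)s` check, assuming the target is built only from query-string filters. The function names, the filter list and all ids are constructed for illustration.

```python
# Added illustration: a simplified model, not keystone or oslo.policy source.
# The filter list and every id below are constructed sample values.

FILTERS = ("scope.project.id", "scope.domain.id", "user.id", "role.id")  # assumed


def target_from_query(query_string, filters=FILTERS):
    """Model of a target dict built only from the API query string."""
    return {k: v for k, v in query_string.items() if k in filters}


def generic_check(rule, target, creds):
    """Model of a 'cred_key:%(target_key)s' check; fails closed on missing data."""
    cred_key, _, template = rule.partition(":")
    try:
        expected = template % target      # substitute %(name)s from the target
    except KeyError:
        return False                      # target has no such key
    value = creds
    for part in cred_key.split("."):      # walk the dotted credential path
        if not isinstance(value, dict) or part not in value:
            return False                  # credential has no such attribute
        value = value[part]
    return expected == str(value)


def demo():
    """Evaluate the two rules from the comment against constructed tokens."""
    target = target_from_query({"scope.project.id": "p1"})
    project_scoped = {"user_id": "u1", "project_id": "p1"}
    domain_scoped = {"user_id": "u1", "domain_id": "d1"}  # no project_id at all
    return {
        "project_rule/project_token": generic_check(
            "project_id:%(scope.project.id)s", target, project_scoped),
        "project_rule/domain_token": generic_check(
            "project_id:%(scope.project.id)s", target, domain_scoped),
        "domain_rule/domain_token": generic_check(
            "domain_id:%(target.project.domain_id)s", target, domain_scoped),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```
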