Comment 3 for bug 1437407

Guang Yee (guang-yee) wrote :

Don't think it'll work by just tweaking policy.json. The way our authorization model works, we are essentially doing policy checks prior to backend actions.

https://github.com/openstack/keystone/blob/master/keystone/assignment/controllers.py#L777
https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L195

In this case, we are matching the incoming credential against the query filter. In other words, the target object hasn't been retrieved yet.

Because the Oslo policy engine can only do plain attribute matches, it does not know anything about objects and their relationships. In other words, to use oslo policy the way it is implemented right now, the consumer (in this case, the API code) would have to interpret the object relations for the target object and flatten them into metadata (key-value pairs) before feeding them to the enforce method.

Otherwise, we would have to change the Oslo policy to take object relationship into consideration. Or we would have to pass the filters to the backend and then filter the result on the way out.
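As an added illustration of the flattening problem described in this comment (not code from Keystone, oslo.policy or the commenter), here is a minimal stand-in for oslo.policy's `cred_key:%(target.attr)s` generic check; the rule, credential and project values are constructed, and the engine is a simplified re-implementation, not the real library.

```python
# Added illustration, not Keystone or oslo.policy code: a minimal stand-in
# for oslo.policy's "cred_key:%(target.attr)s" generic check, showing why
# the API layer must flatten object relations before calling enforce().
import re

_SUBST = re.compile(r"%\((?P<key>[^)]+)\)s")


def flatten(obj, prefix="target"):
    """Flatten nested dicts into dotted keys, e.g. target.project.domain_id."""
    flat = {}
    for key, value in obj.items():
        path = "%s.%s" % (prefix, key)
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def enforce(rule, target, creds):
    """Evaluate 'cred:%(target.key)s' clauses joined by ' and ' (flat only)."""
    # The engine compares credential attributes with flat target attributes;
    # it has no notion of what a project or domain is, or how they relate.
    for clause in rule.split(" and "):
        cred_key, _, template = clause.partition(":")
        match = _SUBST.fullmatch(template)
        if match is None:
            raise ValueError("unsupported clause: %r" % clause)
        key = match.group("key")
        if key not in target:  # relation never flattened: cannot pass
            return False
        if str(creds.get(cred_key)) != str(target[key]):
            return False
    return True


# Constructed sample: a domain admin acting on a project in its domain.
RULE = "domain_id:%(target.project.domain_id)s"
CREDS = {"user_id": "u1", "domain_id": "d1"}
PROJECT = {"id": "p1", "domain_id": "d1"}  # as the backend would return it


def check_with_flattening():
    return enforce(RULE, flatten({"project": PROJECT}), CREDS)


def check_without_flattening():
    # Before the backend call only the query filter (project id) is known.
    return enforce(RULE, {"target.project.id": "p1"}, CREDS)
```

The second check fails not because the admin lacks the role but because the project-to-domain relation was never materialised into the target dict, which is exactly the gap the comment points at.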