Comment 6 for bug 1651989

Frode Nordahl (fnordahl) wrote :

Using Mitaka Keystone with the v3 sample policy after commit of change https://review.openstack.org/411563 reverts the desired effects of https://review.openstack.org/#/c/242232/ and https://blueprints.launchpad.net/keystone/+spec/is-admin-project

A simple check is to attempt to list domains with a token scoped to the project and domain referenced by admin_project_name and admin_project_domain_name in /etc/keystone.conf, and to compare the results with a policy file from before and after the change.

The admin_domain_id placeholder is of course replaced with the actual UUID of the domain used in the test.

Before the change:
(keystone.common.controller): 2017-02-01 10:43:29,828 DEBUG RBAC: Adding query filter params ()
(keystone.common.controller): 2017-02-01 10:43:29,828 DEBUG RBAC: Authorizing identity:list_domains()
(keystone.common.controller): 2017-02-01 10:43:29,828 DEBUG RBAC: using auth context from the request environment
(keystone.policy.backends.rules): 2017-02-01 10:43:29,829 DEBUG enforce identity:list_domains: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'47e2b6a7df204ebfb9e7245e97c2f345', 'roles': [u'Admin', u'Member'], 'user_domain_id': u'fe4e322a8a6942f1a8fe7de8167f0a6f', 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=slIt9et9SWefByiRQV4Grw, audit_chain_id=slIt9et9SWefByiRQV4Grw) at 0x7fae3a9f1be0>, 'project_id': u'10f4dfe3abea45d4be6ee11a57934f89', 'trust_id': None, 'project_domain_id': u'fe4e322a8a6942f1a8fe7de8167f0a6f'}
(keystone.common.controller): 2017-02-01 10:43:29,830 DEBUG RBAC: Authorization granted

After the change:
(keystone.common.controller): 2017-02-01 10:45:26,059 DEBUG RBAC: Adding query filter params ()
(keystone.common.controller): 2017-02-01 10:45:26,060 DEBUG RBAC: Authorizing identity:list_domains()
(keystone.common.controller): 2017-02-01 10:45:26,060 DEBUG RBAC: using auth context from the request environment
(keystone.policy.backends.rules): 2017-02-01 10:45:26,060 DEBUG enforce identity:list_domains: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'47e2b6a7df204ebfb9e7245e97c2f345', 'roles': [u'Admin', u'Member'], 'user_domain_id': u'fe4e322a8a6942f1a8fe7de8167f0a6f', 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=Yo3-eosNTHqmjTfDGa9Hpw, audit_chain_id=Yo3-eosNTHqmjTfDGa9Hpw) at 0x7fb75cbaa3c8>, 'project_id': u'10f4dfe3abea45d4be6ee11a57934f89', 'trust_id': None, 'project_domain_id': u'fe4e322a8a6942f1a8fe7de8167f0a6f'}
(oslo_policy._cache_handler): 2017-02-01 10:45:26,061 DEBUG Reloading cached file /etc/keystone/policy.json
(oslo_policy.policy): 2017-02-01 10:45:26,070 DEBUG Reloaded policy file: /etc/keystone/policy.json
(keystone.common.wsgi): 2017-02-01 10:45:26,071 WARNING You are not authorized to perform the requested action: identity:list_domains

I believe this is a regression and the change is either incomplete or in error.
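The check described in this comment, scripted as an added example (this is not code from the bug report or from the Keystone project). It builds the Keystone v3 password request scoped to the admin project, fetches the token and calls GET /v3/domains, then parses the RBAC debug lines Keystone writes so the before/after policy runs can be compared mechanically. The Keystone URL, user and password are placeholders; the two log excerpts embedded at the bottom are abridged copies of the lines quoted above, constructed as test input, and the regular expressions are written against exactly those line shapes. Only the standard library is used.

```python
import json
import re
import urllib.error
import urllib.request


def scoped_token_request(username, password, user_domain, project, project_domain):
    """Keystone v3 password auth scoped to a project by name.  Pass the names set
    as admin_project_name / admin_project_domain_name in keystone.conf so the
    token is the one the v3 cloud sample policy treats as cloud admin."""
    user = {"name": username, "domain": {"name": user_domain}, "password": password}
    scope = {"project": {"name": project, "domain": {"name": project_domain}}}
    return {"auth": {"identity": {"methods": ["password"], "password": {"user": user}},
                     "scope": scope}}


def get_token(keystone_url, body):
    """POST /v3/auth/tokens; Keystone returns the token in X-Subject-Token."""
    req = urllib.request.Request(keystone_url.rstrip("/") + "/v3/auth/tokens",
                                 data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers["X-Subject-Token"]


def list_domains_status(keystone_url, token):
    """GET /v3/domains; 200 means identity:list_domains was authorized, 403 that
    the loaded policy denied it (the WARNING line in the log below)."""
    req = urllib.request.Request(keystone_url.rstrip("/") + "/v3/domains",
                                 headers={"X-Auth-Token": token})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Patterns for the keystone.common.controller / .wsgi / policy.backends lines.
_AUTHZ = re.compile(r"RBAC: Authorizing (?P<action>[\w:]+)\(\)")
_GRANT = re.compile(r"RBAC: Authorization granted")
_DENY = re.compile(r"not authorized to perform the requested action: (?P<action>[\w:]+)")
_FIELD = re.compile(r"'(?P<key>roles|user_id|user_domain_id|project_id|project_domain_id)': "
                    r"(?P<val>\[[^\]]*\]|u?'[^']*')")


def rbac_decisions(log_text):
    """Pair each 'RBAC: Authorizing <action>()' with the grant or denial that
    follows it.  Returns {action: 'granted' | 'denied' | 'unknown'}."""
    decisions, pending = {}, None
    for line in log_text.splitlines():
        if m := _AUTHZ.search(line):
            pending = m.group("action")
            decisions[pending] = "unknown"
        elif pending and _GRANT.search(line):
            decisions[pending] = "granted"
            pending = None
        elif m := _DENY.search(line):
            decisions[m.group("action")] = "denied"
            pending = None
    return decisions


def auth_context(log_text):
    """Pull the scope fields out of the 'enforce <action>: {...}' line, so the
    token can be confirmed as scoped to the admin project before trusting the
    outcome (a wrongly scoped token would be denied under either policy)."""
    ctx = {}
    for m in _FIELD.finditer(log_text):
        raw = m.group("val")
        if raw.startswith("["):
            ctx[m.group("key")] = re.findall(r"u?'([^']*)'", raw)
        else:
            ctx[m.group("key")] = raw.lstrip("u").strip("'")
    return ctx


def regressions(before_log, after_log):
    """Actions whose RBAC outcome differs between the two policy runs."""
    before, after = rbac_decisions(before_log), rbac_decisions(after_log)
    return [(a, before.get(a, "unknown"), after.get(a, "unknown"))
            for a in sorted(set(before) | set(after)) if before.get(a) != after.get(a)]


# Constructed test input: abridged copies of the two excerpts quoted in the
# comment, with the auth context cut down to the fields parsed above.
BEFORE_LOG = """\
(keystone.common.controller): 2017-02-01 10:43:29,828 DEBUG RBAC: Authorizing identity:list_domains()
(keystone.policy.backends.rules): 2017-02-01 10:43:29,829 DEBUG enforce identity:list_domains: {'user_id': u'47e2b6a7df204ebfb9e7245e97c2f345', 'roles': [u'Admin', u'Member'], 'user_domain_id': u'fe4e322a8a6942f1a8fe7de8167f0a6f', 'project_id': u'10f4dfe3abea45d4be6ee11a57934f89', 'project_domain_id': u'fe4e322a8a6942f1a8fe7de8167f0a6f'}
(keystone.common.controller): 2017-02-01 10:43:29,830 DEBUG RBAC: Authorization granted
"""
AFTER_LOG = """\
(keystone.common.controller): 2017-02-01 10:45:26,060 DEBUG RBAC: Authorizing identity:list_domains()
(keystone.policy.backends.rules): 2017-02-01 10:45:26,060 DEBUG enforce identity:list_domains: {'user_id': u'47e2b6a7df204ebfb9e7245e97c2f345', 'roles': [u'Admin', u'Member'], 'user_domain_id': u'fe4e322a8a6942f1a8fe7de8167f0a6f', 'project_id': u'10f4dfe3abea45d4be6ee11a57934f89', 'project_domain_id': u'fe4e322a8a6942f1a8fe7de8167f0a6f'}
(keystone.common.wsgi): 2017-02-01 10:45:26,071 WARNING You are not authorized to perform the requested action: identity:list_domains
"""

if __name__ == "__main__":
    print("auth context:", auth_context(BEFORE_LOG))
    print("changed decisions:", regressions(BEFORE_LOG, AFTER_LOG))
```

To run the live half of the check, call `get_token(url, scoped_token_request(...))` and `list_domains_status(url, token)` once per policy file (restart or let oslo.policy reload Keystone between runs), then feed the corresponding slices of the Keystone debug log to `regressions()`; the `auth_context()` fields should show the same project_id and project_domain_id in both runs, which is what isolates the policy file as the variable.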