Keystone policy.json not matching domain_id

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned |
Bug Description
Environment: Queens installed using Kolla Ansible 6.1.0 on CentOS 7.5
I created a rule in the Keystone policy.json that should match a custom role (domain_admin) and match the domain_id. I tried four variations; only the last one worked, and it has the domain_id hard-coded:
# "domain_
# "domain_
# "domain_
"domain_
The goal was to use this rule for the project creation permission like this:
"identity:
However, I always got an error when creating a project with a test user who belongs to the domain_admin role and the respective domain (e93d848b2a274c
Forbidden: You are not authorized to perform the requested action: identity:
until I hard-coded the domain_id in the policy.json file, which led me to believe that the syntax for the variable-driven "domain_
The user has the appropriate role assignment (note that this is a test system, not production, so names and UUIDs can be publicly listed in this ticket):
openstack role assignment list --domain e93d848b2a274cb
+------
| Role | User | Group | Project | Domain | Inherited |
+------
| 13cf2d56ff594a5
+------
The respective UUIDs are listed here (filtered by hand to only include this role):
openstack role list
+------
| ID | Name |
+------
| 13cf2d56ff594a5
+------
openstack user list
+------
| ID | Name |
+------
| ad6038fe42564ba
+------
openstack domain list
+------
| ID | Name | Enabled | Description |
+------
| e93d848b2a274cb
+------
Am I missing something obvious in the policy.json file?
Thanks!
Eric
I should have mentioned the command that I'm running to attempt to create a project using this account:
openstack --debug project create --domain e93d848b2a274cb588676e029ae53348 TestProject
which results in:
Forbidden: You are not authorized to perform the requested action: identity:create_project. (HTTP 403)
Changing the policy.json file so it uses this hard-coded domain permission:
"admin_and_matching_domain_id": "role:domain_admin and domain_id:e93d848b2a274cb588676e029ae53348",
"domain_
results in the proper execution:
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | e93d848b2a274cb588676e029ae53348 |
| enabled     | True                             |
| id          | 1b0cf36732fd4dee8a204721a39ab198 |
| is_domain   | False                            |
| name        | TestProject                      |
| parent_id   | e93d848b2a274cb588676e029ae53348 |
| tags        | []                               |
+-------------+----------------------------------+
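Editor's added example, not part of the bug report and not keystone or oslo.policy code: a small Python model of the oslo.policy check semantics the report is relying on, using the domain UUID and role name from the ticket. The model's one assumption (labelled in the code) is that keystone hands the enforcer the create_project request body as the target under the key `project`, flattened to dotted keys such as `project.domain_id`; that is the attribute keystone's own policy.v3cloudsample.json references as `%(project.domain_id)s`. Under that assumption, a rule written against `%(domain_id)s` cannot match the target (the key is absent, so the check is false) while the hard-coded UUID matches the caller's credentials directly, which is exactly the behaviour described above. The rule names `admin_and_matching_project_domain_id` and `admin_and_hardcoded_domain_id` are invented for the illustration.

```python
"""Toy model of oslo.policy rule evaluation (constructed illustration).

Supported atoms, mirroring oslo.policy's RoleCheck / GenericCheck / RuleCheck:
  role:X          X must be one of the caller's roles
  key:literal     creds[key] == literal            (the hard-coded variant)
  key:%(attr)s    creds[key] == target[attr]; a missing target attr fails
  rule:name       look up another named rule
  "a and b", "a or b" combine atoms ("or" binds looser; no parentheses).
ASSUMPTION: keystone flattens the policy target to dotted keys before
enforcement, so the request body {"project": {...}} yields "project.domain_id".
"""
import re
from typing import Any, Dict

# Values taken from the bug report (the reporter's test system).
DOMAIN_ID = "e93d848b2a274cb588676e029ae53348"
ROLE_NAME = "domain_admin"

# Rule names other than admin_and_matching_domain_id are invented here.
RULES = {
    "admin_and_matching_domain_id":
        f"role:{ROLE_NAME} and domain_id:%(domain_id)s",
    "admin_and_matching_project_domain_id":
        f"role:{ROLE_NAME} and domain_id:%(project.domain_id)s",
    "admin_and_hardcoded_domain_id":
        f"role:{ROLE_NAME} and domain_id:{DOMAIN_ID}",
    "identity:create_project":
        "rule:admin_and_matching_project_domain_id",
}


def flatten(d: Dict[str, Any], prefix: str = "") -> Dict[str, str]:
    """Turn {"project": {"domain_id": X}} into {"project.domain_id": X}."""
    out: Dict[str, str] = {}
    for k, v in d.items():
        key = f"{prefix}{k}"
        if isinstance(v, dict):
            out.update(flatten(v, key + "."))
        else:
            out[key] = str(v)
    return out


def _check(atom: str, target: Dict[str, str], creds: Dict[str, Any],
           rules: Dict[str, str]) -> bool:
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return evaluate(rules[match], target, creds, rules)
    if kind == "role":
        return match in creds.get("roles", [])
    # GenericCheck: substitute %(attr)s from the target; an attribute that is
    # not in the target raises KeyError, which oslo.policy treats as "no match".
    try:
        match = match % target
    except KeyError:
        return False
    return match == str(creds.get(kind))


def evaluate(expr: str, target: Dict[str, str], creds: Dict[str, Any],
             rules: Dict[str, str]) -> bool:
    return any(
        all(_check(atom.strip(), target, creds, rules)
            for atom in re.split(r"\s+and\s+", clause))
        for clause in re.split(r"\s+or\s+", expr.strip())
    )


def enforce(rule_name: str, target: Dict[str, Any], creds: Dict[str, Any]) -> bool:
    """Evaluate a named rule against a nested target and the caller's creds."""
    return evaluate(RULES[rule_name], flatten(target), creds, RULES)


# Constructed caller: the reporter's test user, domain_admin in the domain.
CREDS = {"domain_id": DOMAIN_ID, "roles": [ROLE_NAME]}
# Constructed target: the create_project request body (see ASSUMPTION above).
TARGET = {"project": {"name": "TestProject", "domain_id": DOMAIN_ID}}

if __name__ == "__main__":
    for name in RULES:
        print(f"{name:45s} -> {enforce(name, TARGET, CREDS)}")
```

Running the block prints a false result for `admin_and_matching_domain_id` and true for the `project.domain_id` and hard-coded variants with the same credentials, which is the split the ticket reports. The hard-coded rule is the weaker design: it only ever grants one domain, and it has to be copied per domain, whereas a rule keyed on the correct target attribute scales to every domain and still refuses a domain_admin from a different domain.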