Hi, I was trying to fine tune some keystone policy rules. Basically I want to grant "create_project" action to user in "ops" role. And following are my steps.
1. Adding a new user "usr1"
2. Creating a new role "ops"
3. Granting this user an "ops" role in the "service" tenant
4. Adding new lines to the keystone policy file:

   "ops_required": [["role:ops"]],
   "admin_or_ops": [["rule:admin_required"], ["rule:ops_required"]],

5. Changing

   "identity:create_project": [["rule:admin_required"]],

   to

   "identity:create_project": [["rule:admin_or_ops"]],

6. Restarting the keystone service

keystone tenant-create with the credentials of user "usr1" still returns a 403 Forbidden error:

"You are not authorized to perform the requested action, admin_required. (HTTP 403)"

After a quick scan, it seems that the create_project function has a hard-coded assert_admin call [1], which does not respect the settings in the policy file. Any ideas why? Is it a bug to fix? Thanks!

BTW, I'm running the keystone havana release with the V2 API.

[1] https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L105

Thanks,
--
Qiu Yu
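The following is an added illustration, not part of the original post and not keystone's own code: a minimal evaluator for the legacy list-of-lists policy format used above (outer list = OR, inner list = AND, "rule:" atoms recurse, "role:" atoms match the caller's roles) run against a constructed policy fragment with the poster's edits. The "admin_required" definition is constructed to look like the stock one; v2_create_project_allowed models the behaviour the post describes, a hard-coded admin assertion that runs regardless of the policy rule, so the exact semantics of the real assert_admin call are an assumption here.

```python
import json

# Constructed policy fragment with the poster's edits applied (assumed, not copied from keystone).
POLICY_JSON = """
{
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "ops_required": [["role:ops"]],
    "admin_or_ops": [["rule:admin_required"], ["rule:ops_required"]],
    "identity:create_project": [["rule:admin_or_ops"]]
}
"""

def load_policy(text):
    """Parse the policy file into a dict of rule name -> list of AND-lists."""
    return json.loads(text)

def check_atom(atom, creds, rules):
    """Evaluate one "kind:value" atom against the caller's credentials."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return check_rule(value, creds, rules)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic atom: compare the named credential field to the literal value.
    return str(creds.get(kind)) == value

def check_rule(name, creds, rules):
    """Legacy format: a rule passes if ANY inner list has ALL of its atoms true.
    An unknown rule denies; an empty list (no alternatives) allows everyone."""
    alternatives = rules.get(name)
    if alternatives is None:
        return False
    if not alternatives:
        return True
    return any(all(check_atom(a, creds, rules) for a in conj) for conj in alternatives)

def policy_allows(action, creds, rules):
    """What the policy file alone says about an action."""
    return check_rule(action, creds, rules)

def v2_create_project_allowed(creds, rules):
    """Models the symptom in the post: the V2 controller asserts admin before
    (and independently of) the policy rule, so the rule edit cannot widen access."""
    if not check_rule("admin_required", creds, rules):  # hard-coded assertion (assumed shape)
        return False
    return policy_allows("identity:create_project", creds, rules)

if __name__ == "__main__":
    rules = load_policy(POLICY_JSON)
    usr1 = {"roles": ["ops"], "is_admin": 0}   # constructed credentials for the "ops" user
    print("policy says:", policy_allows("identity:create_project", usr1, rules))
    print("V2 controller says:", v2_create_project_allowed(usr1, rules))
```

Running it shows the split the poster observed: the policy evaluation grants "usr1" the action, while the modelled controller still refuses because the admin assertion never consults "admin_or_ops". When auditing such a change, checking the rule file is therefore not sufficient; the controller path for the specific API version has to be read as well.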
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev