Hi,

I was trying to fine-tune some keystone policy rules. Basically I want to
grant the "create_project" action to users in the "ops" role. The following
are my steps.

1. Adding a new user "usr1"
2. Creating new role "ops"
3. Granting this user an "ops" role in the "service" tenant
4. Adding new lines to the keystone policy file

        "ops_required": [["role:ops"]],
        "admin_or_ops": [["rule:admin_required"], ["rule:ops_required"]],

5. Changing

        "identity:create_project": [["rule:admin_required"]],
    to
        "identity:create_project": [["rule:admin_or_ops"]],

6. Restarting the keystone service

keystone tenant-create with the credentials of user "usr1" still returns a
403 Forbidden error:
“You are not authorized to perform the requested action, admin_required.
(HTTP 403)”

After a quick scan, it seems that the create_project function has a
hard-coded assert_admin call [1], which does not respect the settings in the
policy file.

Any ideas why? Is it a bug to fix? Thanks!
BTW, I'm running the keystone Havana release with the V2 API.

[1]
https://github.com/openstack/keystone/blob/master/keystone/identity/controllers.py#L105

Thanks,
--
Qiu Yu
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
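The behaviour described in the post, as an added example that is not part of the original message and is not keystone's own code: a small model of the Havana-era policy.json semantics (outer list is OR, inner list is AND, atoms are "role:<name>" or "rule:<name>"), evaluated against the exact rules the poster added. It then contrasts a policy-driven create_project with one gated by a hard-coded admin check modeled after the v2 controller's assert_admin (the shape of that gate, the credential dictionaries, and all function names here are assumptions made for illustration). The policy file is constructed inline to mirror steps 4 and 5.

```python
"""Toy model of Havana-era keystone policy evaluation (illustration only)."""
import json

# Constructed policy fragment mirroring the rules from the post (not a real
# keystone policy.json; admin_required is assumed to be role-based here).
POLICY_JSON = r'''
{
    "admin_required": [["role:admin"]],
    "ops_required": [["role:ops"]],
    "admin_or_ops": [["rule:admin_required"], ["rule:ops_required"]],
    "identity:create_project": [["rule:admin_or_ops"]]
}
'''


class PolicyError(Exception):
    """Raised where keystone would answer HTTP 403."""


class Policy:
    """Evaluates the list-of-lists rule format: OR over clauses, AND within."""

    def __init__(self, rules):
        self.rules = rules

    @classmethod
    def from_json(cls, text):
        return cls(json.loads(text))

    def _check_atom(self, atom, creds):
        kind, _, value = atom.partition(":")
        if kind == "rule":           # reference to another named rule
            return self.check(value, creds)
        if kind == "role":           # role membership of the caller
            return value in creds.get("roles", [])
        # Generic "key:value" atom matched against a credential attribute.
        return str(creds.get(kind)) == value

    def check(self, rule_name, creds):
        clauses = self.rules.get(rule_name)
        if clauses is None:          # unknown rule: fail closed
            return False
        if clauses == []:            # empty rule means "always allow"
            return True
        return any(all(self._check_atom(a, creds) for a in clause)
                   for clause in clauses)

    def enforce(self, action, creds):
        if not self.check(action, creds):
            raise PolicyError("403 Forbidden: %s" % action)
        return True


POLICY = Policy.from_json(POLICY_JSON)

# Constructed credentials for the user in the post and for an admin.
USR1_CREDS = {"user_id": "usr1", "tenant": "service", "roles": ["ops"]}
ADMIN_CREDS = {"user_id": "admin", "tenant": "service", "roles": ["admin"]}


def assert_admin(policy, creds):
    """Assumed shape of the hard-coded gate: consults only admin_required."""
    if not policy.check("admin_required", creds):
        raise PolicyError("403 Forbidden: admin_required")


def create_project_v2(policy, creds):
    """Models the controller path the post describes: hard-coded gate first,
    so the per-action rule is never consulted."""
    assert_admin(policy, creds)
    return "project created"


def create_project_policy_driven(policy, creds):
    """What the poster expected: the action rule alone decides."""
    policy.enforce("identity:create_project", creds)
    return "project created"


def outcome(fn, policy, creds):
    """Run one variant and return either its result or the 403 message."""
    try:
        return fn(policy, creds)
    except PolicyError as exc:
        return str(exc)


if __name__ == "__main__":
    for name, fn in (("v2 (hard-coded assert_admin)", create_project_v2),
                     ("policy-driven", create_project_policy_driven)):
        print("%-30s usr1 -> %s" % (name, outcome(fn, POLICY, USR1_CREDS)))
        print("%-30s admin -> %s" % (name, outcome(fn, POLICY, ADMIN_CREDS)))
```

Running it shows that the policy itself already grants usr1 `identity:create_project` through `admin_or_ops`; the 403 carrying the `admin_required` rule name comes from a check that runs before, and independently of, the action rule. The practical check when debugging a 403 like this is therefore to confirm whether the failing rule name in the error matches the action you edited: if it does not, the decision was made by a different enforcement point than the one you changed.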