Is there any reason that the user can't just run keystone catalog which does not require admin permissions?
On 1/26/15, 4:58 AM, "Christian Berendt" <[email protected]> wrote:

> Hello.
>
> We have a user 'user1' in the tenant 'tenant1' with the assigned role '_member_'.
>
> We want to be able to list services with this user. In the default policy.json files we can find the following rules:
>
> "admin_required": "role:admin or is_admin:1",
> "identity:list_services": "rule:admin_required",
>
> As expected 'keystone service-list' will fail with a HTTP error 403 ('admin_required').
>
> Now we change the rule "admin_required" to
>
> "admin_required": "role:_member_ or role:admin or is_admin:1".
>
> As expected 'keystone service-list' is now working. But we want to be able to only list services; with this modification of the admin_required rule it is possible to list e.g. roles, too.
>
> We undo the change to admin_required and change identity:list_services to
>
> "identity:list_services": "rule:admin_required or role:_member_",
>
> 'keystone service-list' will fail with an HTTP error 403 ('admin_required').
>
> We change identity:list_services to
>
> "identity:list_services": "role:_member_",
>
> 'keystone service-list' will fail with an HTTP error 403 ('admin_required').
>
> We change identity:list_services to
>
> "identity:list_services": "@",
>
> 'keystone service-list' will fail with an HTTP error 403 ('admin_required').
>
> It looks like the modifications of identity:list_services are ignored.
>
> Any idea what we are doing wrong?
>
> Christian.
>
> --
> Christian Berendt
> Cloud Solution Architect
> Mail: [email protected]
>
> B1 Systems GmbH
> Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
> GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
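The least-privilege point in the quoted mail (widening the shared admin_required rule also opens list_roles, while a rule on identity:list_services alone does not) can be checked offline with a small evaluator for the policy.json syntax used above. This is an added example, not code from the thread or from Keystone/oslo.policy; the two policy dicts, the MEMBER credentials and the check/allowed_actions functions are constructed for illustration, and the evaluator only understands the operators the mail uses ('role:', 'is_admin:', 'rule:', '@', 'or'), so it says nothing about why the real deployment kept returning 403.

```python
import re

# Constructed policy fragments mirroring the two approaches in the thread:
# widening the shared "admin_required" base rule vs. granting one action directly.
POLICY_WIDENED = {
    "admin_required": "role:_member_ or role:admin or is_admin:1",
    "identity:list_services": "rule:admin_required",
    "identity:list_roles": "rule:admin_required",
}
POLICY_TARGETED = {
    "admin_required": "role:admin or is_admin:1",
    "identity:list_services": "rule:admin_required or role:_member_",
    "identity:list_roles": "rule:admin_required",
}


def check(policy, rule_name, creds, depth=0):
    """Hypothetical minimal evaluator (not oslo.policy) for the subset of
    policy.json syntax seen in the thread: 'role:<name>', 'is_admin:1',
    'rule:<other>', '@' (always allow), joined by 'or'. Unknown rules deny."""
    if depth > 10:
        raise RecursionError("rule cycle in policy")
    expr = policy.get(rule_name)
    if expr is None:
        return False
    for term in re.split(r"\s+or\s+", expr.strip()):
        if term == "@":
            return True
        kind, _, value = term.partition(":")
        if kind == "role" and value in creds.get("roles", []):
            return True
        if kind == "is_admin" and str(creds.get("is_admin", 0)) == value:
            return True
        if kind == "rule" and check(policy, value, creds, depth + 1):
            return True
    return False


def allowed_actions(policy, creds):
    """Return the set of identity:* actions these credentials may perform."""
    return {name for name in policy
            if name.startswith("identity:") and check(policy, name, creds)}


# Constructed credentials: user1 in tenant1 holding only '_member_'.
MEMBER = {"roles": ["_member_"], "is_admin": 0}

if __name__ == "__main__":
    print("widened admin_required:", sorted(allowed_actions(POLICY_WIDENED, MEMBER)))
    print("targeted rule:         ", sorted(allowed_actions(POLICY_TARGETED, MEMBER)))
```

Run against a real policy.json, the same comparison shows every action that a change to a base rule such as admin_required silently opens, which is what to review before widening it.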
