[Yahoo-eng-team] [Bug 1699060] Re: Impossible to define policy rule based on domain ID
@Ben, this has nothing to do with oslo-policy. It has to do with the values passed to oslo-policy in the creds dict. If the creds dict does not have domain-id populated in it, you can't enforce on it.

** Changed in: oslo.policy
   Status: Incomplete => Invalid

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1699060

Title:
  Impossible to define policy rule based on domain ID

Status in Glance: New
Status in OpenStack Heat: Triaged
Status in Manila: Opinion
Status in neutron: Opinion
Status in OpenStack Compute (nova): Opinion
Status in oslo.policy: Invalid
Status in watcher: Opinion

Bug description:
  We have a common approach to set rules for each API using the policy.json file. For the moment, it is not possible to use "domain_id" in policy rules, only "project_id" and "user_id". This is becoming very important because Keystone API v3 is used more and more. The only service that supports rules with "domain_id" is Keystone itself.

  As a result, we should be able to use the following rules:

    "admin_or_domain_owner": "is_admin:True or domain_id:%(domain_id)s",
    "domain_owner": "domain_id:%(domain_id)s",

  like this:

    "volume:get": "rule:domain_owner",

  or

    "volume:get": "rule:admin_or_domain_owner",

  Right now, we always get a 403 error with such rules.

  Related mail-list thread:
  https://openstack.nimeyo.com/115438/openstack-dev-all-policy-rules-for-apis-based-on-domain_id

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1699060/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
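The point made in the comment above, that a rule like "domain_id:%(domain_id)s" can only pass if the creds dict actually carries a domain_id, is easiest to see by running the bug's own rules through a small model of how oslo.policy evaluates checks. The following is an added example for this archive, not code from the bug report, from oslo.policy or from any OpenStack service. It is a simplified re-implementation of the GenericCheck, RoleCheck, RuleCheck, "and" and "or" semantics (assumptions: no parentheses or "not", and an action with no rule is denied instead of falling back to a default rule), fed with constructed creds and target dicts that stand in for a request context and a volume.

```python
"""Minimal model of oslo.policy rule evaluation, for illustration only.

Simplified re-implementation (assumption: close enough to oslo.policy's
GenericCheck / RoleCheck / RuleCheck / AndCheck / OrCheck for the rules in
bug 1699060).  Not oslo.policy itself: no parentheses, no "not", and an
action without a rule is denied rather than falling back to "default".
"""
import ast
import re

_OR_SPLIT = re.compile(r"\s+or\s+")
_AND_SPLIT = re.compile(r"\s+and\s+")


def _generic_check(kind, match, target, creds):
    """The 'key:value' check.  The right side is %-formatted from the target
    (the resource acted on); the left side is either a literal (e.g. the
    "True" in "True:%(is_public)s") or a key looked up in creds (the caller's
    token-derived context).  A key missing on EITHER side fails closed, which
    is what a service turns into the 403 the bug report describes."""
    try:
        expected = match % target
    except KeyError:
        return False  # the target carries no such attribute
    try:
        left = ast.literal_eval(kind)
    except (ValueError, SyntaxError):
        try:
            left = creds
            for part in kind.split("."):
                left = left[part]
        except (KeyError, TypeError):
            return False  # creds has no such key (e.g. no domain_id)
    return str(left) == expected


def _role_check(match, creds):
    """'role:name' is matched case-insensitively against creds['roles']."""
    return match.lower() in (r.lower() for r in creds.get("roles", []))


def _evaluate(expr, rules, target, creds, depth=0):
    """Evaluate one rule expression; 'and' binds tighter than 'or'."""
    if depth > 20:
        raise RecursionError("rule reference cycle")
    expr = expr.strip()
    if expr in ("", "@"):
        return True   # empty rule or '@': always allowed
    if expr == "!":
        return False  # '!': never allowed
    alts = _OR_SPLIT.split(expr)
    if len(alts) > 1:
        return any(_evaluate(a, rules, target, creds, depth + 1) for a in alts)
    conj = _AND_SPLIT.split(expr)
    if len(conj) > 1:
        return all(_evaluate(c, rules, target, creds, depth + 1) for c in conj)
    kind, _, match = expr.partition(":")
    if kind == "rule":  # 'rule:name' recurses into the named rule
        return match in rules and _evaluate(rules[match], rules, target, creds, depth + 1)
    if kind == "role":
        return _role_check(match, creds)
    return _generic_check(kind, match, target, creds)


def enforce(rules, action, target, creds):
    """True if the action is allowed; a service maps False to HTTP 403."""
    return _evaluate(rules.get(action, "!"), rules, target, creds)


# The rules proposed in the bug report, with the volume action bound to them.
RULES = {
    "admin_or_domain_owner": "is_admin:True or domain_id:%(domain_id)s",
    "domain_owner": "domain_id:%(domain_id)s",
    "volume:get": "rule:admin_or_domain_owner",
}

# Constructed sample data (not from the bug report).
# The volume's attributes, as a service would pass them as the target dict.
VOLUME = {"user_id": "u-1", "project_id": "p-1", "domain_id": "d-1"}
# creds as services typically build them from the request context:
# user, project, roles, is_admin, but no domain_id.
CREDS_NO_DOMAIN = {"user_id": "u-1", "project_id": "p-1",
                   "roles": ["member"], "is_admin": False}
# creds that additionally carry the domain taken from the Keystone v3 token.
CREDS_WITH_DOMAIN = dict(CREDS_NO_DOMAIN, domain_id="d-1")


def outcomes():
    """Same rules, same volume; only creds (or, once, the target) differ."""
    return {
        # the situation in the bug: creds lack domain_id -> always 403
        "creds_without_domain_id": enforce(RULES, "volume:get", VOLUME, CREDS_NO_DOMAIN),
        # creds populated with domain_id -> the domain's owner is allowed
        "creds_with_domain_id": enforce(RULES, "volume:get", VOLUME, CREDS_WITH_DOMAIN),
        # a caller from another domain is refused
        "other_domain": enforce(RULES, "volume:get", VOLUME,
                                dict(CREDS_WITH_DOMAIN, domain_id="d-2")),
        # admin short-circuits the 'or' regardless of domain
        "admin_without_domain_id": enforce(RULES, "volume:get", VOLUME,
                                           dict(CREDS_NO_DOMAIN, is_admin=True)),
        # creds are fine, but the service put no domain_id on the target
        "target_without_domain_id": enforce(RULES, "volume:get",
                                            {"project_id": "p-1"}, CREDS_WITH_DOMAIN),
    }


if __name__ == "__main__":
    for name, allowed in outcomes().items():
        print(f"{name:26s} -> {'allowed' if allowed else '403 Forbidden'}")
```

The two failing scenarios show both halves of the problem: the comment's point (creds without domain_id can never satisfy the rule, so the rule alone buys nothing) and the reason the thread treats this as a per-service change (the resource's target dict must also carry a domain_id for the %(domain_id)s substitution to succeed). Neither is something the policy file can fix on its own.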
[Yahoo-eng-team] [Bug 1699060] Re: Impossible to define policy rule based on domain ID
** Changed in: watcher
   Importance: Undecided => Wishlist

** Changed in: watcher
   Status: New => Opinion
[Yahoo-eng-team] [Bug 1699060] Re: Impossible to define policy rule based on domain ID
I agree with Sean. It is worth tackling as a cross-project topic. As an individual project, neutron triages this in the same way as nova does.

** Changed in: neutron
   Status: New => Opinion

** Changed in: neutron
   Importance: Undecided => Wishlist
[Yahoo-eng-team] [Bug 1699060] Re: Impossible to define policy rule based on domain ID
Agree with above. If we want this, this needs to be a general policy change across projects, and not something each project needs to address. This is a new feature request (probably for oslo.policy) and not a bug.

** Also affects: oslo.policy
   Importance: Undecided
   Status: New

** No longer affects: cinder
[Yahoo-eng-team] [Bug 1699060] Re: Impossible to define policy rule based on domain ID
** Changed in: manila
   Importance: Undecided => Wishlist

** Changed in: manila
   Status: New => Opinion
[Yahoo-eng-team] [Bug 1699060] Re: Impossible to define policy rule based on domain ID
Items like this for Nova would definitely need a spec; it's not a bug.

** Changed in: nova
   Status: New => Opinion

** Changed in: nova
   Importance: Undecided => Wishlist
[Yahoo-eng-team] [Bug 1699060] Re: Impossible to define policy rule based on domain ID
Mass opening bugs is definitely not going to solve this. Also, it's not quite clear from the bug or the mail what the projects should or shouldn't do. Is it really an issue with oslo.policy?

** No longer affects: murano
[Yahoo-eng-team] [Bug 1699060] Re: Impossible to define policy rule based on domain ID
Please don't create these OpenStack-wide bugs; it spams everyone. I've removed the telemetry projects, but feel free to apply patches to them (don't do it for ceilometer since it doesn't have an active API).

** No longer affects: aodh

** No longer affects: ceilometer

** No longer affects: panko
[Yahoo-eng-team] [Bug 1699060] Re: Impossible to define policy rule based on domain ID
** Also affects: aodh
   Importance: Undecided
   Status: New

** Also affects: panko
   Importance: Undecided
   Status: New
[Yahoo-eng-team] [Bug 1699060] Re: Impossible to define policy rule based on domain ID
** Also affects: ceilometer
   Importance: Undecided
   Status: New
[Yahoo-eng-team] [Bug 1699060] Re: Impossible to define policy rule based on domain ID
** Also affects: watcher
   Importance: Undecided
   Status: New