[rdo-list] Understanding Policy.Json, for domain authorization

Adam Young ayoung at redhat.com
Tue Nov 1 21:54:54 UTC 2016


On 11/01/2016 05:17 PM, Taisto Qvist wrote:
> Hi folks,
>
> I've run into a wall with making openstack domain auth working, and I 
> don't know where to get help, so I am trying here. I've created a 
> question on:
>
> https://ask.openstack.org/en/question/98429/project-specific-admin-unable-to-list-users-or-use-horizon/
>
> ..but no-one seems to be able to help.
>
> Since I wrote that, I've gotten as far as creating a working 
> cloud-wide admin (the policy trigger for cloud_admin matching against 
> domain_id didn't seem to work for the default domain...?), and that 
> user is now working fine as super-mega-admin.
Can you post what your cloud_admin rule looks like?


>
> But my old admin user, that has admin rights only in the default 
> domain, admin project, can't list users, or projects, in the default 
> domain.

admin_and_matching_domain_id:  But his domain must not be matching: If 
he has a domain scoped token for another domain, it will not be valid 
for the default.

>
> And surely he should be able to, with the rules:
>
>     "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
>     "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
>
> I've tried to find comprehensive and up-to-date references on how to read 
> the policy.json syntax, but no success, so I am unsure how to 
> interpret the rule exactly.
> I tried changing to:
>
>     "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(/target/.domain_id)s",

Have you been using the CLI to test your changes? It might greatly 
simplify things.  I'd also recommend using pdb and actually stepping 
through the code executed:  you can learn a lot this way.

>
> after looking at the rule for:
>
>     "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",

Again, in this rule, you have explicit matching.  The token either needs 
to match the domain ID or the project ID.

>
> But it didn't help. During the failure, I can see keystone logging:
>
> 2016-11-01 22:16:24.521 4824 INFO keystone.common.wsgi 
> [req-46e3301f-f234-434b-a013-5aa2297b6119 admin_User 
> admin_Prj                        - default default] GET 
> http://172.16.12.100:35357/v3/projects/admin_Prj
>
> (where admin_Prj/User are the UUIDs, regexped)
>
> What is wrong? Where can I learn how to do this???
>
>

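As an added example (not code from the thread, nor keystone's or oslo.policy's own), a small Python evaluator for the rule syntax quoted above, showing why a domain-scoped token for another domain, or a project-scoped token with no domain_id in its credentials, fails "identity:list_users" while an explicit project_id match still passes "identity:get_project". The definitions of admin_required, cloud_admin (with a placeholder cloud_admin_domain) and admin_and_matching_target_project_domain_id, and the credential dicts, are assumptions constructed for the example.

```python
import re

# Constructed policy: the rules quoted in the thread plus assumed definitions of
# admin_required, cloud_admin and admin_and_matching_target_project_domain_id.
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:cloud_admin_domain",
    "admin_and_matching_domain_id":
        "rule:admin_required and domain_id:%(domain_id)s",
    "admin_and_matching_target_project_domain_id":
        "rule:admin_required and domain_id:%(target.project.domain_id)s",
    "identity:list_users":
        "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:get_project":
        "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
}

def flatten(d, prefix=""):  # {'target': {'project': {'id': 'p'}}} -> {'target.project.id': 'p'}
    out = {}
    for k, v in d.items():
        key = f"{prefix}.{k}" if prefix else k
        out.update(flatten(v, key) if isinstance(v, dict) else {key: v})
    return out

def check(atom, creds, target):  # evaluate one 'kind:value' atom
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return evaluate(POLICY[value], creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    m = re.fullmatch(r"%\((.+)\)s", value)
    if m:  # %(key)s is substituted from the target; an absent key never matches
        if m.group(1) not in target:
            return False
        value = target[m.group(1)]
    return creds.get(kind) == value  # e.g. the token's domain_id must equal it

def evaluate(expr, creds, target):  # 'or' binds looser than 'and'; no parens/'not'
    return any(all(check(a, creds, target) for a in clause.split(" and "))
               for clause in expr.split(" or "))

def enforce(action, creds, target):
    return evaluate(POLICY[action], creds, flatten(target))

# Constructed token credentials; a project-scoped token has no domain_id (assumed).
DEFAULT_DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "default"}
OTHER_DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "other_domain"}
ADMIN_PROJECT_ADMIN = {"roles": ["admin"], "project_id": "admin_Prj"}
```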


