Hello.

We have a user 'user1' in the tenant 'tenant1' with the assigned role '_member_'. We want to be able to list services with this user.

In the default policy.json files we can find the following rules:

    "admin_required": "role:admin or is_admin:1",
    "identity:list_services": "rule:admin_required",

As expected, 'keystone service-list' will fail with an HTTP error 403 ('admin_required').

Now we change the rule "admin_required" to

    "admin_required": "role:_member_ or role:admin or is_admin:1".

As expected, 'keystone service-list' is now working. But we want to be able to only list services; with this modification of the admin_required rule it is possible to list e.g. roles, too.

We undo the change to admin_required and change identity:list_services to

    "identity:list_services": "rule:admin_required or role:_member_",

'keystone service-list' will fail with an HTTP error 403 ('admin_required').

We change identity:list_services to

    "identity:list_services": "role:_member_",

'keystone service-list' will fail with an HTTP error 403 ('admin_required').

We change identity:list_services to

    "identity:list_services": "@",

'keystone service-list' will fail with an HTTP error 403 ('admin_required').

It looks like the modifications of identity:list_services are ignored. Any idea what we are doing wrong?

Christian.

-- 
Christian Berendt
Cloud Solution Architect
Mail: bere...@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
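As an added illustration (not part of Christian's mail and not Keystone's own code), the following Python script re-implements the small subset of the policy.json rule language used in the mail (role:, is_admin:, rule:, "@", "or"/"and") and evaluates the four policy variants against the '_member_' credentials. It shows what each edit does to the v3 'identity:list_services' rule, including the over-broad effect of widening admin_required on 'identity:list_roles', and it models a second enforcement path that checks 'admin_required' directly before serving a request and never consults 'identity:list_services'. That second path is my emulation of how the v2.0 admin API controllers behind the 'keystone' CLI gate requests via assert_admin(), which is consistent with the 403 ('admin_required') the mail reports for every edit; the evaluator itself, the credential dicts and the helper names are mine, and parentheses in rules are not supported.

```python
import json

# Constructed excerpt of Keystone's default policy.json (not the full file):
# the two rules quoted in the mail plus list_roles, to show the side effect.
DEFAULT_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:list_services": "rule:admin_required",
    "identity:list_roles": "rule:admin_required",
}

# Constructed credentials: the '_member_' user from the mail and an admin user.
MEMBER_CREDS = {"user_id": "user1", "tenant_id": "tenant1", "roles": ["_member_"]}
ADMIN_CREDS = {"user_id": "admin", "tenant_id": "admin", "roles": ["admin"]}


def check_atom(atom, creds, policy, depth):
    """Evaluate one 'kind:value' term the way oslo.policy's checks do."""
    if atom in ("", "@"):          # empty rule and '@' always pass
        return True
    if atom == "!":                # '!' always denies
        return False
    kind, _, value = atom.partition(":")
    if kind == "role":             # RoleCheck: role must be among the token's roles
        return value in creds.get("roles", [])
    if kind == "rule":             # RuleCheck: recurse into another named rule
        return enforce(policy, value, creds, depth + 1)
    # GenericCheck (e.g. is_admin:1): string comparison against the credential
    return kind in creds and str(creds[kind]) == value


def evaluate(expr, creds, policy, depth=0):
    """'and' binds tighter than 'or'; parentheses are not handled here."""
    if depth > 10:
        raise RecursionError("rule reference loop in policy")
    for clause in expr.split(" or "):
        if all(check_atom(a.strip(), creds, policy, depth) for a in clause.split(" and ")):
            return True
    return False


def enforce(policy, action, creds, depth=0):
    """Look up the rule for an action; unknown actions fall back to 'default'."""
    rule = policy.get(action, policy.get("default", "!"))
    return evaluate(rule, creds, policy, depth)


def v3_list_services_allowed(policy, creds):
    """v3 API path: the 'identity:list_services' rule alone decides."""
    return enforce(policy, "identity:list_services", creds)


def v2_list_services_allowed(policy, creds):
    """Emulation (my assumption, not Keystone code) of the v2 admin API path:
    'admin_required' is enforced up front and 'identity:list_services' is
    never consulted, so edits to the latter cannot change the outcome."""
    return enforce(policy, "admin_required", creds)


def with_rule(policy, name, rule):
    """Return a copy of the policy with one rule replaced."""
    new = dict(policy)
    new[name] = rule
    return new


def run_scenarios(creds=MEMBER_CREDS):
    """Evaluate the policy variants from the mail for the given credentials."""
    variants = {
        "default": DEFAULT_POLICY,
        "widened_admin_required": with_rule(
            DEFAULT_POLICY, "admin_required",
            "role:_member_ or role:admin or is_admin:1"),
        "scoped_list_services": with_rule(
            DEFAULT_POLICY, "identity:list_services",
            "rule:admin_required or role:_member_"),
        "open_list_services": with_rule(
            DEFAULT_POLICY, "identity:list_services", "@"),
    }
    return {
        name: {
            "v3_list_services": v3_list_services_allowed(policy, creds),
            "v3_list_roles": enforce(policy, "identity:list_roles", creds),
            "v2_list_services": v2_list_services_allowed(policy, creds),
        }
        for name, policy in variants.items()
    }


if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

Running the script shows the two behaviours side by side: the scoped and "@" variants open 'identity:list_services' to '_member_' on the v3 path while leaving 'identity:list_roles' closed, whereas the admin_required-first path stays at deny for every variant except the widened one.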