I think the keystone client is still V2 by default, which enforces admin_required.

Try this:

    "admin_required": [["role:KeystoneAdmin"], ["role:admin"], ["is_admin:1"]],

Guang

From: Openstack [mailto:openstack-bounces+guang.yee=hp....@lists.launchpad.net] On Behalf Of Adam Young
Sent: Thursday, June 06, 2013 7:28 PM
To: Heiko Krämer; openstack
Subject: Re: [Openstack] [Keystone] Policy settings not working correctly

What is the actual question here? Is it "why is this failing" or "why was it done that way?"

On 06/04/2013 07:47 AM, Heiko Krämer wrote:
> Heyho guys :)
>
> I've a little problem with policy settings in keystone. I've created a new rule in my policy file and restarted keystone, but in keystone I don't have privileges.

What is the rule?

> Example:
>
>     keystone user-create --name kadmin --pw lala
>     keystone user-role-add --user kadmin --role KeystoneAdmin --tenant admin
>     keystone role-list
>     +----------------------------------+----------------------+
>     |                id                |         name         |
>     +----------------------------------+----------------------+
>     | 3f5c0af585db46aeaec49da28900de28 |    KeystoneAdmin     |
>     | dccfed0bd790420bbf1982686cbf7e31 | KeystoneServiceAdmin |
>     +----------------------------------+----------------------+
>
>     cat /etc/keystone/policy.json
>     {
>       "admin_required": [["role:admin"], ["is_admin:1"]],
>       "owner" : [["user_id:%(user_id)s"]],
>       "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
>       "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
>       "default": [["rule:admin_required"]],
>       [.....]
>       "identity:list_users": [["rule:admin_or_kadmin"]],
>       [....]
>
>     <loading kadmin creds>
>     keystone user-list
>     Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)
>
> In the log file I see:
>
>     DEBUG [keystone.policy.backends.rules] enforce admin_required: {'tenant_id': u'b33bf3927d4e449a98cec4a883148110', 'user_id': u'46a6a9e429db483f8346f0259e99d6a5', u'roles': [u'KeystoneAdmin']}
>
> Why does keystone enforce the admin_required rule instead of the defined rule (admin_or_kadmin)?

Historical reasons. We are trying to clean this up.

> Keystone conf:
>
>     [...]
>     # Path to your policy definition containing identity actions
>     policy_file = policy.json
>     [..]
>     [policy]
>     driver = keystone.policy.backends.rules.Policy
>
> Anyone have an idea?
>
> Thx and greetings
> Heiko
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
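The policy fragment quoted in the thread and Guang's proposed change, as an added worked example (not code from the thread, from Keystone, or from any of the posters): a small Python evaluator for the list-of-lists policy.json rule language Keystone used at the time (outer list = OR of alternatives, inner list = AND of checks), run against the credentials printed in Heiko's DEBUG log line. It shows that the per-action rule identity:list_users would already admit kadmin, that admin_required alone rejects those creds (the 403 in the log), and that Guang's amended admin_required admits them. The caveat a practitioner should check before applying that workaround: because the rule being widened is admin_required itself, it now passes for every action that enforces admin_required directly or falls through to "default", not only user-list. The check semantics (rule:, role:, generic key:value with %(...)s interpolation from the target) are assumed from the quoted fragment, and identity:delete_user below is only a stand-in for an action not listed in the quoted policy.

```python
"""Added example, not code from the thread or from Keystone: a minimal
evaluator for the list-of-lists policy.json language (outer list = OR of
alternatives, inner list = AND of checks).

Check kinds handled (assumed from the rules quoted in the thread):
  rule:NAME    recurse into another named rule
  role:NAME    case-insensitive lookup in creds["roles"]
  KEY:VALUE    generic check: VALUE, after %(...)s interpolation from the
               target, must equal str(creds[KEY]); this covers both
               is_admin:1 and user_id:%(user_id)s
"""
from typing import Dict, List, Optional

Policy = Dict[str, List[List[str]]]

# The rules quoted from Heiko's policy.json.
ORIGINAL_POLICY: Policy = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
    "default": [["rule:admin_required"]],
    "identity:list_users": [["rule:admin_or_kadmin"]],
}

# The same policy with Guang's suggested admin_required rule.
PATCHED_POLICY: Policy = dict(
    ORIGINAL_POLICY,
    admin_required=[["role:KeystoneAdmin"], ["role:admin"], ["is_admin:1"]],
)

# Credentials exactly as printed in Heiko's DEBUG log line.
KADMIN_CREDS = {
    "tenant_id": "b33bf3927d4e449a98cec4a883148110",
    "user_id": "46a6a9e429db483f8346f0259e99d6a5",
    "roles": ["KeystoneAdmin"],
}


def _check(expr: str, target: dict, creds: dict, policy: Policy) -> bool:
    """Evaluate one 'kind:match' check against creds and target."""
    kind, _, match = expr.partition(":")
    if kind == "rule":
        return enforce(match, creds, policy, target)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        match = match % target          # e.g. user_id:%(user_id)s
    except KeyError:
        return False                    # target lacks the interpolated key
    if kind not in creds:
        return False                    # e.g. no is_admin key in the creds
    return match == str(creds[kind])


def enforce(rule: str, creds: dict, policy: Policy,
            target: Optional[dict] = None) -> bool:
    """True when creds satisfy `rule`; unknown rules fall back to 'default'."""
    target = target or {}
    alternatives = policy.get(rule, policy.get("default", []))
    return any(
        all(_check(expr, target, creds, policy) for expr in conjunction)
        for conjunction in alternatives
    )


if __name__ == "__main__":
    # identity:delete_user is a stand-in for any action not in the quoted
    # fragment; it falls through to "default", i.e. to admin_required.
    for name, policy in (("original", ORIGINAL_POLICY), ("patched", PATCHED_POLICY)):
        for rule in ("identity:list_users", "admin_required", "identity:delete_user"):
            print(f"{name:8} {rule:22} -> {enforce(rule, KADMIN_CREDS, policy)}")
```

Run as a script it prints the decision for each rule under both policies; the "patched" column is the one to read before adopting Guang's workaround, since it shows the unlisted action now passing for kadmin as well.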