[rdo-list] Understanding Policy.Json, for domain authorization

Taisto Qvist taisto.qvist at gmail.com
Tue Nov 1 21:17:51 UTC 2016


Hi folks,

I've run into a wall with making OpenStack domain auth work, and I don't
know where to get help, so I am trying here. I've created a question on:

https://ask.openstack.org/en/question/98429/project-specific-admin-unable-to-list-users-or-use-horizon/

..but no-one seems to be able to help.

Since I wrote that, I've gotten as far as creating a working cloud-wide
admin (the policy trigger for cloud_admin matching against domain_id didn't
seem to work for the default domain...?), and that user is now working fine
as super-mega-admin.

But my old admin user, who has admin rights only in the default domain,
admin project, can't list users, or projects, in the default domain.

And surely he should be able to, with the rules:

    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",

I've tried to find comprehensive and up-to-date references on how to read the
policy.json syntax, but with no success, so I am unsure how to interpret the
rule exactly.
I tried changing to:

    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(target.domain_id)s",

after looking at the rule for:

    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",

But it didn't help. During the failure, I can see keystone logging:

    2016-11-01 22:16:24.521 4824 INFO keystone.common.wsgi [req-46e3301f-f234-434b-a013-5aa2297b6119 admin_User admin_Prj - default default] GET http://172.16.12.100:35357/v3/projects/admin_Prj

(where admin_Prj/admin_User are the UUIDs, regexped)

What is wrong? Where can I learn how to do this???
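To make the rule syntax above concrete, here is an added example, not keystone or oslo.policy code, that evaluates a small constructed policy fragment the way the generic check works: the left side of `domain_id:%(domain_id)s` names a key in the token's credentials, and the `%(...)s` on the right is substituted from the flattened target dict (so `%(target.domain_id)s` reads a nested key). It contrasts a domain-scoped admin token against a project-scoped one, whose credentials carry project_id rather than domain_id; parentheses in rules are not supported in this simplified evaluator.

```python
import re

# Constructed, simplified policy fragment in keystone's cloudsample style.
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}

# Constructed credentials, shaped like the auth context keystone derives from a token.
DOMAIN_SCOPED_ADMIN = {"user_id": "u1", "roles": ["admin"], "domain_id": "default"}
PROJECT_SCOPED_ADMIN = {"user_id": "u1", "roles": ["admin"], "project_id": "p1"}  # no domain_id
CLOUD_ADMIN = {"user_id": "u2", "roles": ["admin"], "domain_id": "admin_domain_id"}

_SUBST = re.compile(r"%\((?P<key>[^)]+)\)s")


def flatten(d, prefix=""):
    """{'target': {'domain_id': 'x'}} -> {'target.domain_id': 'x'}, so %(target.domain_id)s resolves."""
    out = {}
    for k, v in d.items():
        if isinstance(v, dict):
            out.update(flatten(v, f"{prefix}{k}."))
        else:
            out[f"{prefix}{k}"] = v
    return out


def check_atom(atom, creds, target):
    kind, _, match = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return enforce(POLICY[match], creds, target)
    if kind == "role":                      # role carried by the token
        return match in creds.get("roles", [])
    # Generic check: `kind` names a credential key; `match` is a literal, or a
    # %(key)s reference resolved against the flattened target (missing key -> False).
    ref = _SUBST.fullmatch(match)
    if ref:
        if ref.group("key") not in target:
            return False
        match = str(target[ref.group("key")])
    return kind in creds and str(creds[kind]) == match


def enforce(rule, creds, target):
    """'and' binds tighter than 'or'; parentheses are not supported here."""
    target = flatten(target)
    return any(all(check_atom(a.strip(), creds, target) for a in clause.split(" and "))
               for clause in rule.split(" or "))


if __name__ == "__main__":
    for name, creds in [("domain-scoped", DOMAIN_SCOPED_ADMIN), ("project-scoped", PROJECT_SCOPED_ADMIN)]:
        print(name, enforce(POLICY["identity:list_users"], creds, {"domain_id": "default"}))
```

Running it prints True for the domain-scoped token and False for the project-scoped one against the same target, which is the difference between the two credential shapes rather than between the two rule spellings.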