Bug 1125333

Summary: Keystone V2 API does not use the policy.json for RBAC
Product: Red Hat OpenStack Reporter: John Trowbridge <jtrowbri>
Component: openstack-keystoneAssignee: Nathan Kinder <nkinder>
Status: CLOSED WONTFIX QA Contact: Udi <ukalifon>
Severity: high Docs Contact:
Priority: high    
Version: 4.0CC: ayoung, dmaley, dsulliva, nkinder, sgordon, sputhenp, yeylon
Target Milestone: z5Keywords: ZStream
Target Release: 4.0   
Hardware: All   
OS: All   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-05 12:52:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description John Trowbridge 2014-07-31 15:15:09 UTC
Description of problem:

The V2 API in keystone does not use the /etc/keystone/policy.json file to determine access to the get_endpoints method.

Version-Release number of selected component (if applicable):
This is true upstream as well.

How reproducible:
Easy to reproduce.

Steps to Reproduce:
On a packstack allinone:
1. modify /etc/keystone/policy.json and add the following rule:

    "member": [["role:_member_"], ["role:Member"]],

2. change the identity:get_endpoints rule to use this:

    "identity:get_endpoints": [["rule:member"]],

3. restart the keystone service
4. try to list the endpoints as a non-admin user

Actual results:

[root@01166114 ~(keystone_demo)]# keystone endpoint-list
You are not authorized to perform the requested action, admin_required. (HTTP 403)

Expected results:

List the endpoints.

Additional info:

Filed upstream bug with proposed patch with help from Adam Young.