Bug 1125333 - Keystone V2 API does not use the policy.json for RBAC
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 4.0
Hardware: All
OS: All
Target Milestone: z5
: 4.0
Assignee: Nathan Kinder
QA Contact: Udi Kalifon
Depends On:
Reported: 2014-07-31 15:15 UTC by John Trowbridge
Modified: 2018-12-06 17:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-09-05 12:52:59 UTC
Target Upstream Version:

System ID Private Priority Status Summary Last Updated
Launchpad 1350879 0 None None None Never
OpenStack gerrit 111088 0 None None None Never

Description John Trowbridge 2014-07-31 15:15:09 UTC
Description of problem:

The V2 API in keystone does not use the /etc/keystone/policy.json file to determine access to the get_endpoints method.

Version-Release number of selected component (if applicable):
This is true upstream as well.

How reproducible:
Easy to reproduce.

Steps to Reproduce:
On a packstack allinone:
1. modify /etc/keystone/policy.json and add the following rule:

    "member": [["role:_member_"], ["role:Member"]],

2. change the identity:get_endpoints rule to use this:

    "identity:get_endpoints": [["rule:member"]],

3. restart the keystone service
4. try to list the endpoints as a non-admin user

Actual results:

    [root@01166114 ~(keystone_demo)]# keystone endpoint-list
    You are not authorized to perform the requested action, admin_required. (HTTP 403)

Expected results:

List the endpoints.

Additional info:

Filed upstream bug with proposed patch with help from Adam Young.
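
The mismatch described in this report, as an added example that is not part of the original bug or Keystone's own code: a minimal evaluator for the list-of-lists rule syntax used in the steps above, comparing a policy-driven check with a fixed admin check. The `admin_required` rule body, the credential dicts and all function names are assumptions made for illustration; the fixed check is only a model of the behaviour the 403 message points to.

```python
import json

# Constructed policy.json fragment: the two rules from the report plus an
# assumed admin_required rule (its name is taken from the 403 message).
POLICY = json.loads("""
{
    "admin_required": [["role:admin"]],
    "member": [["role:_member_"], ["role:Member"]],
    "identity:get_endpoints": [["rule:member"]]
}
""")


def match(rules, check_str, creds, seen):
    """Evaluate one 'kind:value' check against the caller's credentials."""
    kind, _, value = check_str.partition(":")
    if kind == "rule":
        return check(rules, value, creds, seen)
    if kind == "role":
        return value.lower() in (r.lower() for r in creds.get("roles", []))
    return False  # other check kinds are out of scope here: deny


def check(rules, name, creds, seen=()):
    """List-of-lists rule: the outer list is OR, each inner list is AND."""
    if name not in rules or name in seen:
        return False  # unknown rule or rule cycle: deny
    if not rules[name]:
        return True  # an empty rule allows everyone in this format
    return any(
        group and all(match(rules, c, creds, seen + (name,)) for c in group)
        for group in rules[name]
    )


def fixed_admin_authorize(rules, action, creds):
    """Assumed model of the reported behaviour: the action name is ignored
    and only admin_required is evaluated."""
    return check(rules, "admin_required", creds)


def policy_driven_authorize(rules, action, creds):
    """Expected behaviour: evaluate the rule named after the action."""
    return check(rules, action, creds)


DEMO = {"roles": ["_member_"]}   # constructed non-admin credentials
ADMIN = {"roles": ["admin"]}     # constructed admin credentials
```

Under the edited policy, the policy-driven check admits the `_member_` user and rejects a user holding only `admin`, while the fixed check does the opposite regardless of what `identity:get_endpoints` says.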
