Bug 1125333 - Keystone V2 API does not use the policy.json for RBAC
Summary: Keystone V2 API does not use the policy.json for RBAC
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 4.0
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: z5
Target Release: 4.0
Assignee: Nathan Kinder
QA Contact: Udi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-31 15:15 UTC by John Trowbridge
Modified: 2018-12-06 17:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-05 12:52:59 UTC



Links
System ID | Priority | Status | Summary | Last Updated
OpenStack gerrit 111088 | None | None | None | Never
Launchpad 1350879 | None | None | None | Never

Description John Trowbridge 2014-07-31 15:15:09 UTC
Description of problem:

The V2 API in keystone does not use the /etc/keystone/policy.json file to determine access to the get_endpoints method.

Version-Release number of selected component (if applicable):
This is true upstream as well.

How reproducible:
Easy to reproduce.

Steps to Reproduce:
On a packstack allinone:
1. modify /etc/keystone/policy.json and add the following rule:

    "member": [["role:_member_"], ["role:Member"]],

2. change the identity:get_endpoints rule to use this:

    "identity:get_endpoints": [["rule:member"]],

3. restart the keystone service
4. try to list the endpoints as a non-admin user

Actual results:

[root@01166114 ~(keystone_demo)]# keystone endpoint-list
You are not authorized to perform the requested action, admin_required. (HTTP 403)


Expected results:

List the endpoints.


Additional info:

Filed upstream bug with proposed patch with help from Adam Young.
https://bugs.launchpad.net/keystone/+bug/1350879
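
The mismatch reported above, as an added example that is not part of the bug report and is not Keystone's own code: a small evaluator for the list-of-lists policy syntax, compared with a check that ignores the action's rule. The `admin_required` rule body, the function names and the sample credentials are assumptions; the admin-only path models what the `admin_required` text in the 403 suggests.

```python
import json

# Constructed policy excerpt in the report's list-of-lists syntax:
# outer list = OR, inner list = AND. The admin_required line is an assumption.
POLICY_JSON = """{
    "admin_required": [["role:admin"]],
    "member": [["role:_member_"], ["role:Member"]],
    "identity:get_endpoints": [["rule:member"]]
}"""

def check(policy, rule_name, creds, seen=()):
    """Evaluate a named rule; missing rules and reference cycles deny."""
    if rule_name not in policy or rule_name in seen:
        return False
    alternatives = policy[rule_name]
    if not alternatives:          # an empty rule list means "always allow"
        return True
    seen = seen + (rule_name,)
    return any(all(match(policy, term, creds, seen) for term in and_list)
               for and_list in alternatives)

def match(policy, term, creds, seen):
    """Match one 'kind:value' term: rule reference, role, or plain attribute."""
    kind, _, value = term.partition(":")
    if kind == "rule":
        return check(policy, value, creds, seen)
    if kind == "role":
        return value.lower() in {r.lower() for r in creds.get("roles", [])}
    return str(creds.get(kind)) == value

def enforce_by_action(policy, action, creds):
    """What the reporter expected: evaluate the rule named after the action."""
    return check(policy, action, creds)

def enforce_admin_only(policy, action, creds):
    """Consistent with the 403 above: the action's rule is never consulted."""
    return check(policy, "admin_required", creds)

def ignored_rules(policy, actions, creds):
    """Actions where the edited rule and the enforced decision disagree."""
    return [a for a in actions if enforce_by_action(policy, a, creds)
            != enforce_admin_only(policy, a, creds)]

if __name__ == "__main__":
    policy = json.loads(POLICY_JSON)
    demo = {"roles": ["_member_"]}      # constructed non-admin user
    print(enforce_by_action(policy, "identity:get_endpoints", demo))
    print(enforce_admin_only(policy, "identity:get_endpoints", demo))
```

Running `ignored_rules` over the actions in an edited policy file, with the credentials of the role being delegated to, gives a quick list of rules whose edits would have no effect under the admin-only behaviour.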

