This appears to be an issue in cinder where they expect the context_is_admin to be a role. In our case, we changed this to user_id and it no longer works.

Here's the flow. When a request comes in, cinder sets up your request context here:

    /cinder/context.py:73

In terms of roles (as a concept), cinder basically breaks you down into an admin role, or not an admin role. check_is_admin tries to figure out whether you're an admin or not... by checking the list of roles on your user. Nothing else. It doesn't pass your entire token along or anything. See:

    /cinder/policy.py:84

So the problem is that we changed our policy to try to verify the cloud_admin by his user_id. But the user_id isn't something that's passed in to the check_is_admin method. Only your roles.

On the surface, it appears cinder handles the same situation differently than nova:

cinder/context.py

    ...
    if self.is_admin is None:
        self.is_admin = policy.check_is_admin(self.roles)
    elif self.is_admin and 'admin' not in self.roles:
        self.roles.append('admin')
    ...

cinder/policy.py

    ...
    def check_is_admin(roles):
        """Whether or not roles contains 'admin' role according to policy setting.

        """
        init()

        # include project_id on target to avoid KeyError if context_is_admin
        # policy definition is missing, and default admin_or_owner rule
        # attempts to apply. Since our credentials dict does not include a
        # project_id, this target can never match as a generic rule.
        target = {'project_id': ''}
        credentials = {'roles': roles}

        return _ENFORCER.enforce('context_is_admin', target, credentials)

nova/context.py

    ...
    if self.is_admin is None:
        self.is_admin = policy.check_is_admin(self)
    ...

nova/policy.py

    ...
    def check_is_admin(context):
        """Whether or not roles contains 'admin' role according to policy setting.

        """
        init()

        # the target is user-self
        credentials = context.to_dict()
        target = credentials

        return _ENFORCER.enforce('context_is_admin', target, credentials)
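An added example (not cinder's or nova's code) that re-creates the mismatch described in the comment above: a context_is_admin rule keyed on user_id, checked first with cinder-style credentials (roles only) and then with nova-style credentials (the whole context). It mimics only the key:value comparison oslo.policy performs for such a rule; the user id and request context are constructed placeholders.

```python
"""Why a context_is_admin policy keyed on user_id passes through nova's
check_is_admin but never through cinder's.

Only the relevant piece of oslo.policy is re-implemented: a 'key:value' rule
compares credentials[key] with value, and a missing key is a failed check.
oslo.policy itself is not imported, so this runs stand-alone.
"""

# Constructed placeholder for the cloud_admin user id (not a real id).
CLOUD_ADMIN_USER_ID = "cloud-admin-uuid-placeholder"

# The policy as the reporter changed it: admin-ness keyed on user_id, not a role.
POLICY = {"context_is_admin": ("user_id", CLOUD_ADMIN_USER_ID)}


def generic_check(rule_name, target, credentials):
    """Minimal 'kind:match' rule: substitute target fields into match, then
    compare it with credentials[kind]; absent key means the check fails."""
    kind, match = POLICY[rule_name]
    match = match % target  # no %-fields here, so this is a no-op
    if kind not in credentials:
        return False
    return match == str(credentials[kind])


def cinder_check_is_admin(roles):
    """Cinder-style: only the role list reaches the policy engine, so a
    user_id-based rule has nothing to match against."""
    target = {"project_id": ""}
    credentials = {"roles": roles}
    return generic_check("context_is_admin", target, credentials)


def nova_check_is_admin(context):
    """Nova-style: the whole request context (user_id included) is passed as
    both target and credentials, so the user_id rule can match."""
    credentials = dict(context)
    return generic_check("context_is_admin", credentials, credentials)


# Constructed request context for the cloud_admin user (no admin role at all).
CLOUD_ADMIN_CONTEXT = {
    "user_id": CLOUD_ADMIN_USER_ID,
    "project_id": "project-placeholder",
    "roles": ["member"],
}

if __name__ == "__main__":
    print("cinder:", cinder_check_is_admin(CLOUD_ADMIN_CONTEXT["roles"]))  # False
    print("nova:  ", nova_check_is_admin(CLOUD_ADMIN_CONTEXT))             # True
```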
The customer believes this is related to this bz: https://bugzilla.redhat.com/show_bug.cgi?id=1254770
Just spoke with Jack, he's going to reproduce this setup and we'll use that to test a solution.
(In reply to Jon Bernard from comment #4)
> Just spoke with Jack, he's going to reproduce this setup and we'll use that
> to test a solution.

Jon, any update on this one?

Sean
I haven't heard anything yet, but I know folks have been very busy lately.
I am closing that BZ because the customer closed the case.