Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

BTW, I noticed that I forgot to modify policy.json. It resolved issue 6, but considering I can't get openstack client workable and use curl for now, domain_id is not passed to a policy rule checker, so when I invoke curl -si -X POST -H "Content-Type: application/json" -d '{"auth": {"scope": {"project": {"domain": {"name": "dom1"}, "name": "dom1project"}}, "identity": {"password": {"user": {"domain": {"name": "dom1"}, "password": "qwerty", "name": "dom1user"}}, "methods": ["password"]}}}' http://127.0.0.1:5000/v3/auth/tokens | awk '/X-Subject-Token/ {print $2}' and then curl -X GET -H "X-Auth-Token:1855a8f034d54c74ac49a63640b40506" http://10.0.2.15:5000/v3/users/b4f24ca4a35642a6a375ab1a02dda0c5

Domain is not part of credentials. Print message from the rules: Credentials: {'project_id': u'd9ec684e2f37472cb84638b76b907e90', 'user_id': u'b4f24ca4a35642a6a375ab1a02dda0c5', 'roles': [u'admin']} Rule identity:get_user () Target: {'target.user.enabled': True, 'target.user.domain_id': u'8efa82050cf64c6580cb7d4bee7e3f4f', 'user_id': u'b4f24ca4a35642a6a375ab1a02dda0c5', 'target.user.name': u'dom1user', 'target.user.id': u'b4f24ca4a35642a6a375ab1a02dda0c5'} Rule is "identity:get_user": [["rule:admin_required", "domain_id:%(target.user.domain_id)s"]],