Hello, I've a stand-alone liberty version of Keystone installed on ubuntu 14.04. I've been trying to understand how endpoint policy extension is designed to work.

Here is what I did...

• Running keystone using $keystone-all
• There is already a default policy.json file at /etc/keystone location

• Created a new policy (this command created an entry in mysql db's table 'policy')

  $openstack policy create ~/policyrules/mypolicy.json

here is the content for mypolicy.json

{
   "identity:check_policy_association_for_endpoint": ""
}

• Associated above policy with an endpoint using 'CURL' and OS-ENDPOINT-POLICY extension. This created an entry in mysql's policy_association table with policy_id and endpoint_id mapped

  curl -s -X PUT -H "X-Auth-Token:c57bf6b97f1041c68954d59ec80b4fe3" http://localhost:35357/v3/policies/66cdadcc1cda4b768668b1013227e8a3/OS-ENDPOINT-POLICY/endpoints/2fbb8d23ccf74a1e86e491fd6151bcc5 (http://localhost:35357/v3/policies/66...)

• As per the policy in above step below curl command should list policies for "any user"

• So, when I fired below curl command with non-admin user

  curl -s -H "Content-Type: application/json" -H "X-Auth-Token: c57bf6b97f1041c68954d59ec80b4fe3" http://localhost:35357/v3/endpoints/2fbb8d23ccf74a1e86e491fd6151bcc5/OS-ENDPOINT-POLICY/policy (http://localhost:35357/v3/endpoints/2...)

I keep getting error code 403 Forbidden.

'am I missing something? My guess is that Keystone is not verifying the blob part of 'policy' table! I am stuck with this...