OpenStack Keystone identity endpoint policy extension
Hello, I have a stand-alone Liberty version of Keystone installed on Ubuntu 14.04. I've been trying to understand how the endpoint policy extension is designed to work.
Here is what I did...
- Running Keystone using $ keystone-all
- There is already a default policy.json file at the /etc/keystone location
- Created a new policy (this command created an entry in the MySQL table 'policy'):
$ openstack policy create ~/policyrules/mypolicy.json
Here is the content of mypolicy.json:
{
"identity:check_policy_association_for_endpoint": ""
}
- Associated the above policy with an endpoint using curl and the OS-ENDPOINT-POLICY extension. This created an entry in MySQL's policy_association table with policy_id and endpoint_id mapped:
curl -s -X PUT -H "X-Auth-Token: c57bf6b97f1041c68954d59ec80b4fe3" http://localhost:35357/v3/policies/66cdadcc1cda4b768668b1013227e8a3/OS-ENDPOINT-POLICY/endpoints/2fbb8d23ccf74a1e86e491fd6151bcc5
As per the policy in the above step, the curl command below should list policies for "any user".
So, when I fired the curl command below as a non-admin user:
curl -s -H "Content-Type: application/json" -H "X-Auth-Token: c57bf6b97f1041c68954d59ec80b4fe3" http://localhost:35357/v3/endpoints/2fbb8d23ccf74a1e86e491fd6151bcc5/OS-ENDPOINT-POLICY/policy
I keep getting error code 403 Forbidden.
Am I missing something? My guess is that Keystone is not verifying the blob part of the 'policy' table! I am stuck with this...
My understanding is that Keystone first checks for a policy associated with the endpoint, picks up the blob from the policy table and then overrides the default /etc/keystone/policy.json file's rule before taking the Access/Deny decision...
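Added example, not from the original post and not Keystone's own code: a shell script that runs the same sequence with curl (a HEAD to confirm the association exists, then the GET that returned 403) and, before that, reads the rule for each call's policy target out of the policy file. It assumes the stock Liberty target names (identity:check_policy_association_for_endpoint behind the PUT/HEAD association routes, identity:get_policy_for_endpoint behind GET .../OS-ENDPOINT-POLICY/policy) and that Keystone's enforcer takes its rules from /etc/keystone/policy.json rather than from the blob stored through the policy API. KEYSTONE, POLICY_FILE, OS_TOKEN, POLICY_ID and ENDPOINT_ID are hypothetical environment variables, and the two policy.json fragments it writes are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post, not Keystone's own code).
# Assumed stock Liberty policy targets (from /etc/keystone/policy.json):
#   PUT/HEAD/DELETE /policies/{pid}/OS-ENDPOINT-POLICY/endpoints/{eid}
#       -> identity:{create,check,delete}_policy_association_for_endpoint
#   GET /endpoints/{eid}/OS-ENDPOINT-POLICY/policy
#       -> identity:get_policy_for_endpoint
# Keystone's enforcer reads these rules from the policy file; the blob given to
# "openstack policy create" is stored and served back, not loaded as rules.
set -u

KEYSTONE="${KEYSTONE:-http://localhost:35357/v3}"          # hypothetical
POLICY_FILE="${POLICY_FILE:-/etc/keystone/policy.json}"    # hypothetical

TARGET_ASSOC="identity:check_policy_association_for_endpoint"
TARGET_GET="identity:get_policy_for_endpoint"

# policy_rule FILE TARGET: print the rule string for TARGET from a policy.json.
policy_rule() {
    grep -o "\"$2\": *\"[^\"]*\"" "$1" | sed 's/.*": *"\(.*\)"$/\1/'
}

# rule_is_open RULE: true when the rule admits every caller ("" or "@").
rule_is_open() {
    [ -z "$1" ] || [ "$1" = "@" ]
}

# effective_rule FILE TARGET: "open" or "restricted" for a non-admin caller.
effective_rule() {
    rule="$(policy_rule "$1" "$2")"
    if rule_is_open "$rule"; then echo "open"; else echo "restricted"; fi
}

# check_association TOKEN POLICY_ID ENDPOINT_ID: HTTP status of the HEAD
# check on the association (204 when it exists).
check_association() {
    curl -s -o /dev/null -w '%{http_code}' -I -H "X-Auth-Token: $1" \
        "$KEYSTONE/policies/$2/OS-ENDPOINT-POLICY/endpoints/$3"
}

# get_policy_for_endpoint TOKEN ENDPOINT_ID: HTTP status of the GET from the
# question (403 unless the token satisfies $TARGET_GET).
get_policy_for_endpoint() {
    curl -s -o /dev/null -w '%{http_code}' -H "X-Auth-Token: $1" \
        "$KEYSTONE/endpoints/$2/OS-ENDPOINT-POLICY/policy"
}

# Constructed sample: a fragment of a stock policy.json, so the rule report
# can be run offline.
SAMPLE_POLICY="${TMPDIR:-/tmp}/sample_policy.$$.json"
cat > "$SAMPLE_POLICY" <<'EOF'
{
    "admin_required": "role:admin or is_admin:1",
    "identity:check_policy_association_for_endpoint": "rule:admin_required",
    "identity:get_policy_for_endpoint": "rule:admin_required"
}
EOF

# The same fragment with the rule the poster relaxed set to "", to show that
# it does not touch the target behind the GET.
RELAXED_POLICY="${TMPDIR:-/tmp}/relaxed_policy.$$.json"
sed "s/\"$TARGET_ASSOC\": *\"[^\"]*\"/\"$TARGET_ASSOC\": \"\"/" \
    "$SAMPLE_POLICY" > "$RELAXED_POLICY"

# report FILE: one line per target with its effective result and raw rule.
report() {
    for t in "$TARGET_ASSOC" "$TARGET_GET"; do
        printf '%s  %s  [%s]\n' "$(effective_rule "$1" "$t")" "$t" \
            "$(policy_rule "$1" "$t")"
    done
}

echo "== rules in $POLICY_FILE (constructed sample if unreadable) =="
if [ -r "$POLICY_FILE" ]; then report "$POLICY_FILE"; else report "$SAMPLE_POLICY"; fi
echo "== constructed sample with $TARGET_ASSOC set to \"\" =="
report "$RELAXED_POLICY"

# Live calls only when a token and the two ids are exported.
if [ -n "${OS_TOKEN:-}" ] && [ -n "${POLICY_ID:-}" ] && [ -n "${ENDPOINT_ID:-}" ]; then
    echo "HEAD association check: $(check_association "$OS_TOKEN" "$POLICY_ID" "$ENDPOINT_ID")"
    echo "GET policy for endpoint: $(get_policy_for_endpoint "$OS_TOKEN" "$ENDPOINT_ID")"
fi
```

Run it with OS_TOKEN, POLICY_ID and ENDPOINT_ID exported to add the two live calls; without them it only prints the rule report. The report makes the point that matters for the 403 visible: the rule that was set to "" is the one behind the PUT/HEAD association routes, while the GET is governed by identity:get_policy_for_endpoint, which stays rule:admin_required unless the policy file itself is changed.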