OpenStack Keystone identity endpoint policy extension

asked 2016-03-08 18:05:27 -0600

anonymous user


Hello, I have a stand-alone Liberty version of Keystone installed on Ubuntu 14.04. I've been trying to understand how the endpoint policy extension is designed to work.

Here is what I did...

  • Running Keystone using $ keystone-all
  • There is already a default policy.json file at the /etc/keystone location
  • Created a new policy (this command created an entry in the MySQL db's 'policy' table)

    $ openstack policy create ~/policyrules/mypolicy.json

Here is the content of mypolicy.json:

    {
      "identity:check_policy_association_for_endpoint": ""
    }

  • Associated the above policy with an endpoint using curl and the OS-ENDPOINT-POLICY extension. This created an entry in MySQL's policy_association table mapping policy_id to endpoint_id

    curl -s -X PUT -H "X-Auth-Token:c57bf6b97f1041c68954d59ec80b4fe3" http://localhost:35357/v3/policies/66cdadcc1cda4b768668b1013227e8a3/OS-ENDPOINT-POLICY/endpoints/2fbb8d23ccf74a1e86e491fd6151bcc5

  • As per the policy in the above step, the below curl command should list policies for "any user"

  • So, when I fired the below curl command with a non-admin user

    curl -s -H "Content-Type: application/json" -H "X-Auth-Token: c57bf6b97f1041c68954d59ec80b4fe3" http://localhost:35357/v3/endpoints/2fbb8d23ccf74a1e86e491fd6151bcc5/OS-ENDPOINT-POLICY/policy

I keep getting error code 403 Forbidden.

Am I missing something? My guess is that Keystone is not verifying the blob part of the 'policy' table! I am stuck with this...
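To reason about what a non-admin caller should get once an endpoint-associated blob overrides the default rules, here is an added example (not part of the original post or of Keystone) that evaluates a small subset of oslo.policy rule syntax. The default rules below are a constructed sample in the shape of Keystone's policy.json, and the supported syntax is assumed to be: "" or "@" (always allow), "!" (always deny), "rule:<name>", "role:<name>", "<key>:<value>" against the credentials, and "and"/"or" without parentheses.

```python
import json

# Constructed sample in the shape of Keystone's default policy.json (assumption).
DEFAULT_RULES = {
    "admin_required": "role:admin or is_admin:1",
    "identity:check_policy_association_for_endpoint": "rule:admin_required",
    "identity:get_policy_for_endpoint": "rule:admin_required",
}

# The blob from the question's mypolicy.json: an empty rule allows any caller.
MYPOLICY_BLOB = '{"identity:check_policy_association_for_endpoint": ""}'


def _atom(atom, rules, creds):
    """Evaluate one atomic check such as 'role:admin' or 'rule:admin_required'."""
    if atom in ("", "@"):
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":
        # Unknown rule names deny, matching a deny-by-default posture.
        return evaluate(rules.get(value, "!"), rules, creds)
    if kind == "role":
        return value in creds.get("roles", [])
    return str(creds.get(kind)) == value  # generic key:value check


def evaluate(expr, rules, creds):
    """Evaluate a rule expression; 'and' binds tighter than 'or'."""
    for disjunct in expr.strip().split(" or "):
        if all(_atom(a.strip(), rules, creds) for a in disjunct.split(" and ")):
            return True
    return False


def effective_rules(defaults, blob_json):
    """Overlay an endpoint-associated policy blob on the default rules."""
    merged = dict(defaults)
    merged.update(json.loads(blob_json))
    return merged


def is_allowed(action, creds, defaults=DEFAULT_RULES, blob_json=MYPOLICY_BLOB):
    """True if the caller's credentials satisfy the effective rule for action."""
    rules = effective_rules(defaults, blob_json)
    return evaluate(rules.get(action, "!"), rules, creds)
```

Running it shows that the overridden action opens up to any caller while the sibling action still requires admin, which is the distinction to check when a 403 is unexpected.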



My understanding is that Keystone first checks for the policy associated with the endpoint, picks up the blob from the policy table and then overrides the default /etc/keystone/policy.json file's rule before taking the Access/Deny decision...

Karun ( 2016-03-08 19:17:15 -0600 )