
openstack team mailing list archive

Re: [Keystone] Policy settings not working correctly

 

I think keystone client is still V2 by default, which is enforcing
admin_required.

Try this

"admin_required": [["role:KeystoneAdmin"], ["role:admin"], ["is_admin:1"]],

Guang

From: Openstack
[mailto:openstack-bounces+guang.yee=hp.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of
Adam Young
Sent: Thursday, June 06, 2013 7:28 PM
To: Heiko Krämer; openstack
Subject: Re: [Openstack] [Keystone] Policy settings not working correctly

What is the actual question here?  Is it "why is this failing" or "why was
it done that way?"


On 06/04/2013 07:47 AM, Heiko Krämer wrote:

Heyho guys :)

I have a little problem with policy settings in keystone. I've created a new
rule in my policy file and restarted keystone, but I don't have
privileges.


What is the rule?




Example:


keystone user-create --name kadmin --pw lala 
keystone user-role-add --

keystone role-list --user kadmin --role KeystoneAdmin --tenant admin

+----------------------------------+----------------------+
|                id                |         name         |
+----------------------------------+----------------------+
| 3f5c0af585db46aeaec49da28900de28 |    KeystoneAdmin     |
| dccfed0bd790420bbf1982686cbf7e31 | KeystoneServiceAdmin |
+----------------------------------+----------------------+


cat /etc/keystone/policy.json

{
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner" : [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],

    "default": [["rule:admin_required"]],
[.....]
    "identity:list_users": [["rule:admin_or_kadmin"]],
[....]

<loading kadmin creds>

keystone user-list
Unable to communicate with identity service: {"error": {"message": "You are
not authorized to perform the requested action: admin_required", "code":
403, "title": "Not Authorized"}}. (HTTP 403)


In the log file I see:
DEBUG [keystone.policy.backends.rules] enforce admin_required: {'tenant_id':
u'b33bf3927d4e449a98cec4a883148110', 'user_id':
u'46a6a9e429db483f8346f0259e99d6a5', u'roles': [u'KeystoneAdmin']}




Why does keystone enforce the admin_required rule instead of the defined rule
(admin_or_kadmin)?


Historical reasons.  We are trying to clean this up.

Keystone conf:
[...]

# Path to your policy definition containing identity actions
policy_file = policy.json
[..]
[policy]
driver = keystone.policy.backends.rules.Policy




Anyone have an idea?

Thx and greetings
Heiko






_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
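An added example, not part of this thread and not keystone's own code: a small Python evaluator for the list-of-lists policy.json format shown above (outer list = OR of clauses, inner list = AND of checks, "rule:x" recurses, "role:x" matches the caller's roles, any other "key:value" interpolates %(name)s from the request target and compares it with the caller's credential of that name). Case-insensitive role matching, the recursion limit of 10 and the "default" fallback are choices made here; the credentials are constructed from the DEBUG line in Heiko's log. It shows that identity:list_users passes for kadmin under Heiko's file while admin_required, the rule the log says was actually enforced, fails with the 403, and that with the admin_required rewrite suggested in the reply the same caller passes. It models only the rule file, not which rule a given keystone code path decides to enforce, which is the "historical reasons" problem Adam points to.

```python
"""Offline evaluator for the Grizzly-era keystone policy.json syntax
(added example; assumptions noted in comments)."""

# Heiko's rules, as posted in the thread.
POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
    "default": [["rule:admin_required"]],
    "identity:list_users": [["rule:admin_or_kadmin"]],
}

# Guang's proposed admin_required, applied to a copy of the same file.
POLICY_KADMIN_IS_ADMIN = dict(POLICY)
POLICY_KADMIN_IS_ADMIN["admin_required"] = [
    ["role:KeystoneAdmin"], ["role:admin"], ["is_admin:1"]]

# Credentials exactly as the DEBUG enforce line reports them (constructed
# from the thread: no is_admin key, a single role).
KADMIN_CREDS = {
    "tenant_id": "b33bf3927d4e449a98cec4a883148110",
    "user_id": "46a6a9e429db483f8346f0259e99d6a5",
    "roles": ["KeystoneAdmin"],
}

MAX_DEPTH = 10  # assumption: guard against rule:a -> rule:b -> rule:a loops


def _check(check, target, creds, policy, depth):
    """Evaluate one "kind:match" check string against the request."""
    kind, sep, match = check.partition(":")
    if not sep:
        raise ValueError("malformed check: %r" % check)
    if kind == "rule":
        return enforce(match, target, creds, policy, depth + 1)
    if kind == "role":
        # Assumption: role names compare case-insensitively.
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: fill %(name)s from the target, then the result must
    # equal the caller's credential of the same name (e.g. user_id).
    try:
        expected = match % target
    except KeyError:
        return False  # target lacks the attribute the rule needs
    if kind not in creds:
        return False  # e.g. "is_admin:1" when the token carries no is_admin
    return str(creds[kind]) == expected


def enforce(rule, target, creds, policy=POLICY, depth=0):
    """True if `creds` may perform `rule` on `target` under `policy`.

    An unknown rule falls back to "default"; an empty rule body allows.
    """
    if depth > MAX_DEPTH:
        raise RecursionError("policy rule recursion too deep at %r" % rule)
    clauses = policy.get(rule)
    if clauses is None:
        if rule == "default":
            return False  # no rule and no default: deny
        return enforce("default", target, creds, policy, depth + 1)
    if not clauses:
        return True  # "name": [] means always allowed in this format
    return any(all(_check(c, target, creds, policy, depth) for c in clause)
               for clause in clauses)


def explain(rule, target, creds, policy=POLICY):
    """One-line verdict for a rule, useful when reading a 403 message."""
    return "%s: %s" % (rule, "allowed" if enforce(rule, target, creds, policy)
                       else "denied")


if __name__ == "__main__":
    # The rule Heiko intended to hit: passes on role:KeystoneAdmin.
    print(explain("identity:list_users", {}, KADMIN_CREDS))
    # The rule the log shows being enforced: fails, hence the 403.
    print(explain("admin_required", {}, KADMIN_CREDS))
    # Same caller under the rewritten admin_required from the reply.
    print(explain("admin_required", {}, KADMIN_CREDS, POLICY_KADMIN_IS_ADMIN))
    # The owner branch needs the target's user_id to match the caller's.
    print(explain("admin_or_owner", {"user_id": KADMIN_CREDS["user_id"]},
                  KADMIN_CREDS))
```

To check an edited file before restarting keystone, json.load it into `policy` and pass the user_id and roles from a DEBUG enforce line as `creds`. Note what the rewritten admin_required does beyond user listing: because "default" and "admin_or_owner" both reference rule:admin_required, adding role:KeystoneAdmin there grants that role everything admin_required guards, not only identity:list_users.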

 
