openstack team mailing list archive

Re: [Keystone] Policy settings not working correctly

 

Heiko --

Guang's response provides the hint that could get you where you want to go
-- try using the V3 Identity API rather than the V2 admin API. The V2 admin
API essentially ignores policy and only allows the admin role. Here are the docs on
the V3 API:
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md.
The openstack client may provide a CLI for the commands you want to
run.

-- Brant



On Fri, Jun 7, 2013 at 3:07 AM, Heiko Krämer <info@xxxxxxxxxxxxxxx> wrote:

>  Hi Guang,
>
> thx for your hint, but that's not the reason, because in your example all
> users with the KeystoneAdmin role have the same rights as the admin and
> that's useless.
>
> @Adam so I've no chance to get the policy management working? I can't say
> the KeystoneAdmin role is only allowed to create and delete users and
> nothing more?
> I saw, instead of the file, a MySQL-based policy management, but there are no
> CLI commands available, right?
>
>
> Thx and Greetings
> Heiko
>
>
> On 07.06.2013 07:59, Yee, Guang wrote:
>
>  I think keystone client is still V2 by default, which is enforcing
> admin_required.
>
> Try this
>
> "admin_required": [["role:KeystoneAdmin"], ["role:admin"], ["is_admin:1"]],
>
> Guang
>
>
> *From:* Openstack [mailto:openstack-bounces+guang.yee=hp.com@xxxxxxxxxxxxxxxxxxx]
> *On Behalf Of *Adam Young
> *Sent:* Thursday, June 06, 2013 7:28 PM
> *To:* Heiko Krämer; openstack
> *Subject:* Re: [Openstack] [Keystone] Policy settings not working correctly
>
>
> What is the actual question here?  Is it "why is this failing" or "why
> was it done that way?"
>
>
> On 06/04/2013 07:47 AM, Heiko Krämer wrote:
>
> Heyho guys :)
>
> I've a little problem with policy settings in keystone. I've created a new
> rule in my policy file and restarted keystone, but I don't have
> privileges.
>
>
> What is the rule?
>
>
>
> Example:
>
>
> keystone user-create --name kadmin --pw lala
> keystone user-role-add --
>
> keystone role-list --user kadmin --role KeystoneAdmin --tenant admin
>
> +----------------------------------+----------------------+
> |                id                |         name         |
> +----------------------------------+----------------------+
> | 3f5c0af585db46aeaec49da28900de28 |    KeystoneAdmin     |
> | dccfed0bd790420bbf1982686cbf7e31 | KeystoneServiceAdmin |
>
>
> cat /etc/keystone/policy.json
>
> {
>     "admin_required": [["role:admin"], ["is_admin:1"]],
>     "owner" : [["user_id:%(user_id)s"]],
>     "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
>     "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
>
>     "default": [["rule:admin_required"]],
> [.....]
>     "identity:list_users": [["rule:admin_or_kadmin"]],
> [....]
>
> <loading kadmin creds>
>
> keystone user-list
> Unable to communicate with identity service: {"error": {"message": "You
> are not authorized to perform the requested action: admin_required",
> "code": 403, "title": "Not Authorized"}}. (HTTP 403)
>
>
> In the log file I see:
> DEBUG [keystone.policy.backends.rules] enforce admin_required:
> {'tenant_id': u'b33bf3927d4e449a98cec4a883148110', 'user_id':
> u'46a6a9e429db483f8346f0259e99d6a5', u'roles': [u'KeystoneAdmin']}
>
>
>
>
> Why does keystone enforce the *admin_required* rule instead of the defined
> rule (*admin_or_kadmin*)?
>
>
> Historical reasons.  We are trying to clean this up.
>
>
>
>
>
>
> Keystone conf:
> [...]
>
> # Path to your policy definition containing identity actions
> policy_file = policy.json
> [..]
> [policy]
> driver = keystone.policy.backends.rules.Policy
>
>
>
>
> Anyone have an idea?
>
> Thx and greetings
> Heiko
>
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
>
>
>
>
>
>

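The three outcomes argued over in the thread (Heiko's 403 on the V2 admin API, the V3 API honouring his `admin_or_kadmin` rule, and Guang's workaround handing KeystoneAdmin full admin rights) can be reproduced offline with a small evaluator for the legacy list-of-lists policy.json language. This is an added example, not code from the thread or from Keystone; it models the V2 admin API as gating every call on `admin_required` and the V3 API as enforcing each action's own `identity:*` rule, exactly as Guang and Brant describe, and the rule bodies, credentials and the `identity:delete_user` action used to show the fall-through to `default` are constructed from what Heiko posted.

```python
"""
Added example (not Keystone's code): evaluator for the legacy Keystone
policy.json rule language (outer list = OR, inner list = AND), used to
reproduce the behaviour discussed in the thread.

Check strings handled:
  "role:X"              X is in the caller's roles
  "rule:Y"              evaluate rule Y recursively
  "is_admin:1"          generic check: creds["is_admin"] == "1"
  "user_id:%(user_id)s" generic check with the request target interpolated
  "@" / "!"             always true / always false
"""
import json

# Policy as posted by Heiko; the "[....]" elisions in the mail are dropped and
# only the rules needed here are kept (constructed, not the full file).
HEIKO_POLICY = json.loads("""
{
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
    "default": [["rule:admin_required"]],
    "identity:list_users": [["rule:admin_or_kadmin"]]
}
""")

# Guang's suggestion: let KeystoneAdmin satisfy admin_required itself.
GUANG_POLICY = dict(HEIKO_POLICY)
GUANG_POLICY["admin_required"] = [["role:KeystoneAdmin"], ["role:admin"], ["is_admin:1"]]

# Credentials reconstructed from Heiko's DEBUG log line.
KADMIN_CREDS = {
    "tenant_id": "b33bf3927d4e449a98cec4a883148110",
    "user_id": "46a6a9e429db483f8346f0259e99d6a5",
    "roles": ["KeystoneAdmin"],
}


def check(expr, target, creds, rules):
    """Evaluate one check string against the request target and credentials."""
    if expr == "@":
        return True
    if expr == "!":
        return False
    kind, _, match = expr.partition(":")
    if kind == "rule":
        return enforce(match, target, creds, rules)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: credential `kind` must equal `match` after "%(key)s"
    # placeholders are filled from the target (e.g. the user being fetched).
    try:
        expected = match % target
    except KeyError:
        return False  # placeholder names a target field that is absent
    return str(creds.get(kind)) == expected


def enforce(rule, target, creds, rules):
    """True if `rule` is satisfied; an undefined rule falls back to "default"."""
    body = rules.get(rule)
    if body is None:
        body = rules.get("default")
    if body is None:
        return False
    return any(all(check(e, target, creds, rules) for e in conj) for conj in body)


def v2_admin_api(rules, creds):
    """V2 admin API (as described in the thread): every call needs admin_required."""
    return enforce("admin_required", {}, creds, rules)


def v3_api(rules, action, creds, target=None):
    """V3 API: the action's own "identity:..." rule is enforced."""
    return enforce(action, target or {}, creds, rules)


if __name__ == "__main__":
    for name, pol in (("Heiko", HEIKO_POLICY), ("Guang", GUANG_POLICY)):
        print(name, "V2 user-list:", v2_admin_api(pol, KADMIN_CREDS))
        print(name, "V3 identity:list_users:", v3_api(pol, "identity:list_users", KADMIN_CREDS))
        print(name, "V3 identity:delete_user:", v3_api(pol, "identity:delete_user", KADMIN_CREDS))
```

With Heiko's policy, `v2_admin_api` denies kadmin (the 403 in the mail) while `v3_api` allows `identity:list_users` and still denies `identity:delete_user`, which falls through to `default` and therefore `admin_required`; that is the least-privilege result he was after. With Guang's policy the V2 call succeeds, but `identity:delete_user` now succeeds too, because widening `admin_required` widens every rule that references it, which is the objection Heiko raised.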