[openstack-dev] [Keystone]: Help needed with RBAC policies

Nasim, Kam Kam.Nasim at windriver.com
Tue Jul 19 18:56:11 UTC 2016


Hi folks,

I have been trying to modify the default RBAC policies in keystone/policy.json however my policy changes don't seem to be enforced.

As a quick test, I modified the identity:list_users policy to:

"identity:list_users": "role:kam",

There is no role called "kam" defined in my deployment so I would have expected this operation to fail.

However:

$ openstack --debug user list

+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| 3c1bd8c0f6324dcc938900d8eb801aa5 | admin      |
| 4b76763e375946998445b65b11c8db73 | ceilometer |
| 15c8e1e463cc4370ad369eaf8504b727 | cinder     |
| 951068b3372f47ac827ade8f67cc19b4 | glance     |
| 2b62ced877244e74ba90b546225740d0 | heat       |
| 438a24497bc8448d9ac63bf05a005796 | kam        |
| 0b7af941da9b4896959f9258c6b498a0 | kam2       |
| d1c4f7a244f74892b612b9b2ded6d602 | neutron    |
| 5c3ea23eb8e14070bc562951bb266073 | sysinv     |
+----------------------------------+------------+

$ cat myrc
unset OS_SERVICE_TOKEN
export OS_AUTH_URL=http://192.168.204.2:5000/v2.0
export OS_ENDPOINT_TYPE=publicURL
export CINDER_ENDPOINT_TYPE=publicURL

export OS_USERNAME=admin
export OS_PASSWORD=admin
export PS1='[\u@\h \W(keystone_admin)]\$ '

export OS_TENANT_NAME=admin
export OS_REGION_NAME=RegionOne


After getting the auth token, the client uses the adminURL endpoint to get the user list:
curl -g -i -X GET http://192.168.204.2:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}75002edfff1eb6751b3425d9d247ac3212e750f9"


Is there something I am missing here? Some specific configuration to enable RBAC? Do admin URL ops bypass RBAC?


Thanks,
Kam
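As an added example, not part of the post and not keystone's or oslo.policy's own code, the following is a small offline evaluator for the policy.json rule syntax (the `role:`, `rule:`, generic `key:value` checks, `and`/`or`/`not`, parentheses, `@` and `!`), a hypothetical re-implementation of the subset keystone used in 2016. It lets you check what a rule would return for the credentials keystone builds from a token, without a running deployment. The policy document, the credential dictionaries and the `identity:get_user` rule are constructed for the example; the `user_id` is the admin ID from the user list above.

```python
"""Offline evaluator for policy.json rules (hypothetical, simplified
re-implementation of the oslo.policy rule language; not the real library)."""
import json

# Constructed sample policy: keystone's default admin_required rule, the
# modified identity:list_users rule from the post, and a made-up rule that
# uses a target substitution so the generic-check path is exercised too.
SAMPLE_POLICY = json.dumps({
    "admin_required": "role:admin or is_admin:1",
    "identity:list_users": "role:kam",
    "identity:get_user": "rule:admin_required or user_id:%(user_id)s",
})


def _tokenize(rule):
    """Split a rule the way oslo.policy does: on whitespace, peeling
    leading '(' and trailing ')' off each word (so %(key)s survives)."""
    tokens = []
    for tok in rule.split():
        clean = tok.lstrip("(")
        tokens.extend("(" * (len(tok) - len(clean)))
        if not clean:
            continue
        body = clean.rstrip(")")
        if body:
            tokens.append(body.lower() if body.lower() in ("and", "or", "not") else body)
        tokens.extend(")" * (len(clean) - len(body)))
    return tokens


class PolicyRules:
    def __init__(self, policy_json):
        self.rules = json.loads(policy_json)

    def enforce(self, rule_name, target, creds):
        """True if the named rule passes for creds against target."""
        tokens = _tokenize(self.rules[rule_name])
        if not tokens:            # empty rule string: always allowed
            return True
        parser = _Parser(tokens, self, target, creds)
        result = parser.parse_or()
        if parser.pos != len(tokens):
            raise ValueError("trailing tokens in rule %r" % rule_name)
        return result


class _Parser:
    """Recursive-descent parser; 'not' binds tighter than 'and', which
    binds tighter than 'or'. Both sides of and/or are always parsed."""

    def __init__(self, tokens, rules, target, creds):
        self.tokens, self.rules, self.target, self.creds = tokens, rules, target, creds
        self.pos = 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def parse_or(self):
        result = self.parse_and()
        while self._peek() == "or":
            self._next()
            rhs = self.parse_and()
            result = result or rhs
        return result

    def parse_and(self):
        result = self.parse_not()
        while self._peek() == "and":
            self._next()
            rhs = self.parse_not()
            result = result and rhs
        return result

    def parse_not(self):
        tok = self._peek()
        if tok == "not":
            self._next()
            return not self.parse_not()
        if tok == "(":
            self._next()
            result = self.parse_or()
            if self._next() != ")":
                raise ValueError("unbalanced parentheses")
            return result
        return self._check(self._next())

    def _check(self, tok):
        if tok == "@":
            return True
        if tok == "!":
            return False
        kind, _, match = tok.partition(":")
        if kind == "rule":                       # reference to another rule
            return self.rules.enforce(match, self.target, self.creds)
        if kind == "role":                       # case-insensitive role match
            return match.lower() in [r.lower() for r in self.creds.get("roles", [])]
        if kind not in self.creds:               # generic check: creds[kind] == match
            return False
        try:
            return (match % self.target) == str(self.creds[kind])
        except KeyError:                         # %(key)s missing from target
            return False


def check_list_users(policy_json=SAMPLE_POLICY):
    """Evaluate both rules for the admin user's credentials (constructed
    to match a token for user 'admin' holding the 'admin' role)."""
    rules = PolicyRules(policy_json)
    admin_creds = {"user_id": "3c1bd8c0f6324dcc938900d8eb801aa5",
                   "roles": ["admin"], "is_admin": 0}
    return {name: rules.enforce(name, {}, admin_creds)
            for name in ("admin_required", "identity:list_users")}


if __name__ == "__main__":
    print(check_list_users())
```

Evaluated this way, `admin_required` passes and `identity:list_users` fails for the admin user, so the successful `user list` means the request was never checked against the modified rule. The debug trace shows the v2.0 admin API (`:35357/v2.0/users`); in the keystone code of that era the v2.0 controllers guard admin-only calls with `assert_admin()`, which enforces only the generic `admin_required` rule, while the per-operation `identity:*` rules are what the v3 API enforces. Pointing `OS_AUTH_URL` at the `/v3` endpoint with `OS_IDENTITY_API_VERSION=3` exercises the `identity:list_users` rule.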
