[openstack-dev] [Keystone]: Help needed with RBAC policies

Boris Bobrov bbobrov at mirantis.com
Tue Jul 19 20:10:50 UTC 2016


Also, you might need to change OS_AUTH_URL to /v3/ or to unversioned.

Policy works only with v3 api. In v2 you are either admin or user, and 
there are no policies or roles.

On 07/19/2016 10:08 PM, Boris Bobrov wrote:
> Hi,
>
> Try passing --os-identity-api-version=3 to `openstack`. Or set env
> variable OS_IDENTITY_API_VERSION=3.
>
> On 07/19/2016 09:56 PM, Nasim, Kam wrote:
>> Hi folks,
>>
>> I have been trying to modify the default RBAC policies in
>> keystone/policy.json; however, my policy changes don't seem to be enforced.
>>
>> As a quick test, I modified the identity:list_users policy to:
>>
>> "identity:list_users": "role:kam",
>>
>> There is no role called "kam" defined in my deployment so I would have
>> expected this operation to fail.
>>
>> However:
>>
>> $ openstack --debug user list
>>
>> +----------------------------------+------------+
>> | ID                               | Name       |
>> +----------------------------------+------------+
>> | 3c1bd8c0f6324dcc938900d8eb801aa5 | admin      |
>> | 4b76763e375946998445b65b11c8db73 | ceilometer |
>> | 15c8e1e463cc4370ad369eaf8504b727 | cinder     |
>> | 951068b3372f47ac827ade8f67cc19b4 | glance     |
>> | 2b62ced877244e74ba90b546225740d0 | heat       |
>> | 438a24497bc8448d9ac63bf05a005796 | kam        |
>> | 0b7af941da9b4896959f9258c6b498a0 | kam2       |
>> | d1c4f7a244f74892b612b9b2ded6d602 | neutron    |
>> | 5c3ea23eb8e14070bc562951bb266073 | sysinv     |
>> +----------------------------------+------------+
>>
>> $ cat myrc
>> unset OS_SERVICE_TOKEN
>> export OS_AUTH_URL=http://192.168.204.2:5000/v2.0
>> export OS_ENDPOINT_TYPE=publicURL
>> export CINDER_ENDPOINT_TYPE=publicURL
>>
>> export OS_USERNAME=admin
>> export OS_PASSWORD=admin
>> export PS1='[\u@\h \W(keystone_admin)]\$ '
>>
>> export OS_TENANT_NAME=admin
>> export OS_REGION_NAME=RegionOne
>>
>>
>> After getting the auth token, the client uses the adminURL endpoint to
>> get the user list:
>> curl -g -i -X GET http://192.168.204.2:35357/v2.0/users -H
>> "User-Agent: python-keystoneclient" -H "Accept: application/json" -H
>> "X-Auth-Token: {SHA1}75002edfff1eb6751b3425d9d247ac3212e750f9"
>>
>>
>> Is there something I am missing here? Some specific configuration to
>> enable RBAC? Do admin URL ops bypass RBAC?
>>
>>
>> Thanks,
>> Kam
>>
>>
>>
>>
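The rule Kam wrote only has an effect once the client talks to the v3 identity API, which is the point of the replies above. As an added illustration that is not code from this thread, from Keystone or from oslo.policy, the block below is a small evaluator for the policy.json rule grammar ("role:x", "rule:y", "is_admin:1", "and", "or", "not", and the "@"/"!" constants), run against the thread's `"identity:list_users": "role:kam"` rule next to keystone's default `admin_required` rule, plus a check of the myrc environment from the question. The credential keys (`roles`, `is_admin`), the helper names, the embedded policy fragment and the v2/v3 heuristic are my assumptions for the example; the real enforcer is oslo.policy, which also handles parentheses and generic target matching that this toy leaves out.

```python
"""Toy evaluator for the oslo.policy rule grammar used in keystone's policy.json.

Added example for the thread; assumptions: credentials are a dict with a "roles"
list and an optional "is_admin" flag, and policy rules use the flat
"a or b and not c" grammar without parentheses.
"""
import json
import re

# Constructed policy fragment: keystone's default admin_required rule alongside
# the rule from the question (role "kam" does not exist in the deployment).
POLICY_JSON = """{
    "admin_required": "role:admin or is_admin:1",
    "identity:list_users": "role:kam",
    "identity:get_user": "rule:admin_required"
}"""
RULES = json.loads(POLICY_JSON)

# Constructed copy of the relevant variables from the myrc file in the question.
MYRC_ENV = {
    "OS_AUTH_URL": "http://192.168.204.2:5000/v2.0",
    "OS_USERNAME": "admin",
    "OS_TENANT_NAME": "admin",
}


def _check_atom(atom, creds, rules):
    """Evaluate one 'kind:value' atom against the credentials."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        # Named rule reference, e.g. "rule:admin_required".
        return evaluate(rules[value], creds, rules)
    if kind == "is_admin":
        return str(creds.get("is_admin", 0)) == value
    # Plain attribute comparison; target substitutions like %(user_id)s are not modelled.
    return str(creds.get(kind)) == value


def evaluate(expr, creds, rules):
    """'or' binds looser than 'and'; 'not' negates a single atom.
    "" and "@" always allow, "!" always denies (oslo.policy conventions)."""
    expr = expr.strip()
    if expr in ("", "@"):
        return True
    if expr == "!":
        return False
    for disjunct in re.split(r"\s+or\s+", expr):
        conjunct_ok = True
        for atom in re.split(r"\s+and\s+", disjunct):
            negate = atom.startswith("not ")
            atom = atom[4:].strip() if negate else atom.strip()
            result = _check_atom(atom, creds, rules)
            if result == negate:  # atom failed, or a negated atom matched
                conjunct_ok = False
                break
        if conjunct_ok:
            return True
    return False


def is_allowed(action, creds, rules=RULES):
    """Would the policy file allow this action for these credentials?"""
    return evaluate(rules[action], creds, rules)


def policy_enforced(env):
    """Heuristic from the thread: policy.json is enforced only on the v3 API,
    so a client pinned to a /v2.0 auth URL never reaches the rule.
    Returns True when the client will speak v3 (explicit version variable or
    a /v3 auth URL); an unversioned URL still needs OS_IDENTITY_API_VERSION=3."""
    url = env.get("OS_AUTH_URL", "").rstrip("/")
    return env.get("OS_IDENTITY_API_VERSION") == "3" or url.endswith("/v3")


if __name__ == "__main__":
    admin = {"roles": ["admin"]}
    print("v3 in use with myrc:", policy_enforced(MYRC_ENV))
    print("admin may list users under the new rule:", is_allowed("identity:list_users", admin))
    print("admin may get a user (default rule):", is_allowed("identity:get_user", admin))
```

With the myrc environment the check reports that v3 is not in use, which is why the edited rule is never consulted; once OS_IDENTITY_API_VERSION=3 (or a /v3 OS_AUTH_URL) is set, the same admin credentials are denied `identity:list_users` while `identity:get_user` still passes through `admin_required`.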