<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>Hi Kam,</div>
<div><br>
</div>
<div>The first thing I’d do is ensure that you’re editing the correct “in use” policy file ( /etc/keystone/policy.json , if it’s a default devstack install ). Secondly, a good test would be to change the actual policy to “!” (deny all). If that still allows
anyone but the service token to do the operation, something beyond your specific edits is wrong.</div>
<div><br>
</div>
<div>The service token bypasses RBAC, but the admin accounts should not. Beyond editing the correct “in use” policy file, there should not be additional changes necessary to enable them.</div>
<div><br>
</div>
<div>Tim</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>"Nasim, Kam" <<a href="mailto:Kam.Nasim@windriver.com">Kam.Nasim@windriver.com</a>><br>
<span style="font-weight:bold">Reply-To: </span>"OpenStack Development Mailing List (not for usage questions)" <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, July 19, 2016 at 11:56 AM<br>
<span style="font-weight:bold">To: </span>"<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>" <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Subject: </span>[openstack-dev] [Keystone]: Help needed with RBAC policies<br>
</div>
<div><br>
</div>
<div xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi folks,<br>
<br>
I have been trying to modify the default RBAC policies in keystone/policy.json however my policy changes don’t seem to be enforced.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As a quick test, I modified the identity:list_users policy to:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">"identity:list_users": "role:kam",<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There is no role called “kam” defined in my deployment so I would have expected this operation to fail.<o:p></o:p></p>
<p class="MsoNormal"><br>
However:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">$ openstack --debug user list<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt">+----------------------------------+------------+<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt">| ID | Name |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt">+----------------------------------+------------+<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt">| 3c1bd8c0f6324dcc938900d8eb801aa5 | admin |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt">| 4b76763e375946998445b65b11c8db73 | ceilometer |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt">| 15c8e1e463cc4370ad369eaf8504b727 | cinder |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt">| 951068b3372f47ac827ade8f67cc19b4 | glance |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt">| 2b62ced877244e74ba90b546225740d0 | heat |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt">| 438a24497bc8448d9ac63bf05a005796 | kam |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt">| 0b7af941da9b4896959f9258c6b498a0 | kam2 |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt">| d1c4f7a244f74892b612b9b2ded6d602 | neutron |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt">| 5c3ea23eb8e14070bc562951bb266073 | sysinv |<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt">+----------------------------------+------------+<b><o:p></o:p></b></span></p>
<p class="MsoNormal"><b><o:p> </o:p></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">$ cat myrc<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">unset OS_SERVICE_TOKEN<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">export OS_AUTH_URL=<a href="http://192.168.204.2:5000/v2.0">http://192.168.204.2:5000/v2.0</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">export OS_ENDPOINT_TYPE=publicURL<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">export CINDER_ENDPOINT_TYPE=publicURL<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">export OS_USERNAME=admin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">export OS_PASSWORD=admin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">export PS1='[\u@\h \W(keystone_admin)]\$ '<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">export OS_TENANT_NAME=admin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">export OS_REGION_NAME=RegionOne<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal">After getting the auth token, the client uses the adminURL endpoint to get the user list:<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">curl -g -i -X GET
<a href="http://192.168.204.2:35357/v2.0/users">http://192.168.204.2:35357/v2.0/users</a> -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}75002edfff1eb6751b3425d9d247ac3212e750f9"<br>
</span><br>
<br>
Is there something I am missing here? Some specific configuration to enable RBAC? Do admin URL ops bypass RBAC<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><br>
Thanks,<br>
Kam<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</span>
</body>
</html>