[keystone] Correct policies setup for System Administrators

Jan Wasilewski finarffin at gmail.com
Mon Sep 27 10:47:56 UTC 2021


Hello,

I am preparing policies configuration before an upgrade to the newer
OpenStack release (Stein) and I would like to create a group of System
Administrators that is able to get, i.e., a list of all projects in the
OpenStack cloud. I was following the description from this page [1], but it
seems my admin user is able to get only a list of the projects where it is
directly added (i.e. with the member role, reader role, or admin role). I am
just wondering whether a System Administrator user can list all of the
OpenStack projects without the reader role being added to every single project.

To summarize what steps were done so far:
- Original policy.json file which was used is here [2]
- Only one option was changed so far:
from:

"identity:list_projects": "rule:cloud_admin or
rule:admin_and_matching_domain_id",

to:

"identity:list_projects": "(role:reader and system_scope:all) or
(role:reader and domain_id:%(target.domain_id)s)",

- Output for command: openstack role assignment list --system all --role member --role reader

+----------------------------------+------+----------------------------------+---------+--------+--------+-----------+
| Role                             | User | Group                            | Project | Domain | System | Inherited |
+----------------------------------+------+----------------------------------+---------+--------+--------+-----------+
| e39e97c23bfe45d1a2f9689b6985f990 |      | a0841b83f583477887219f27dd95477b |         |        | all    | False     |
+----------------------------------+------+----------------------------------+---------+--------+--------+-----------+

Shows only role reader, not role member, which is a bit strange if we
compare with the linked page above. But we have this in implied roles:

openstack implied role list
+----------------------------------+-----------------+----------------------------------+-------------------+
| Prior Role ID                    | Prior Role Name | Implied Role ID                  | Implied Role Name |
+----------------------------------+-----------------+----------------------------------+-------------------+
| a3c7bb5d06884b048c1bfb4403b82b42 | admin           | 3f20cb7be46346a8b2ba65c4684d50a3 | member            |
| a3c7bb5d06884b048c1bfb4403b82b42 | admin           | 9fe2ff9ee4384b1894a90878d3e92bab | _member_          |
| 3f20cb7be46346a8b2ba65c4684d50a3 | member          | e39e97c23bfe45d1a2f9689b6985f990 | reader            |
+----------------------------------+-----------------+----------------------------------+-------------------+

Admin roles are grouped in a group ATM.Admin.

Admin: openstack role assignment list --names --system all --role admin:
+-------+---------------------+-------------------+---------+--------+--------+-----------+
| Role  | User                | Group             | Project | Domain | System | Inherited |
+-------+---------------------+-------------------+---------+--------+--------+-----------+
| admin |                     | ATM.Admin@Default |         |        | all    | False     |
| admin | admin@Default       |                   |         |        | all    | False     |
| admin | jwasilewski@Default |                   |         |        | all    | False     |
+-------+---------------------+-------------------+---------+--------+--------+-----------+

Just to be sure that IDs are linked, we can check it here:

openstack role assignment list --system all --role admin
+----------------------------------+----------------------------------+----------------------------------+---------+--------+--------+-----------+
| Role                             | User                             | Group                            | Project | Domain | System | Inherited |
+----------------------------------+----------------------------------+----------------------------------+---------+--------+--------+-----------+
| a3c7bb5d06884b048c1bfb4403b82b42 |                                  | a0841b83f583477887219f27dd95477b |         |        | all    | False     |
| a3c7bb5d06884b048c1bfb4403b82b42 | 19416fe5a2da45c88eb66c3aaf856c73 |                                  |         |        | all    | False     |
| a3c7bb5d06884b048c1bfb4403b82b42 | f42df418fd404d04b9bdabf2f1b49fd9 |                                  |         |        | all    | False     |
+----------------------------------+----------------------------------+----------------------------------+---------+--------+--------+-----------+

So by linking roles (implied roles): admin (a3c7bb5d06884b048c1bfb4403b82b42)
-> member (3f20cb7be46346a8b2ba65c4684d50a3)
-> reader (e39e97c23bfe45d1a2f9689b6985f990).

The correlation is visible; based on that, my user (jwasilewski) should
retrieve a full project list, but it seems only the three projects where
this user is an admin are visible. I do not want to add my user as a reader
to every single project to be able to list all of them. Is there a way to
achieve this, or is the only way to add this role (reader) for the user to
all projects?
Thank you in advance for any suggestions.

Best regards,
Jan Wasilewski

[1] https://docs.openstack.org/keystone/stein/admin/service-api-protection.html#system-administrators
    -> https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#system-administrators
[2] https://paste.openstack.org/show/bq0HgyqouZF1vywKVkGn/
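The rewritten rule quoted in the post can only pass on the system_scope branch when the token presented to keystone actually carries the system_scope attribute set to "all"; a project-scoped token issued to the same user does not carry it, however many roles that user holds on the system. The following is an added example, not code from the post, from keystone or from oslo.policy: a small evaluator for the subset of the policy language that the rule uses, with the implied-role chain and role names taken from the post. The token attribute names system_scope, domain_id and project_id are assumptions about what oslo.context exposes to policy checks, and the target domain value is constructed.

```python
import re
# Implied-role chain listed in the post: admin -> member and _member_, member -> reader.
IMPLIED = {"admin": {"member", "_member_"}, "member": {"reader"}}
LIST_PROJECTS_RULE = ("(role:reader and system_scope:all) or "  # rule quoted in the post
                      "(role:reader and domain_id:%(target.domain_id)s)")
# Tokens: parentheses, and/or, and key:value atoms (value may be a %(target.x)s substitution).
_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|[A-Za-z_]+:(?:%\([^)]*\)s|[^\s()]+)")

def expand_roles(direct_roles):
    """Follow implied roles transitively, as keystone does when building a token's role list."""
    roles, todo = set(), list(direct_roles)
    while todo:
        role = todo.pop()
        if role not in roles:
            roles.add(role)
            todo.extend(IMPLIED.get(role, ()))
    return roles

def evaluate(rule, creds, target):
    """Evaluate an oslo.policy-style rule (subset: role:, key:value, %(target.x)s, and/or, parens)."""
    toks, pos = _TOKEN.findall(rule), 0
    def atom():
        nonlocal pos
        tok = toks[pos]; pos += 1
        if tok == "(":
            value = or_expr(); pos += 1  # consume the closing ')'
            return value
        key, _, expected = tok.partition(":")
        if key == "role":  # role check: the role must be present in the token
            return expected in creds["roles"]
        if expected.startswith("%(target."):  # substitute the target attribute
            expected = target.get(expected[len("%(target."):-2])
        return creds.get(key) == expected  # generic check against a token attribute
    def and_expr():
        nonlocal pos
        value = atom()
        while pos < len(toks) and toks[pos] == "and":
            pos += 1; value = atom() and value  # always consume the operand
        return value
    def or_expr():
        nonlocal pos
        value = and_expr()
        while pos < len(toks) and toks[pos] == "or":
            pos += 1; value = and_expr() or value
        return value
    return or_expr()

def can_list_projects(direct_roles, scope, target_domain="default"):
    """scope holds the token attributes policy sees (assumed names): {'system_scope': 'all'} for a system-scoped token, {'project_id': ...} for a project-scoped one, {'domain_id': ...} for a domain-scoped one."""
    creds = {"roles": expand_roles(direct_roles), **scope}
    return evaluate(LIST_PROJECTS_RULE, creds, {"domain_id": target_domain})
```

With a system-scoped token the admin assignment passes via admin -> member -> reader; with a project-scoped token built from the same assignment neither branch of the rule matches, which reproduces the symptom in the post.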