<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Red Hat did really good documentation on security (and policies) which can be easily used with kolla - thanks to that my policies now work: <div class=""><br class=""></div><div class=""><a href="https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/pdf/security_and_hardening_guide/Red_Hat_OpenStack_Platform-13-Security_and_Hardening_Guide-en-US.pdf" class="">https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/pdf/security_and_hardening_guide/Red_Hat_OpenStack_Platform-13-Security_and_Hardening_Guide-en-US.pdf</a></div><div class=""><br class=""></div><div class="">Best regards,</div><div class="">Adam<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">Message written by Mark Goddard <<a href="mailto:mark@stackhpc.com" class="">mark@stackhpc.com</a>> on 30.03.2021, at 12:51:</div><br class="Apple-interchange-newline"><div class=""><div class="">On Tue, 30 Mar 2021 at 10:52, Adam Tomas <<a href="mailto:bkslash@poczta.onet.pl" class="">bkslash@poczta.onet.pl</a>> wrote:<br class=""><blockquote type="cite" class=""><br class="">Hi,<br class="">thank you for the answers, but I still have more questions :)<br class=""><br class="">Without any custom policies, when I look inside the horizon container I see (in /etc/openstack-dashboard) the current/default policies. 
If I override (for example keystone_policy.json) with a file placed in /etc/kolla/config/horizon which contains only 3 rules, then after kolla-ansible reconfigure inside the horizon container there is of course a keystone_policy.json file, but only with my 3 rules - should I assume that the previously seen default rules (other than the ones overridden by my rules) still work, whether I see them in the file or not?<br class=""></blockquote><br class="">I'd assume Horizon works in the same way as other services, and you<br class="">only need to include changes. Please test and report back.<br class=""><br class=""><blockquote type="cite" class=""><br class="">And another question - I need a rule that will allow some "special" user (which I call project_admin) to see, create, update and delete users inside a project (but not elsewhere). What should the policy look like?<br class=""><br class="">"project_admin_required": "role:project_admin and default_project_id:%(target.project_id)s"<br class="">"identity:list_user": "rule: admin_required or project_admin_required"<br class="">"identity:create_user": "rule: admin_required or project_admin_required"<br class="">"identity:update_user": "rule: admin_required or project_admin_required"<br class="">"identity:delete_user": "rule: admin_required or project_admin_required"<br class=""><br class=""></blockquote><br class="">As I mentioned before, admin is global in OpenStack for now. There may<br class="">be various ways to achieve what you want. One is to introduce a role,<br class="">and use it in the rules. It's a bit of a can of worms though, since<br class="">there are many API endpoints which might need to be updated to catch<br class="">all corner cases. 
I added keystone to the subject, in case anyone from<br class="">that team wants to comment.<br class=""><br class=""><blockquote type="cite" class="">Best regards,<br class="">Adam<br class=""><br class=""><blockquote type="cite" class="">Message written by Mark Goddard <<a href="mailto:mark@stackhpc.com" class="">mark@stackhpc.com</a>> on 30.03.2021, at 11:05:<br class=""><br class="">On Tue, 30 Mar 2021 at 09:24, Mark Goddard <<a href="mailto:mark@stackhpc.com" class="">mark@stackhpc.com</a>> wrote:<br class=""><blockquote type="cite" class=""><br class="">On Mon, 29 Mar 2021 at 15:36, Adam Tomas <<a href="mailto:bkslash@poczta.onet.pl" class="">bkslash@poczta.onet.pl</a>> wrote:<br class=""><blockquote type="cite" class=""><br class="">Hi,<br class=""></blockquote><br class="">Hi, Looks like we need some more/better docs on this in Kolla.<br class=""></blockquote><br class="">Proposed some docs improvements:<br class=""><a href="https://review.opendev.org/c/openstack/kolla-ansible/+/783809" class="">https://review.opendev.org/c/openstack/kolla-ansible/+/783809</a><br class=""><br class=""><blockquote type="cite" class=""><br class=""><blockquote type="cite" class="">I'm not quite clear about policy.yaml/json files in kolla-ansible. Let's assume that I need to allow one of the project users to add other users to the project. So I create a "project_admin" role and assign it to this user. Then I found the /etc/kolla/keystone/policy.json.test file, which I use as a template. There is a rule "identity:create_credential" : "(role:admin and system_scope:all)", so I add "or role:project_admin", put the file in /etc/kolla/config/keystone/ and reconfigure kolla. And now a few questions:<br class=""><br class="">1. Does policy.json (or policy.yaml) always overwrite all default policies? I mean, if I only add one rule to this file, will the other rules "disappear" or will they have default values? 
Is there any way to only overwrite some default rules and leave the rest with defaults? Like with .conf files<br class=""></blockquote><br class="">For a few releases now, OpenStack supports policy in code. This means<br class="">that you only need to include the rules you want to override in your<br class="">JSON/YAML file.<br class=""><br class=""><blockquote type="cite" class=""><br class="">2. What about Horizon and the visibility of options? In the mentioned case, should putting the same policy.json file in /etc/kolla/config/keystone/ and /etc/kolla/config/horizon/ "unblock" the Add User button for a user with the project_admin role? Or how can I achieve it?<br class=""></blockquote><br class="">For keystone policy in horizon, you need to use:<br class=""><br class="">/etc/kolla/config/horizon/keystone_policy.json<br class=""><br class=""><blockquote type="cite" class=""><br class="">3. Does Horizon need the duplicated policy.json files from other services in its configuration folder, or is it enough to write policy.json for the services I want to change?<br class=""></blockquote><br class="">Only the ones you want to change.<br class=""><br class=""><blockquote type="cite" class=""><br class="">4. When I assign the admin role to a user with a project ID (openstack role add --project PROJECT_ID --user SOME_USER admin), this user sees everything in Horizon system-wide, not only inside this project... Which rules should be created to allow him to see only the users and resources which belong to this project?<br class=""></blockquote><br class="">Currently admin is generally global in OpenStack. It's a known<br class="">limitation, and currently being worked on.<br class=""><br class=""><blockquote type="cite" class=""><br class="">Best regards<br class="">Adam<br class=""></blockquote></blockquote></blockquote><br class=""></blockquote></div></div></blockquote></div><br class=""></div></body></html>