[Openstack] Keystone policy to allow project_admins to add (existing) users to their projects
Jonathan Proulx
jon at jonproulx.com
Mon Aug 24 20:41:32 UTC 2015
Hi,
I want to create a 'project_admin' role with the ability to add and
remove existing users from the project in which one has this role.
But it's not working as I thought. Here's what I tried in policy.json
(note #comments are not in the json file):
# set up the rules
"project_admin": "project_id:%(project_id)s and role:project_admin",
"admin_or_proj_admin": "rule:admin_required or rule:project_admin",
# grant role to some things that were previously rule:admin_required
"identity:get_project": "rule:admin_or_proj_admin",
"identity:update_project": "rule:admin_or_proj_admin",
"identity:get_user": "rule:admin_or_proj_admin",
"identity:get_role": "rule:admin_or_proj_admin",
"identity:create_grant": "rule:admin_or_proj_admin",
"identity:revoke_grant": "rule:admin_or_proj_admin",
"identity:list_role_assignments": "rule:admin_or_proj_admin",
I'd started off with a smaller set (just create_grant and
revoke_grant) but added more access due to failures; it is still not
working.
What I did:
restarted keystone after editing policy.json (is this required?)
# as admin user
keystone user-role-add --user jon --role project_admin --tenant test-group
# as user 'jon'
keystone --debug --os-tenant-name test-group user-role-add --user jon-test --role _member_ --tenant test-group
DEBUG:keystoneclient.auth.identity.v2:Making authentication request to
https://keystone:5001/v2.0/tokens
INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone
DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 4915
DEBUG:keystoneclient.session:REQ: curl -i -X GET https://keystone:35358/v2.0/users/jon-test -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: <redacted>"
INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone
DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
DEBUG:urllib3.connectionpool:"GET /v2.0/users/jon-test HTTP/1.1" 403 131
DEBUG:keystoneclient.session:RESP:
DEBUG:keystoneclient.session:Request returned failure status: 403
You are not authorized to perform the requested action: admin_required (HTTP 403)
Am I tweaking the wrong rules, or is something deeper in my way?
Thanks,
-Jon
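The rule set above composes policy rules with rule:, role:, attribute matching against the target, and and/or. The following is an added example, not code from the post or from keystone: a small evaluator for exactly that subset of the policy language (no parentheses), loaded with the post's grant rules, which shows a project_admin being allowed to grant on their own project and refused on another, and what happens when a rule refers to itself as the "admin_or_proj_admin" line in the original post did. The "admin_required" definition, the user credentials and the project ids are assumed values.

```python
import re

# Rules from the post; the self-reference in "admin_or_proj_admin" is replaced
# by the "project_admin" rule it was evidently meant to call. "admin_required"
# is assumed to be keystone's stock "role:admin" definition.
POLICY = {
    "admin_required": "role:admin",
    "project_admin": "project_id:%(project_id)s and role:project_admin",
    "admin_or_proj_admin": "rule:admin_required or rule:project_admin",
    "identity:create_grant": "rule:admin_or_proj_admin",
    "identity:revoke_grant": "rule:admin_or_proj_admin",
}
# The rule set as posted, kept to show what the self-reference does.
BROKEN = dict(POLICY, admin_or_proj_admin="rule:admin_required or rule:admin_or_proj_admin")

def check(expr, target, creds, policy, depth=0):
    """Evaluate a policy expression: 'or' (lowest precedence), 'and', rule:, role:,
    and generic attr:%(attr)s checks of a credential against the target. No parentheses."""
    if depth > 50:
        raise RecursionError("rule chain too deep: self-referential rule?")
    if " or " in expr:
        return any(check(p, target, creds, policy, depth) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, target, creds, policy, depth) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "rule":
        return check(policy[value], target, creds, policy, depth + 1)
    if kind == "role":
        return value in creds.get("roles", [])
    m = re.fullmatch(r"%\((\w+)\)s", value)       # e.g. project_id:%(project_id)s
    wanted = target.get(m.group(1)) if m else value
    return creds.get(kind) == wanted

def enforce(action, target, creds, policy=POLICY):
    """True if creds may perform action on target under policy."""
    return check(policy[action], target, creds, policy)

def loops(action, target, creds, policy):
    """True if evaluating action never terminates (a rule refers back to itself)."""
    try:
        enforce(action, target, creds, policy)
        return False
    except RecursionError:
        return True

# Constructed credentials: jon holds project_admin on test-group; root is cloud admin.
JON = {"user_id": "jon", "project_id": "test-group", "roles": ["project_admin"]}
ROOT = {"user_id": "root", "project_id": "admin", "roles": ["admin"]}
```

Separately from the rule wiring, the 403 in the post names admin_required rather than identity:get_user: the v2.0 endpoint the keystone CLI is calling checks the admin_required rule directly in its controllers, so changes to the identity:* rules only take effect for requests made through the v3 API.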