[Openstack] Keystone policy to allow project_admins to add (existing) users to their projects

Morgan Fainberg morgan.fainberg at gmail.com
Tue Aug 25 03:36:41 UTC 2015


The policy file is not really used for v2 keystone. There are very limited things that can be done with v2 and policy. 

Please also note that the keystoneclient cli only supports v2 (and is deprecated in favor of the common openstack client). 

Other than those two points, Steve's email is spot on. 

Cheers,
Morgan

Sent via mobile

> On Aug 24, 2015, at 13:41, Jonathan Proulx <jon at jonproulx.com> wrote:
> 
> HI,
> 
> I want to create a 'project_admin' role with the ability to add and
> remove existing users from the project in which one has this role.
> But it's not working as I thought.  Here's what I tried in policy.json
> (note #comments are not in the json file):
> 
> # set up the rules
>    "project_admin": "project_id:%(project_id)s and role:project_admin",
>    "admin_or_proj_admin": "rule:admin_required or rule:admin_or_proj_admin",
> # grant role to some things that were previously rule:admin_required
>    "identity:get_project": "rule:admin_or_proj_admin",
>    "identity:update_project": "rule:admin_or_proj_admin",
>    "identity:get_user": "rule:admin_or_proj_admin",
>    "identity:get_role": "rule:admin_or_proj_admin",
>    "identity:create_grant": "rule:admin_or_proj_admin",
>    "identity:revoke_grant": "rule:admin_or_proj_admin",
>    "identity:list_role_assignments": "rule:admin_or_proj_admin",
> 
> I'd started off with a smaller set (just the create_grant and
> revoke_grant) but added more access due to failures, but still not
> working.
> 
> what I did:
> 
> restarted keystone after editing policy.json (is this required?)
> 
> # as admin user
> keystone user-role-add --user jon --role project_admin --tenant test-group
> 
> # as user 'jon'
> keystone --debug --os-tenant-name test-group user-role-add --user
> jon-test --role _member_ --tenant test-group
> DEBUG:keystoneclient.auth.identity.v2:Making authentication request to
> https://keystone:5001/v2.0/tokens
> INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone
> DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
> DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 4915
> DEBUG:keystoneclient.session:REQ: curl -i -X GET
> https://keystone:35358/v2.0/users/jon-test -H "User-Agent:
> python-keystoneclient" -H "X-Auth-Token: <redacted>"
> INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone
> DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
> DEBUG:urllib3.connectionpool:"GET /v2.0/users/jon-test HTTP/1.1" 403 131
> DEBUG:keystoneclient.session:RESP:
> DEBUG:keystoneclient.session:Request returned failure status: 403
> You are not authorized to perform the requested action: admin_required
> (HTTP 403)
> 
> am I tweaking the wrong rules or is something deeper in my way?
> 
> Thanks,
> -Jon
> 
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
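Added example, not from either poster or from keystone/oslo.policy: a small stand-in evaluator for the rule grammar used in the quoted policy.json ("rule:", "role:", "key:%(target_key)s", "and"/"or"), so a rule tree can be sanity-checked offline before it is deployed. It assumes the v3 code path where policy.json is actually consulted (Morgan's point above is that v2 does not use it), and it corrects the quoted "admin_or_proj_admin" rule, which referenced itself rather than "project_admin"; the self-referencing variant is kept as BROKEN so the cycle check can be shown.

```python
import re

# Constructed policy fragment modelled on the rules in the thread. The post's
# "admin_or_proj_admin" referenced itself; here it points at "project_admin".
POLICY = {
    "admin_required": "role:admin",
    "project_admin": "project_id:%(project_id)s and role:project_admin",
    "admin_or_proj_admin": "rule:admin_required or rule:project_admin",
    "identity:create_grant": "rule:admin_or_proj_admin",
    "identity:revoke_grant": "rule:admin_or_proj_admin",
}
# The self-referencing variant from the post, kept for comparison.
BROKEN = dict(POLICY, admin_or_proj_admin="rule:admin_required or rule:admin_or_proj_admin")


def _atom(atom, target, creds, policy, stack):
    """Evaluate one 'kind:value' check against the caller's credentials."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, target, creds, policy, stack)
    if kind == "role":
        return value in creds.get("roles", ())
    m = re.fullmatch(r"%\((\w+)\)s", value)   # 'key:%(target_key)s' form
    if m:
        return kind in creds and creds[kind] == target.get(m.group(1))
    return str(creds.get(kind)) == value       # literal comparison


def enforce(rule, target, creds, policy=POLICY, stack=()):
    """oslo-style evaluation: 'a and b or c', with 'and' binding tighter."""
    if rule in stack:
        raise RecursionError("policy cycle: " + " -> ".join(stack + (rule,)))
    expr = policy.get(rule)
    if expr is None:
        return False                           # unknown rule: deny
    stack = stack + (rule,)
    return any(
        all(_atom(a.strip(), target, creds, policy, stack)
            for a in term.split(" and "))
        for term in expr.split(" or ")
    )


def has_cycle(rule, policy=POLICY):
    """True if evaluating `rule` for a caller with no roles loops forever."""
    try:
        enforce(rule, {"project_id": "p"}, {"project_id": "p", "roles": []}, policy)
        return False
    except RecursionError:
        return True
```

With the corrected rule, a project_admin on test-group can grant on test-group but not on another project, while the BROKEN variant is reported as a cycle for any caller who is not a cloud admin.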