[Openstack] Role inheritance in keystone
Henry Nash
henry.nash at uk.ibm.com
Wed Nov 16 09:58:43 UTC 2016
Hi Andrew,
Sorry to be picking this up so late - I'm not sure if anyone answered your
question, but from the data I can see it looks like the two role
assignments you have on the domain are not inherited assignments (the
Inherited attribute is False in the role assignment listing). Hence these
assignments apply only to the domain object itself, rather than to projects
within that domain. Such an assignment might be useful, for instance, to
give someone the ability to add users/groups to the domain (but such an
ability has no meaning for regular projects).
If what you want is a role that you assign to a domain and that is also
assigned to each project, then you need to actually mark the assignments
as inherited - you do this when you create the assignment, e.g. use the
--inherited option in 'openstack role add'. For more details see:
http://docs.openstack.org/developer/python-openstackclient/command-objects/role.html
Let me know if you need more guidance on this (or if this indeed does not
solve your problem, in which case something more strange is going on).
Henry
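To make the scoping rule in Henry's reply concrete against Andrew's listing below, here is an added example (not part of either message, and not keystone's own code) that models how keystone v3 resolves effective role assignments under OS-INHERIT: a non-inherited assignment applies only to the object it was made on, an inherited assignment on a domain applies to the projects in that domain but not to the domain itself, and an inherited assignment on a project applies only to its descendant projects. The domain, projects, user and role names are taken from the thread; the child project "labtestproject-child" and the helper with_inherited_domain_roles (standing in for 'openstack role add --inherited --domain default --user novaadmin <role>') are constructed for the example. The project-to-subproject case goes beyond what the thread shows.

```python
"""Model of keystone v3 role-assignment scoping under OS-INHERIT (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    role: str
    user: str
    target: str              # a domain id or a project id
    inherited: bool = False  # True == created with 'openstack role add --inherited'


# Constructed topology modelled on the thread: one domain, two top-level projects,
# plus a hypothetical child project to show project-to-subproject inheritance.
DOMAINS = {"default"}
PROJECTS = {
    "emptytestproject": {"domain": "default", "parent": None},
    "labtestproject": {"domain": "default", "parent": None},
    "labtestproject-child": {"domain": "default", "parent": "labtestproject"},  # hypothetical
}


def effective_roles(assignments, user, target):
    """Return the set of role names `user` effectively holds on `target`.

    Rules modelled here:
      * a non-inherited assignment applies only to the object it was made on;
      * an inherited assignment on a domain applies to every project in that
        domain, but not to the domain itself;
      * an inherited assignment on a project applies to its descendant
        projects, but not to that project itself.
    """
    mine = [a for a in assignments if a.user == user]
    if target in DOMAINS:
        # Domain scope: only direct assignments on the domain count.
        return {a.role for a in mine if a.target == target and not a.inherited}

    project = PROJECTS[target]
    # Direct assignments on the project itself.
    roles = {a.role for a in mine if a.target == target and not a.inherited}
    # Inherited assignments on the owning domain.
    roles |= {a.role for a in mine if a.target == project["domain"] and a.inherited}
    # Inherited assignments on any ancestor project.
    parent = project["parent"]
    while parent is not None:
        roles |= {a.role for a in mine if a.target == parent and a.inherited}
        parent = PROJECTS[parent]["parent"]
    return roles


# Assignments as they appear in Andrew's listings: two direct (Inherited=False)
# assignments on the domain and two direct ones on labtestproject.
AS_POSTED = [
    Assignment("user", "novaadmin", "default"),
    Assignment("projectadmin", "novaadmin", "default"),
    Assignment("user", "novaadmin", "labtestproject"),
    Assignment("projectadmin", "novaadmin", "labtestproject"),
]


def with_inherited_domain_roles(assignments, user, domain, roles):
    """Model of running, once per role:
         openstack role add --inherited --domain <domain> --user <user> <role>
    Returns a new list; the existing direct assignments are kept."""
    return list(assignments) + [Assignment(r, user, domain, inherited=True) for r in roles]


if __name__ == "__main__":
    print("as posted, emptytestproject:",
          effective_roles(AS_POSTED, "novaadmin", "emptytestproject"))
    fixed = with_inherited_domain_roles(AS_POSTED, "novaadmin", "default",
                                        ["user", "projectadmin"])
    print("after --inherited, emptytestproject:",
          effective_roles(fixed, "novaadmin", "emptytestproject"))
    print("after --inherited, domain default:",
          effective_roles(fixed, "novaadmin", "default"))
```

With the assignments as posted, the model returns no roles for emptytestproject, matching the empty listing and the HTTP 401 in Andrew's session; after the inherited domain assignments are added, both roles appear on every project in the domain, while the domain's own role set is unchanged. When checking a real deployment, note that a plain 'openstack role assignment list --project X --user Y' shows only direct assignments; to see inherited ones resolved onto the project, python-openstackclient's '--effective' flag (not mentioned in the thread) expands them.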
----------------------------
[Openstack] Role inheritance in keystone
Andrew Bogott
abogott at wikimedia.org
Sun Oct 30 16:38:37 UTC 2016
I've just read
http://developer.openstack.org/api-ref/identity/v3-ext/inherit.html
and I think I understand it, but can't put it into practice. I have a
user with a role on a domain, and a project in that domain, but I see no
evidence that the role assignment is inherited by the project. Am I
missing some extra 'enable inheritance' config? Or does inheritance
explicitly not work for the 'default' project?
I'm running Openstack Liberty; my entire workflow is attached below.
Hopefully there's an obvious mistake!
Thank you!
-Andrew
$ export OS_USERNAME="novaadmin"
$ export OS_PROJECT_DOMAIN_ID="default"
$ export OS_USER_DOMAIN_ID="default"
$ export OS_PASSWORD="<redacted>"
$ export OS_AUTH_URL="http://<redacted>:35357/v3"
$ export OS_REGION_NAME="codfw"
$ export OS_NO_CACHE=1
$ export OS_IDENTITY_API_VERSION=3
$ curl $OS_AUTH_URL
{"version": {"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://labtestcontrol2001.wikimedia.org:35357/v3/", "rel": "self"}]}}
$ # Conclusion: running keystone api 3.4
$ openstack project show emptytestproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 23c3fe708cb44c4db3144c3763b2c96c |
| is_domain   | False                            |
| name        | emptytestproject                 |
| parent_id   | None                             |
+-------------+----------------------------------+
$ openstack domain list
+---------+---------+---------+----------------------------------------------------------------------+
| ID      | Name    | Enabled | Description                                                          |
+---------+---------+---------+----------------------------------------------------------------------+
| default | Default | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
+---------+---------+---------+----------------------------------------------------------------------+
$ # Conclusion: 'emptytestproject' is in domain 'default.'
$ openstack role assignment list --domain default --user novaadmin
+----------------------------------+-----------+-------+---------+---------+-----------+
| Role                             | User      | Group | Project | Domain  | Inherited |
+----------------------------------+-----------+-------+---------+---------+-----------+
| 8284c7e1155a464c818cf1eacf008c23 | novaadmin |       |         | default | False     |
| cb17fb40e2ef4cdd99956cd771b1799a | novaadmin |       |         | default | False     |
+----------------------------------+-----------+-------+---------+---------+-----------+
$ openstack role list
+----------------------------------+--------------+
| ID                               | Name         |
+----------------------------------+--------------+
| 8284c7e1155a464c818cf1eacf008c23 | user         |
| 8e86568d85984eda8ff44532f99e9304 | admin        |
| cb17fb40e2ef4cdd99956cd771b1799a | projectadmin |
| eb3fb807ab684f3d9fa77eed65bc0817 | glanceadmin  |
+----------------------------------+--------------+
$ # Conclusion: user 'novaadmin' has roles 'projectadmin' and 'user' on domain 'default.'
$ # expected: user 'novaadmin' should have those two inherited roles in 'emptytestproject'
$ openstack role assignment list --project emptytestproject --user novaadmin
$ # nope, no roles.
$ # expected: user 'novaadmin' should be able to list servers in emptytestproject
$ OS_TENANT_NAME=emptytestproject openstack server list
The request you have made requires authentication. (HTTP 401) (Request-ID: req-5b173b30-1cdc-4d30-b1d1-41558dd0cd26)
$ # nope!
$ # ==================================================================
$ # policy doublecheck
$ # ==================================================================
$ openstack role assignment list --project labtestproject --user novaadmin
+----------------------------------+-----------+-------+----------------+--------+-----------+
| Role                             | User      | Group | Project        | Domain | Inherited |
+----------------------------------+-----------+-------+----------------+--------+-----------+
| 8284c7e1155a464c818cf1eacf008c23 | novaadmin |       | labtestproject |        | False     |
| cb17fb40e2ef4cdd99956cd771b1799a | novaadmin |       | labtestproject |        | False     |
+----------------------------------+-----------+-------+----------------+--------+-----------+
$ OS_TENANT_NAME=labtestproject openstack server list
+--------------------------------------+-------------------+---------+---------------------------------+
| ID                                   | Name              | Status  | Networks                        |
+--------------------------------------+-------------------+---------+---------------------------------+
| dd3dd963-c78f-4c68-801a-6bdada4b2c35 | puppetless        | SHUTOFF | public=10.196.16.71             |
| 12d4fe67-7da2-4c28-8c33-bff64b06bff5 | eightpointfive    | SHUTOFF | public=10.196.16.70             |
| 932b8e24-e3ac-44ed-a0a5-035ab3c69869 | rnds-test-104     | SHUTOFF | public=10.196.16.40             |
| 991ba7b0-0b1a-4843-ba85-4a5ae5f72ce6 | spice-test-101    | SHUTOFF | public=10.196.16.17             |
| 93139bfd-51f6-4796-b3ec-0ac971f1d24e | libvirt-test-101  | SHUTOFF | public=10.196.16.16             |
| 1d28d0e3-8dea-4cce-9bd4-a999a43ebea3 | network-tests-101 | SHUTOFF | public=10.196.16.2, 10.196.17.1 |
+--------------------------------------+-------------------+---------+---------------------------------+
$ # Yep, policy allows user with projectadmin role to list servers.