<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">What is the actual question here? Is
it "why is this failing" or "why was it done that way?"<br>
<br>
<br>
On 06/04/2013 07:47 AM, Heiko Krämer wrote:<br>
</div>
<blockquote cite="mid:51ADD3D9.800@honeybutcher.de" type="cite">
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
Heyho guys :)<br>
<br>
I've a little problem with policy settings in keystone. I've
created a new rule in my policy file and restarted keystone, but
in keystone I don't have privileges. <br>
</blockquote>
<br>
What is the rule?<br>
<blockquote cite="mid:51ADD3D9.800@honeybutcher.de" type="cite"> <br>
Example:<br>
<br>
<br>
keystone user-create --name kadmin --pw lala <br>
keystone user-role-add --<br>
<br>
keystone role-list --user kadmin --role KeystoneAdmin --tenant
admin<br>
<br>
+----------------------------------+----------------------+<br>
| id | name |<br>
+----------------------------------+----------------------+<br>
| 3f5c0af585db46aeaec49da28900de28 | KeystoneAdmin |<br>
| dccfed0bd790420bbf1982686cbf7e31 | KeystoneServiceAdmin |<br>
<br>
<br>
cat /etc/keystone/policy.json<br>
<br>
{<br>
"admin_required": [["role:admin"], ["is_admin:1"]],<br>
"owner" : [["user_id:%(user_id)s"]],<br>
"admin_or_owner": [["rule:admin_required"], ["rule:owner"]],<br>
"admin_or_kadmin": [["rule:admin_required"],
["role:KeystoneAdmin"]],<br>
<br>
"default": [["rule:admin_required"]],<br>
[.....]<br>
"identity:list_users": [["rule:admin_or_kadmin"]],<br>
[....]<br>
<br>
&lt;loading kadmin creds&gt;<br>
<br>
keystone user-list<br>
Unable to communicate with identity service: {"error": {"message":
"You are not authorized to perform the requested action:
admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP
403)<br>
<br>
<br>
In the log file I see:<br>
DEBUG [keystone.policy.backends.rules] enforce admin_required:
{'tenant_id': u'b33bf3927d4e449a98cec4a883148110', 'user_id':
u'46a6a9e429db483f8346f0259e99d6a5', u'roles': [u'KeystoneAdmin']}<br>
<br>
<br>
<br>
<br>
Why does keystone enforce the <i>admin_required</i> rule instead of
the defined rule (<i>admin_or_kadmin</i>)?<br>
</blockquote>
<br>
Historical reasons. We are trying to clean this up. <br>
<br>
<blockquote cite="mid:51ADD3D9.800@honeybutcher.de" type="cite"> <br>
<br>
<br>
Keystone conf:<br>
[...]<br>
<br>
# Path to your policy definition containing identity actions<br>
policy_file = policy.json<br>
[..]<br>
[policy]<br>
driver = keystone.policy.backends.rules.Policy<br>
<br>
<br>
<br>
<br>
Anyone have an idea?<br>
<br>
Thx and greetings<br>
Heiko<br>
<br>
<br>
<br>
<pre wrap="">_______________________________________________
Mailing list: <a class="moz-txt-link-freetext" href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a>
Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>
Unsubscribe : <a class="moz-txt-link-freetext" href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a>
More help : <a class="moz-txt-link-freetext" href="https://help.launchpad.net/ListHelp">https://help.launchpad.net/ListHelp</a>
</pre>
</blockquote>
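<br>
For readers following the rule format in the quoted policy.json, here is an added example (not from the thread and not keystone's own code): a small Python evaluator for that list-of-lists format, in which the outer list is an OR of alternatives and each inner list is an AND of checks, run against the rules and the credentials from the DEBUG log line above. The <i>check</i>/<i>enforce</i> helper names and the fallback to the "default" entry for unknown rules are assumptions of this example.<br>

```python
# Added example (not from the thread or from keystone): a minimal
# evaluator for the list-of-lists policy format in the quoted
# policy.json. Outer list = OR of alternatives, inner list = AND of
# checks. Handles "role:X", "rule:X", "is_admin:1", "user_id:%(user_id)s".

POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
    "default": [["rule:admin_required"]],
    "identity:list_users": [["rule:admin_or_kadmin"]],
}

# Constructed credentials, modelled on the DEBUG line in the log.
KADMIN_CREDS = {
    "tenant_id": "b33bf3927d4e449a98cec4a883148110",
    "user_id": "46a6a9e429db483f8346f0259e99d6a5",
    "roles": ["KeystoneAdmin"],
}

def check(spec, target, creds, policy):
    """Evaluate one 'kind:match' check against target and credentials."""
    kind, match = spec.split(":", 1)
    if kind == "rule":
        return enforce(match, target, creds, policy)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: substitute %(key)s from the request target, then
    # compare with the credential of the same name (is_admin, user_id).
    expected = match % target if "%(" in match else match
    return str(creds.get(kind, "")) == expected

def enforce(rule, target, creds, policy):
    """True if any alternative has all of its checks pass. A rule that
    is missing from the file falls back to the "default" entry (assumed)."""
    alternatives = policy.get(rule, policy.get("default", []))
    return any(all(check(c, target, creds, policy) for c in alt)
               for alt in alternatives)

if __name__ == "__main__":
    target = {"user_id": KADMIN_CREDS["user_id"]}
    # admin_required (the rule the log shows being enforced) is denied: False
    print(enforce("admin_required", target, KADMIN_CREDS, POLICY))
    # identity:list_users (the rule Heiko expected) would be allowed: True
    print(enforce("identity:list_users", target, KADMIN_CREDS, POLICY))
```

Evaluating both rules side by side shows why the request fails: the log line records <i>admin_required</i> being enforced, and a credential set whose only role is KeystoneAdmin cannot satisfy it, even though it satisfies <i>admin_or_kadmin</i>.<br>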
<br>
</body>
</html>