Hi,

This is not going to be easily possible. Actually it is possible only with very dirty hacks that nobody can recommend to you. Problem is that the policy you describe is based on the resource IDs. This is conceptually not supported right now. It sounds like something similar to the is_owner rule, but users do not have that, so it is not going to work.
There might be some non trivial workarounds, but I strongly suggest you to consider other models. One potential clean solution would be if you move your user management to the external identity provider (like Keycloak or similar) and establish federation. In that case in your IdP you can model your user management policies as supported.

Regards,
Artem


On Mon, Jul 15, 2024, 18:27 Thamanna Farhath <thamanna.f@zybisys.com> wrote:
Hi,

   Thank you for your support .I have a specific requirement regarding user management permissions in OpenStack. 

Here is the current setup:

  • User X with the "Owner" role has created two users: myuser1 and myuser2.
  • User Y with the "Owner" role has created two users: newuser1 and newuser2.

I want to enforce the following restrictions:

  • User X should only have permission to delete myuser1 and myuser2.
  • User Y should only have permission to delete newuser1 and newuser2.

Currently, User X can delete newuser1 and newuser2, and I need to restrict this behavior.

Could you please provide guidance on how to configure the policy to enforce these restrictions in OpenStack? Any other necessary configurations to achieve this.



---- On Mon, 15 Jul 2024 15:22:42 +0530 Artem Goncharov <artem.goncharov@gmail.com> wrote ---

Hi,


I repeat the my underline of a misunderstanding you are referring to: users are not existing within projects, but within domains.


Things you are asking in multiple independent questions are all being worked in the https://review.opendev.org/c/openstack/keystone/+/924132 (https://bugs.launchpad.net/keystone/+bug/2045974) right now.


Artem


On 7/15/24 11:47, Thamanna Farhath wrote:

Hi OpenStack Community,

I am working on a policy configuration to ensure that only owners of a project can delete users within their own project. Below is my current setup and the policy rules I have defined.

Current Setup

  • OpenStack deployment using Kolla Ansible 2023.1.
  • Created an owner role with permissions to create, delete, and manage users and projects.
  • But it allows you to delete users from other projects as well. So, I need to achieve the below scenario.

Policy Rules

yaml

"admin_required": "role:admin"
"admin_or_owner": "rule:admin_required or (role:owner and project_id:%(target.user.project_id)s)"
"identity:delete_user": "rule:admin_or_owner"

Scenario

  • User demo with owner role of project X creates users newuser1 and newuser2 assigned to project X.
  • User tester with owner role of project Y creates users myuser1 and myuser2 assigned to project Y.

With the above configuration, I aim to ensure that:

  • User demo can only delete newuser1 and newuser2 within project X.
  • User tester can only delete myuser1 and myuser2 within project Y.


Thank you for your support.





Disclaimer :  The content of this email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error, please notify the sender and remove the messages from your system. If you are not the named addressee, it is strictly forbidden for you to share, circulate, distribute or copy any part of this e-mail to any third party without the written consent of the sender.

 

E-mail transmission cannot be guaranteed to be secured or error free as information could be intercepted, corrupted, lost, destroyed, arrive late, incomplete, or may contain viruses. Therefore, we do not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. The recipient should check this e-mail and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email."





Disclaimer :  The content of this email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error, please notify the sender and remove the messages from your system. If you are not the named addressee, it is strictly forbidden for you to share, circulate, distribute or copy any part of this e-mail to any third party without the written consent of the sender.

 

E-mail transmission cannot be guaranteed to be secured or error free as information could be intercepted, corrupted, lost, destroyed, arrive late, incomplete, or may contain viruses. Therefore, we do not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. The recipient should check this e-mail and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email."


----
typed from mobile, auto-correct typos assumed
----