Hi OpenStack Community,

                       I am currently using openstack kolla ansible 2023.1, now facing an issue with the role-based access control in my OpenStack deployment.Could you please assist me in achieving my requirements for proper role configuration and access management?

I have created a custom role named "owner" with permissions to create, delete, and manage users and projects, and also to assign users to projects. However, I want to restrict the "owner" role to manage only the users and projects within their own project, and not across other projects.

Here is the policy file configuration(/etc/kolla/keystone/policy.yaml) I am using:

yaml
# Custom rule to allow users with the 'owner' role to manage users and projects identity:create_project: "role:owner or role:admin" admin_or_owner: "rule:admin_required or project_id:%(target.project.id)s" identity:delete_project: "rule:admin_or_owner" identity:delete_user: "rule:admin_or_owner" identity:create_user: "role:owner or role:admin" identity:get_user: "role:owner or role:admin or role:member or role:user" identity:list_users: "role:owner or role:admin" identity:update_user: "role:owner or role:admin" identity:create_grant: "role:owner or role:admin" identity:list_grants: "role:owner or role:admin"

I have the following questions:

  1. Is the above policy configuration correct for achieving the desired restrictions?
  2. Are there any other possibilities or best practices to ensure that the "owner" role can only delete users and projects within their own project?
  3. How can I improve or adjust the policy rules to meet these requirements effectively?

Thank you in advance for your assistance.


---- On Fri, 12 Jul 2024 10:49:22 +0530 Artem Goncharov <artem.goncharov@gmail.com> wrote ---

Hi,

1) in Keystone we are currently working on implementing domain manager persona that allows certain person on a "customer" side to do project and user operations. This includes explicit listing of users in a domain

2) this is conceptually wrong to talk about users in a project, since users are owned by domains and can get access to multiple projects within the domain (and with some tricks to other domains). So you are partially right that role assignments is the way of figuring out access of users to projects. One more challenge though is that such access can be granted using user groups. In this case you actually should also resolve groups access to the desired project.

Hope this helps,
Artem

----
typed from mobile, auto-correct typos assumed
----

On Thu, Jul 11, 2024, 20:34 Thamanna Farhath <thamanna.f@zybisys.com> wrote:

Hello openstack community,
           I am currently working on an OpenStack kolla ansible 2023.1. I have created a custom role " owner "

Objective: 

  1. Users with the owner role can only list users within their project.
  2. Avoid additional API calls for filtering users by project.

Current Challenge:

      Using direct API calls, the list users API currently returns all users without any project-specific filtering. While additional API calls to the role_assignments endpoint can achieve the desired filtering, this approach is not efficient and doesn't restrict access at the API level.

     I am considering defining custom Keystone policies to achieve this restriction. However, I am unsure how to properly configure these policies to enforce project-specific access control effectively.

Thanks in advance



Disclaimer :  The content of this email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error, please notify the sender and remove the messages from your system. If you are not the named addressee, it is strictly forbidden for you to share, circulate, distribute or copy any part of this e-mail to any third party without the written consent of the sender.

 

E-mail transmission cannot be guaranteed to be secured or error free as information could be intercepted, corrupted, lost, destroyed, arrive late, incomplete, or may contain viruses. Therefore, we do not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. The recipient should check this e-mail and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email."






Disclaimer :  The content of this email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error, please notify the sender and remove the messages from your system. If you are not the named addressee, it is strictly forbidden for you to share, circulate, distribute or copy any part of this e-mail to any third party without the written consent of the sender.

 

E-mail transmission cannot be guaranteed to be secured or error free as information could be intercepted, corrupted, lost, destroyed, arrive late, incomplete, or may contain viruses. Therefore, we do not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. The recipient should check this e-mail and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email."