[openstack-dev] [Keystone]: Help needed with RBAC policies
Nasim, Kam
Kam.Nasim at windriver.com
Tue Jul 19 18:56:11 UTC 2016
Hi folks,
I have been trying to modify the default RBAC policies in keystone/policy.json; however, my policy changes don't seem to be enforced.
As a quick test, I modified the identity:list_users policy to:
"identity:list_users": "role:kam",
There is no role called "kam" defined in my deployment so I would have expected this operation to fail.
However:
$ openstack --debug user list
+----------------------------------+------------+
| ID | Name |
+----------------------------------+------------+
| 3c1bd8c0f6324dcc938900d8eb801aa5 | admin |
| 4b76763e375946998445b65b11c8db73 | ceilometer |
| 15c8e1e463cc4370ad369eaf8504b727 | cinder |
| 951068b3372f47ac827ade8f67cc19b4 | glance |
| 2b62ced877244e74ba90b546225740d0 | heat |
| 438a24497bc8448d9ac63bf05a005796 | kam |
| 0b7af941da9b4896959f9258c6b498a0 | kam2 |
| d1c4f7a244f74892b612b9b2ded6d602 | neutron |
| 5c3ea23eb8e14070bc562951bb266073 | sysinv |
+----------------------------------+------------+
$ cat myrc
unset OS_SERVICE_TOKEN
export OS_AUTH_URL=http://192.168.204.2:5000/v2.0
export OS_ENDPOINT_TYPE=publicURL
export CINDER_ENDPOINT_TYPE=publicURL
export OS_USERNAME=admin
export OS_PASSWORD=admin
export PS1='[\u@\h \W(keystone_admin)]\$ '
export OS_TENANT_NAME=admin
export OS_REGION_NAME=RegionOne
After getting the auth token, the client uses the adminURL endpoint to get the user list:
curl -g -i -X GET http://192.168.204.2:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}75002edfff1eb6751b3425d9d247ac3212e750f9"
Is there something I am missing here? Some specific configuration to enable RBAC? Do admin URL ops bypass RBAC?
Thanks,
Kam