[openstack-dev] [Keystone]: Help needed with RBAC policies

Boris Bobrov bbobrov at mirantis.com
Tue Jul 19 19:08:41 UTC 2016


Hi,

Try passing --os-identity-api-version=3 to `openstack`. Or set env 
variable OS_IDENTITY_API_VERSION=3.

On 07/19/2016 09:56 PM, Nasim, Kam wrote:
> Hi folks,
>
> I have been trying to modify the default RBAC policies in keystone/policy.json however my policy changes don't seem to be enforced.
>
> As a quick test, I modified the identity:list_users policy to:
>
> "identity:list_users": "role:kam",
>
> There is no role called "kam" defined in my deployment so I would have expected this operation to fail.
>
> However:
>
> $ openstack --debug user list
>
> +----------------------------------+------------+
> | ID                               | Name       |
> +----------------------------------+------------+
> | 3c1bd8c0f6324dcc938900d8eb801aa5 | admin      |
> | 4b76763e375946998445b65b11c8db73 | ceilometer |
> | 15c8e1e463cc4370ad369eaf8504b727 | cinder     |
> | 951068b3372f47ac827ade8f67cc19b4 | glance     |
> | 2b62ced877244e74ba90b546225740d0 | heat       |
> | 438a24497bc8448d9ac63bf05a005796 | kam        |
> | 0b7af941da9b4896959f9258c6b498a0 | kam2       |
> | d1c4f7a244f74892b612b9b2ded6d602 | neutron    |
> | 5c3ea23eb8e14070bc562951bb266073 | sysinv     |
> +----------------------------------+------------+
>
> $ cat myrc
> unset OS_SERVICE_TOKEN
> export OS_AUTH_URL=http://192.168.204.2:5000/v2.0
> export OS_ENDPOINT_TYPE=publicURL
> export CINDER_ENDPOINT_TYPE=publicURL
>
> export OS_USERNAME=admin
> export OS_PASSWORD=admin
> export PS1='[\u@\h \W(keystone_admin)]\$ '
>
> export OS_TENANT_NAME=admin
> export OS_REGION_NAME=RegionOne
>
>
> After getting the auth token, the client uses the adminURL endpoint to get the user list:
> curl -g -i -X GET http://192.168.204.2:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}75002edfff1eb6751b3425d9d247ac3212e750f9"
>
>
> Is there something I am missing here? Some specific configuration to enable RBAC? Do admin URL ops bypass RBAC?
>
>
> Thanks,
> Kam
>
>
>
>
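To make concrete what the modified `identity:list_users` rule in the quoted message requires of a token, here is an added example (not keystone's or oslo.policy's own code) that evaluates policy.json rule strings in a simplified form of the way oslo.policy does: `role:X` matches a role on the token, `rule:Y` recurses into another named rule, `and` binds tighter than `or`, and an action with no rule falls back to `default`. The policy fragment and the credential dicts are constructed for the example.

```python
import json

# Constructed policy.json fragment: keystone-style defaults plus the
# "role:kam" change from the thread. Not a copy of any real deployment file.
POLICY_JSON = """
{
    "admin_required": "role:admin or is_admin:1",
    "default": "rule:admin_required",
    "identity:list_users": "role:kam",
    "identity:get_user": "rule:admin_required"
}
"""


def _check(atom, creds, rules):
    """Evaluate one 'kind:value' atom (simplified oslo.policy generic check)."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        # Named rule reference, e.g. rule:admin_required.
        return evaluate(rules.get(value, ""), creds, rules)
    # Generic check: compare the literal against a credential attribute,
    # e.g. is_admin:1 against creds["is_admin"].
    return str(creds.get(kind)) == value


def evaluate(rule, creds, rules):
    """Evaluate 'a and b or c' style rules; an empty rule means allow."""
    rule = rule.strip()
    if not rule:
        return True
    for disjunct in rule.split(" or "):
        if all(_check(a.strip(), creds, rules) for a in disjunct.split(" and ")):
            return True
    return False


def enforce(action, creds, policy_text=POLICY_JSON):
    """Return True if the token described by creds may perform action."""
    rules = json.loads(policy_text)
    rule = rules.get(action, rules.get("default", ""))
    return evaluate(rule, creds, rules)


# Constructed credentials for a token issued to a user holding only 'admin'.
ADMIN_CREDS = {"roles": ["admin"], "is_admin": 0}

if __name__ == "__main__":
    # A token with only the admin role is denied once the rule demands role:kam.
    print(enforce("identity:list_users", ADMIN_CREDS))  # False
    print(enforce("identity:get_user", ADMIN_CREDS))    # True via rule:admin_required
```

Under the original `rule:admin_required` the admin token passes; under `role:kam` it is denied, which is the behaviour the modified rule should produce once the request actually reaches the `identity:list_users` enforcement point.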