[openstack-dev] [Keystone]: Help needed with RBAC policies

Timothy Symanczyk Timothy_Symanczyk at symantec.com
Tue Jul 19 19:09:15 UTC 2016


Hi Kam,

The first thing I'd do is ensure that you're editing the correct "in use" policy file (/etc/keystone/policy.json, if it's a default devstack install). Secondly, a good test would be to change the actual policy to "!" (deny all). If that still allows anyone but the service token to do the operation, something beyond your specific edits is wrong.

The service token bypasses RBAC, but the admin accounts should not. Beyond editing the correct "in use" policy file, there should not be additional changes necessary to enable them.

Tim

From: "Nasim, Kam" <Kam.Nasim at windriver.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Date: Tuesday, July 19, 2016 at 11:56 AM
To: "openstack-dev at lists.openstack.org" <openstack-dev at lists.openstack.org>
Subject: [openstack-dev] [Keystone]: Help needed with RBAC policies

Hi folks,

I have been trying to modify the default RBAC policies in keystone/policy.json however my policy changes don't seem to be enforced.

As a quick test, I modified the identity:list_users policy to:

"identity:list_users": "role:kam",

There is no role called "kam" defined in my deployment so I would have expected this operation to fail.

However:

$ openstack --debug user list

+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| 3c1bd8c0f6324dcc938900d8eb801aa5 | admin      |
| 4b76763e375946998445b65b11c8db73 | ceilometer |
| 15c8e1e463cc4370ad369eaf8504b727 | cinder     |
| 951068b3372f47ac827ade8f67cc19b4 | glance     |
| 2b62ced877244e74ba90b546225740d0 | heat       |
| 438a24497bc8448d9ac63bf05a005796 | kam        |
| 0b7af941da9b4896959f9258c6b498a0 | kam2       |
| d1c4f7a244f74892b612b9b2ded6d602 | neutron    |
| 5c3ea23eb8e14070bc562951bb266073 | sysinv     |
+----------------------------------+------------+

$ cat myrc
unset OS_SERVICE_TOKEN
export OS_AUTH_URL=http://192.168.204.2:5000/v2.0
export OS_ENDPOINT_TYPE=publicURL
export CINDER_ENDPOINT_TYPE=publicURL

export OS_USERNAME=admin
export OS_PASSWORD=admin
export PS1='[\u@\h \W(keystone_admin)]\$ '

export OS_TENANT_NAME=admin
export OS_REGION_NAME=RegionOne


After getting the auth token, the client uses the adminURL endpoint to get the user list:
curl -g -i -X GET http://192.168.204.2:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}75002edfff1eb6751b3425d9d247ac3212e750f9"


Is there something I am missing here? Some specific configuration to enable RBAC? Do admin URL ops bypass RBAC?


Thanks,
Kam
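An added example to go with the thread above (this is not code from either mail, from keystone, or from oslo.policy): a small evaluator for a subset of the policy.json rule language, written so Kam's "role:kam" edit and Tim's "!" deny-all canary can be reproduced offline. It assumes a constructed policy with the keystone defaults that matter here, constructed caller credentials, and models the service-token bypass Tim describes as a plain flag; the rule grammar covers only "@", "!", "rule:", "role:", "key:value" and and/or/not with parentheses.

```python
"""Added example (not oslo.policy or keystone code): a small evaluator for a
subset of the policy.json rule language, enough to show why
"identity:list_users": "role:kam" must refuse an admin and how the "!"
deny-all canary behaves. Atoms: "@" allow, "!" deny, "rule:<name>",
"role:<name>", "<key>:<value>"; combinators: and, or, not, parentheses."""
import json
import re

# Constructed policy mirroring the keystone defaults relevant here.
DEFAULT_POLICY_JSON = """{
    "admin_required": "role:admin or is_admin:1",
    "identity:list_users": "rule:admin_required"
}"""

# Constructed caller credentials for the demonstration.
CALLERS = {
    "admin": {"roles": ["admin"], "is_admin": 0},
    "kam": {"roles": ["kam"], "is_admin": 0},
    "member": {"roles": ["_member_"], "is_admin": 0},
}

_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def load_policy(text):
    """Parse policy.json text into {rule name: rule string}."""
    return json.loads(text)


def _check_atom(atom, rules, creds):
    if atom in ("@", "!"):
        return atom == "@"
    kind, _, value = atom.partition(":")
    if kind == "rule":  # a reference to an undefined rule fails closed
        return evaluate(rules[value], rules, creds) if value in rules else False
    if kind == "role":  # role names compare case-insensitively
        return value.lower() in [r.lower() for r in creds.get("roles", [])]
    return kind in creds and str(creds[kind]) == value  # e.g. is_admin:1


def evaluate(rule, rules, creds):
    """Evaluate one rule string against credentials; True means allowed."""
    tokens = _TOKEN_RE.findall(rule)
    if not tokens:
        return True  # an empty rule string allows everyone
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def or_expr():  # 'and' binds tighter than 'or'
        result = and_expr()
        while pos < len(tokens) and tokens[pos] == "or":
            take()
            result = and_expr() or result  # evaluate unconditionally to consume tokens
        return result

    def and_expr():
        result = unary()
        while pos < len(tokens) and tokens[pos] == "and":
            take()
            result = unary() and result
        return result

    def unary():
        tok = take()
        if tok == "not":
            return not unary()
        if tok == "(":
            result = or_expr()
            take()  # the matching ')'
            return result
        return _check_atom(tok, rules, creds)

    return or_expr()


def enforce(rules, action, creds, admin_token=False):
    """The check as Tim describes it: the legacy service/admin token (modelled
    here as a flag, an assumption of this example) bypasses policy entirely;
    every real user, admin included, is evaluated against the rule."""
    if admin_token:
        return True
    rule = rules.get(action, rules.get("default", "!"))  # unknown action: deny
    return evaluate(rule, rules, creds)


def deny_all_canary(rules, action, cred_sets):
    """Tim's test: set the action to "!" and list callers that still pass.
    Anything but an empty list means the edited file is not the one enforced."""
    patched = dict(rules, **{action: "!"})
    return [n for n, c in cred_sets.items() if enforce(patched, action, c)]


def demo():
    rules = load_policy(DEFAULT_POLICY_JSON)
    kam_only = dict(rules, **{"identity:list_users": "role:kam"})
    return {
        "default_admin": enforce(rules, "identity:list_users", CALLERS["admin"]),
        "role_kam_admin": enforce(kam_only, "identity:list_users", CALLERS["admin"]),
        "role_kam_kam": enforce(kam_only, "identity:list_users", CALLERS["kam"]),
        "canary_leaks": deny_all_canary(rules, "identity:list_users", CALLERS),
        "service_token": enforce(kam_only, "identity:list_users", {}, admin_token=True),
    }
```

Run demo() and the "role_kam_admin" entry comes back False: with the rule Kam wrote, the admin user must be refused, so an admin still seeing the user list means the rule was never consulted (wrong file, or a bypass such as the service token), not that the rule is wrong. The canary returns an empty list for the same reason; on a real deployment the equivalent is to put "!" in the in-use policy file and re-run `openstack user list` with the admin credentials from myrc.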


