[kolla-ansible][horizon] policy.yaml/json files

Mark Goddard mark at stackhpc.com
Tue Mar 30 08:24:41 UTC 2021

On Mon, 29 Mar 2021 at 15:36, Adam Tomas <bkslash at poczta.onet.pl> wrote:
> Hi,

Hi, Looks like we need some more/better docs on this in Kolla.

> Im not quite clear about policy.yaml/json files in kolla-ansible. Let assume, that I need to allow one of project users to add other users to the project. So I create „project_admin” role and assign it to this user. Then I found /etc/kolla/keystone/policy.json.test file, which I use as template. There is rule „identity:create_credential” : „(role:admin and system_scope:all)” so I add „or role:project_admin” and put file in /etc/kolla/config/keystone/ and reconfigure kolla. And now few questions:
> 1. policy.json (or policy.yaml) always overwrite all default policies? I mean if I only add one rule to this file then other rules will „disappear” or will have default values? Is there any way to only overwrite some default rules and leave rest with defaults? Like with .conf files

For a few releases now, OpenStack supports policy in code. This means
that you only need to include the rules you want to override in your

> 2. what about Horizon and visibility of options? In mentioned case putting the same policy.json file in /etc/kolla/config/keystone/ and /etc/kolla/config/horizon/ should „unblock” Add User button for user with project_admin role? Or how to achieve it?

For keystone policy in horizon, you need to use:


> 3. does Horizon need the duplicated policy.json files from other services in it’s configuration folder or is it enough to write policy.json for services I want to change?

Only the ones you want to change.

> 4. when I assign admin role to a user with projectID  (openstack role add —project PROJECT_ID —user SOME_USER admin) this user sees in Horizon everything systemwide, not only inside this project… Which rules should be created to allow him to see only users and resources which belongs to this project?

Currently admin is generally global in OpenStack. It's a known
limitation, and currently being worked on.

> Best regards
> Adam

More information about the openstack-discuss mailing list