[Openstack-operators] How to allow users to list services by modifying the policy.json file of Keystone

Fischer, Matt matthew.fischer at twcable.com
Mon Jan 26 15:02:42 UTC 2015


Is there any reason that the user can't just run keystone catalog which
does not require admin permissions?

On 1/26/15, 4:58 AM, "Christian Berendt" <berendt at b1-systems.de> wrote:

>Hello.
>
>We have a user 'user1' in the tenant 'tenant1' with the assigned role
>'_member_'.
>
>We want to be able to list services with this user. In the default
>policy.json files we can find the following rules:
>
>"admin_required": "role:admin or is_admin:1",
>"identity:list_services": "rule:admin_required",
>
>As expected 'keystone service-list' will fail with a HTTP error 403
>('admin_required').
>
>Now we change the rule "admin_required" to
>
>"admin_required": "role:_member_ or role:admin or is_admin:1".
>
>As expected 'keystone service-list' is now working. But we only want to be
>able to list services; with this modification of the admin_required
>rule it is possible to list e.g. roles, too.
>
>We undo the change to admin_required and change identity:list_services to
>
>"identity:list_services": "rule:admin_required or role:_member_",
>
>'keystone service-list' will fail with an HTTP error 403
>('admin_required').
>
>We change identity:list_services to
>
>"identity:list_services": "role:_member_",
>
>'keystone service-list' will fail with an HTTP error 403
>('admin_required').
>
>We change identity:list_services to
>
>"identity:list_services": "@",
>
>'keystone service-list' will fail with an HTTP error 403
>('admin_required').
>
>It looks like the modifications of identity:list_services are ignored.
>
>Any idea what we are doing wrong?
>
>Christian.
>
>--
>Christian Berendt
>Cloud Solution Architect
>Mail: berendt at b1-systems.de
>
>B1 Systems GmbH
>Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
>GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
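The thread turns on how policy.json rule strings compose: a target such as "identity:list_services" can point at a shared rule ("rule:admin_required") or carry its own checks, and widening the shared rule widens every target that references it. The toy evaluator below is an added example, not Keystone's or oslo.policy's code; it implements only the subset of the rule language used in the message ("role:X", "is_admin:1", "rule:NAME", "@", "and", "or") so the three rewrites of identity:list_services can be compared side by side against a constructed '_member_' user. The policy dictionaries and credentials are constructed from the rules quoted above; the evaluator says nothing about why the poster's Keystone did not honour the edits, it only shows what each rule grants as written.

```python
"""Toy evaluator for Keystone-style policy.json rule strings.

Added example, not Keystone's or oslo.policy's code.  Supports only the
checks used in the thread: "role:X", "is_admin:1", "rule:NAME", the
always-allow literal "@", the always-deny literal "!", and "and"/"or"
with "and" binding tighter than "or".  It does not reproduce Keystone's
real enforcement path.
"""

# Constructed policy, taken from the rules quoted in the thread.  The
# list_roles target stands in for "other admin-only operations".
DEFAULT_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:list_services": "rule:admin_required",
    "identity:list_roles": "rule:admin_required",
}

# Constructed credentials: the _member_ user from the thread and an admin.
MEMBER_CREDS = {"roles": ["_member_"], "is_admin": 0}
ADMIN_CREDS = {"roles": ["admin"], "is_admin": 0}


def _check_atom(atom, policy, creds, depth):
    """Evaluate one 'kind:value' check or one of the '@' / '!' literals."""
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "is_admin":
        return str(creds.get("is_admin", 0)) == value
    if kind == "rule":
        # A reference to another named rule: evaluate it recursively.
        return check_rule(value, policy, creds, depth + 1)
    raise ValueError("unsupported check: %r" % atom)


def evaluate(expr, policy, creds, depth=0):
    """Evaluate a rule expression; 'and' binds tighter than 'or'."""
    if depth > 10:
        raise RecursionError("rule references nest too deeply")
    return any(
        all(_check_atom(a.strip(), policy, creds, depth)
            for a in disjunct.split(" and "))
        for disjunct in expr.split(" or ")
    )


def check_rule(name, policy, creds, depth=0):
    """Look up a named rule or target and evaluate it for the credentials."""
    return evaluate(policy[name], policy, creds, depth)


def compare_variants():
    """Evaluate the thread's rewrites for the _member_ user.

    Returns a dict keyed by variant.  The last two entries contrast the
    two approaches from the thread: narrowing only the list_services
    target leaves list_roles closed, while widening admin_required
    opens every target that references it.
    """
    results = {}
    for variant in ("rule:admin_required or role:_member_", "role:_member_", "@"):
        policy = dict(DEFAULT_POLICY, **{"identity:list_services": variant})
        results[variant] = check_rule("identity:list_services", policy, MEMBER_CREDS)

    narrowed = dict(DEFAULT_POLICY, **{"identity:list_services": "role:_member_"})
    results["narrowed list_services -> list_roles"] = check_rule(
        "identity:list_roles", narrowed, MEMBER_CREDS)

    widened = dict(DEFAULT_POLICY,
                   admin_required="role:_member_ or role:admin or is_admin:1")
    results["widened admin_required -> list_roles"] = check_rule(
        "identity:list_roles", widened, MEMBER_CREDS)
    return results


if __name__ == "__main__":
    for variant, allowed in compare_variants().items():
        print("%-45s %s" % (variant, "allow" if allowed else "deny"))
```

Run stand-alone it prints one allow/deny line per variant; the contrast between the "narrowed" and "widened" rows is the least-privilege point of the thread: granting a single target to '_member_' keeps the other admin_required targets closed, whereas adding '_member_' to admin_required opens all of them.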