[Openstack] [Keystone] Policy settings not working correctly

Adam Young ayoung at redhat.com
Fri Jun 7 02:27:38 UTC 2013


What is the actual question here?  Is it "why is this failing" or "why 
was it done that way?"


On 06/04/2013 07:47 AM, Heiko Krämer wrote:
> Heyho guys :)
>
> I've a little problem with policy settings in keystone. I've created a 
> new rule in my policy file and restarted keystone, but in keystone I 
> don't have privileges.

What is the rule?
>
> Example:
>
>
> keystone user-create --name kadmin --pw lala
> keystone user-role-add --
>
> keystone role-list --user kadmin --role KeystoneAdmin --tenant admin
>
> +----------------------------------+----------------------+
> |                id                |         name         |
> +----------------------------------+----------------------+
> | 3f5c0af585db46aeaec49da28900de28 |    KeystoneAdmin     |
> | dccfed0bd790420bbf1982686cbf7e31 | KeystoneServiceAdmin |
> +----------------------------------+----------------------+
>
>
> cat /etc/keystone/policy.json
>
> {
>     "admin_required": [["role:admin"], ["is_admin:1"]],
>     "owner" : [["user_id:%(user_id)s"]],
>     "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
>     "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
>
>     "default": [["rule:admin_required"]],
> [.....]
>     "identity:list_users": [["rule:admin_or_kadmin"]],
> [....]
>
> <loading kadmin creds>
>
> keystone user-list
> Unable to communicate with identity service: {"error": {"message": 
> "You are not authorized to perform the requested action: 
> admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)
>
>
> In the log file I see:
> DEBUG [keystone.policy.backends.rules] enforce admin_required: 
> {'tenant_id': u'b33bf3927d4e449a98cec4a883148110', 'user_id': 
> u'46a6a9e429db483f8346f0259e99d6a5', u'roles': [u'KeystoneAdmin']}
>
>
>
>
> Why does keystone enforce the /admin_required/ rule instead of the defined 
> rule (/admin_or_kadmin/)?

Historical reasons.  We are trying to clean this up.

>
>
>
> Keystone conf:
> [...]
>
> # Path to your policy definition containing identity actions
> policy_file = policy.json
> [..]
> [policy]
> driver = keystone.policy.backends.rules.Policy
>
>
>
>
> Anyone have an idea?
>
> Thx and greetings
> Heiko
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp
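The thread's DEBUG line is the key diagnostic: it names the rule keystone actually ran (admin_required) and the credentials it ran it against, and the 403 body repeats that rule name. The following is an added example, not Keystone's own policy engine: it re-implements the list-of-lists semantics of the policy.json fragment quoted above (outer list is OR, each inner list is AND; leaves are role:X, rule:X, is_admin:1, or an attribute match such as user_id:%(user_id)s against the request target), parses the enforce line from the log into a rule name plus credentials, and evaluates both the rule that was enforced and the rule the operator intended. The parse_enforce_line, enforce and diagnose functions are this example's own names; the policy values and the log line are copied from the thread. Treatment of an empty rule body as deny is an assumption of this toy engine, not a statement about any Keystone release.

```python
"""Toy evaluator for the old list-of-lists Keystone policy.json language.

Added example, not Keystone code. Outer list = OR, inner list = AND.
"""
import ast
import re

# Policy fragment exactly as quoted in the thread.
POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
    "default": [["rule:admin_required"]],
    "identity:list_users": [["rule:admin_or_kadmin"]],
}

# The DEBUG line from the thread, embedded here as the sample input.
LOG_LINE = ("DEBUG [keystone.policy.backends.rules] enforce admin_required: "
            "{'tenant_id': u'b33bf3927d4e449a98cec4a883148110', 'user_id': "
            "u'46a6a9e429db483f8346f0259e99d6a5', u'roles': [u'KeystoneAdmin']}")


def parse_enforce_line(line):
    """Return (rule_name, credentials) from a keystone 'enforce' DEBUG line."""
    m = re.search(r"enforce (\S+): (\{.*\})\s*$", line)
    if not m:
        raise ValueError("not an enforce line: %r" % line)
    # The dict is a Python repr (u'' literals); literal_eval parses it
    # without executing anything, unlike eval().
    creds = ast.literal_eval(m.group(2))
    return m.group(1), creds


def _check_leaf(leaf, policy, creds, target, depth):
    """Evaluate one 'kind:value' leaf of an AND group."""
    kind, _, value = leaf.partition(":")
    if kind == "rule":
        return enforce(value, policy, creds, target, depth + 1)
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "is_admin":
        # Token-level admin flag; absent in the thread's credentials.
        return str(creds.get("is_admin", 0)) == value
    # Generic attribute match: expand %(x)s from the request target and
    # compare with the same attribute in the credentials.
    try:
        expected = value % target
    except KeyError:
        return False
    return str(creds.get(kind)) == expected


def enforce(rule_name, policy, creds, target=None, depth=0):
    """True if any AND group of the named rule is fully satisfied.

    Unknown rules fall back to 'default', as in the quoted policy file.
    An empty rule body is treated as deny here (assumption of this toy).
    """
    if depth > 10:
        raise RecursionError("policy rule recursion too deep: %s" % rule_name)
    target = target or {}
    groups = policy.get(rule_name, policy.get("default", []))
    return any(
        all(_check_leaf(leaf, policy, creds, target, depth) for leaf in group)
        for group in groups
    )


def diagnose(line, policy=POLICY, intended="identity:list_users"):
    """Compare the rule keystone enforced with the rule the operator intended."""
    enforced, creds = parse_enforce_line(line)
    return {
        "enforced_rule": enforced,
        "enforced_result": enforce(enforced, policy, creds),
        "intended_rule": intended,
        "intended_result": enforce(intended, policy, creds),
    }


if __name__ == "__main__":
    # For the thread's log line: admin_required -> False, identity:list_users -> True
    print(diagnose(LOG_LINE))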
