[Openstack] [Keystone] Policy settings not working correctly

Heiko Krämer info at honeybutcher.de
Fri Jun 7 08:07:01 UTC 2013


Hi Guang,

Thanks for your hint, but that's not the reason, because in your example all
users with the KeystoneAdmin role have the same rights as the admin and
that's useless.

@Adam, so I've no chance to get the policy management working? I can't
say the KeystoneAdmin role is only allowed to create and delete users
and nothing more?
I saw, instead of the file, a MySQL-based policy management, but there are no
CLI commands available, right?


Thanks and greetings,
Heiko

On 07.06.2013 07:59, Yee, Guang wrote:
>
> I think keystone client is still V2 by default, which is enforcing
> admin_required.
>
> Try this
>
> "admin_required": [["role:KeystoneAdmin"], ["role:admin"],
> ["is_admin:1"]],
>
> Guang
>
> *From:*Openstack
> [mailto:openstack-bounces+guang.yee=hp.com at lists.launchpad.net] *On
> Behalf Of *Adam Young
> *Sent:* Thursday, June 06, 2013 7:28 PM
> *To:* Heiko Krämer; openstack
> *Subject:* Re: [Openstack] [Keystone] Policy settings not working
> correctly
>
> What is the actual question here?  Is it "why is this failing" or
> "why was it done that way?"
>
>
> On 06/04/2013 07:47 AM, Heiko Krämer wrote:
>
>     Heyho guys :)
>
>     I've a little problem with policy settings in keystone. I've
>     created a new rule in my policy file and restarted keystone, but
>     in keystone I don't have privileges.
>
>
> What is the rule?
>
>
> Example:
>
>
> keystone user-create --name kadmin --pw lala
> keystone user-role-add --
>
> keystone role-list --user kadmin --role KeystoneAdmin --tenant admin
>
> +----------------------------------+----------------------+
> |                id                |         name         |
> +----------------------------------+----------------------+
> | 3f5c0af585db46aeaec49da28900de28 |    KeystoneAdmin     |
> | dccfed0bd790420bbf1982686cbf7e31 | KeystoneServiceAdmin |
>
>
> cat /etc/keystone/policy.json
>
> {
>     "admin_required": [["role:admin"], ["is_admin:1"]],
>     "owner" : [["user_id:%(user_id)s"]],
>     "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
>     "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
>
>     "default": [["rule:admin_required"]],
> [.....]
>     "identity:list_users": [["rule:admin_or_kadmin"]],
> [....]
>
> <loading kadmin creds>
>
> keystone user-list
> Unable to communicate with identity service: {"error": {"message":
> "You are not authorized to perform the requested action:
> admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)
>
>
> In the log file I see:
> DEBUG [keystone.policy.backends.rules] enforce admin_required:
> {'tenant_id': u'b33bf3927d4e449a98cec4a883148110', 'user_id':
> u'46a6a9e429db483f8346f0259e99d6a5', u'roles': [u'KeystoneAdmin']}
>
> Why does keystone enforce the /admin_required/ rule instead of the defined
> rule (/admin_or_kadmin/)?
>
>
> Historical reasons.  We are trying to clean this up. 
>
> Keystone conf:
> [...]
>
> # Path to your policy definition containing identity actions
> policy_file = policy.json
> [..]
> [policy]
> driver = keystone.policy.backends.rules.Policy
>
> Anyone have an idea?
>
> Thx and greetings
> Heiko
>
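The policy semantics this thread turns on (outer list OR-ed, inner lists AND-ed, `rule:` references, `%(user_id)s` substitution from the target, and unknown actions falling back to `default`), as an added Python illustration that is not Keystone's own code: it replays the kadmin credentials from the DEBUG line against the quoted policy.json, then against Guang's suggested admin_required. The evaluator is an assumed simplification of the legacy list-of-lists format, and `identity:some_other_action` is a constructed action name standing in for any entry hidden behind the "[.....]" elisions.

```python
import json

# Constructed copy of the policy fragment quoted in the thread (legacy
# list-of-lists format); the entries elided as "[.....]" are left out.
POLICY_JSON = """{
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
    "default": [["rule:admin_required"]],
    "identity:list_users": [["rule:admin_or_kadmin"]]
}"""

# Credentials exactly as printed by the DEBUG line quoted in the thread.
KADMIN_CREDS = {"tenant_id": "b33bf3927d4e449a98cec4a883148110",
                "user_id": "46a6a9e429db483f8346f0259e99d6a5",
                "roles": ["KeystoneAdmin"]}


def _check(check, target, creds, rules):
    """Evaluate one 'kind:value' check against the target and credentials."""
    kind, _, value = check.partition(":")
    if "%(" in value:                  # e.g. user_id:%(user_id)s
        try:
            value = value % target
        except KeyError:               # target lacks the field, so the check fails
            return False
    if kind == "rule":                 # reference to another named rule
        return _enforce(value, target, creds, rules)
    if kind == "role":                 # role name must appear in creds['roles']
        return value in creds.get("roles", [])
    # Any other kind compares a credential field as a string (is_admin:1, user_id:...)
    return str(creds.get(kind, "")) == value


def _enforce(rule_name, target, creds, rules):
    """Outer list is OR-ed, inner lists are AND-ed; unknown names use 'default'."""
    rule = rules.get(rule_name, rules.get("default", []))
    return any(all(_check(c, target, creds, rules) for c in conj) for conj in rule)


def enforce(action, creds, target=None, policy_json=POLICY_JSON):
    """True if creds may perform action on target under the given policy text."""
    return _enforce(action, target or {}, creds, json.loads(policy_json))


def with_guang_patch(policy_json=POLICY_JSON):
    """Policy text with Guang's suggested admin_required, to compare its reach."""
    rules = json.loads(policy_json)
    rules["admin_required"] = [["role:KeystoneAdmin"], ["role:admin"], ["is_admin:1"]]
    return json.dumps(rules)
```

With the quoted policy, kadmin passes `identity:list_users` but fails `admin_required`, which is the 403 in the log once the V2 path enforces admin_required directly; with Guang's change kadmin passes admin_required and therefore every action that falls through to `default`, which is the over-grant Heiko objects to.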
