[Openstack] Keystone policy to allow project_admins to add (existing) users to their projects

Steve Martinelli stevemar at ca.ibm.com
Tue Aug 25 03:17:07 UTC 2015


If you're using oslo.policy (this is in Kilo and newer) then you shouldn't
have to restart Keystone for the changes to policy.json to take effect, but
it doesn't hurt.

I suggest looking to make sure the role 'project_admin' was actually
assigned to the user in that project. You can use the command `keystone
user-role-list` for that.

Thanks,

Steve Martinelli
OpenStack Keystone Core



From:	Jonathan Proulx <jon at jonproulx.com>
To:	"openstack at lists.openstack.org" <openstack at lists.openstack.org>
Date:	2015/08/24 03:46 PM
Subject:	[Openstack] Keystone policy to allow project_admins to add (existing) users to their projects



Hi,

I want to create a 'project_admin' role with the ability to add and
remove existing users from the project in which one has this role.
But it's not working as I thought.  Here's what I tried in policy.json
(note #comments are not in the json file):

# set up the rules
    "project_admin": "project_id:%(project_id)s and role:project_admin",
    "admin_or_proj_admin": "rule:admin_required or rule:admin_or_proj_admin",
# grant role to some things that were previously rule:admin_required
    "identity:get_project": "rule:admin_or_proj_admin",
    "identity:update_project": "rule:admin_or_proj_admin",
    "identity:get_user": "rule:admin_or_proj_admin",
    "identity:get_role": "rule:admin_or_proj_admin",
    "identity:create_grant": "rule:admin_or_proj_admin",
    "identity:revoke_grant": "rule:admin_or_proj_admin",
    "identity:list_role_assignments": "rule:admin_or_proj_admin",

I'd started off with a smaller set (just the create_grant and
revoke_grant) but added more access due to failures, but still not
working.

What I did:

restarted keystone after editing policy.json (is this required?)

# as admin user
 keystone user-role-add --user jon --role project_admin --tenant test-group

# as user 'jon'
 keystone --debug --os-tenant-name test-group user-role-add --user jon-test --role _member_ --tenant test-group
DEBUG:keystoneclient.auth.identity.v2:Making authentication request to
https://keystone:5001/v2.0/tokens
INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone
DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 4915
DEBUG:keystoneclient.session:REQ: curl -i -X GET
https://keystone:35358/v2.0/users/jon-test -H "User-Agent:
python-keystoneclient" -H "X-Auth-Token: <redacted>"
INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone
DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
DEBUG:urllib3.connectionpool:"GET /v2.0/users/jon-test HTTP/1.1" 403 131
DEBUG:keystoneclient.session:RESP:
DEBUG:keystoneclient.session:Request returned failure status: 403
You are not authorized to perform the requested action: admin_required
(HTTP 403)

am I tweaking the wrong rules or is something deeper in my way?

Thanks,
-Jon

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
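The policy.json rules from the quoted message, traced offline. This is an added example, not code from the thread, from Keystone or from oslo.policy: a small evaluator for the subset of the rule syntax those rules use (`and`, `or`, parentheses, `rule:` references, `role:` checks and `key:%(key)s` checks against the request target), close enough to oslo.policy to see who a rule admits before the file is deployed. The credential fields (`roles`, `project_id`), the project ids and the `admin_required` definition (`role:admin or is_admin:1`, which is the stock Keystone default) are constructed sample values, not taken from the poster's deployment. Two things it makes visible. First, the `admin_or_proj_admin` rule as posted refers back to itself in its second branch, so for any caller who is not an admin its evaluation never terminates; the evaluator detects the cycle, and a corrected copy points that branch at `rule:project_admin` instead. Second, the 403 in the debug output comes from a request to `/v2.0/users/jon-test` and names `admin_required`; the v2 controllers in Keystone enforce that rule directly, so the `identity:*` entries do not apply to them, and the last line of the demo checks that rule alone for the project_admin credentials.

```python
class PolicyCycleError(Exception):
    """A rule: reference leads back to a rule that is still being evaluated."""

def _tokenize(expr):
    # oslo.policy-style tokenizer: whitespace-separated words, with leading "("
    # and trailing ")" split off. "%(project_id)s" stays whole: it ends in "s".
    tokens = []
    for word in expr.split():
        core = word.lstrip("(").rstrip(")")
        opens = len(word) - len(word.lstrip("("))
        closes = len(word.lstrip("(")) - len(core)
        tokens += ["("] * opens + ([core] if core else []) + [")"] * closes
    return tokens

def _parse(tokens):
    # Builds ('or'|'and', left, right) / ('check', kind, match) nodes; precedence
    # is or < and < parentheses, matching oslo.policy.
    toks = list(tokens)

    def atom():
        tok = toks.pop(0) if toks else None
        if tok == "(":
            node = binary("or")
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return node
        kind, sep, match = (tok or "").partition(":")
        if not sep:
            raise ValueError("not a kind:match check: %r" % tok)
        return ("check", kind, match)

    def binary(op):
        sub = (lambda: binary("and")) if op == "or" else atom
        node = sub()
        while toks and toks[0] == op:
            toks.pop(0)
            node = (op, node, sub())
        return node

    node = binary("or")
    if toks:
        raise ValueError("unexpected token %r" % toks[0])
    return node

def _evaluate(node, rules, creds, target, stack):
    op = node[0]
    if op == "and":
        return (_evaluate(node[1], rules, creds, target, stack)
                and _evaluate(node[2], rules, creds, target, stack))
    if op == "or":  # short-circuits, so an admin never reaches a cyclic branch
        return (_evaluate(node[1], rules, creds, target, stack)
                or _evaluate(node[2], rules, creds, target, stack))
    kind, match = node[1], node[2]
    if kind == "rule":
        if match in stack:
            raise PolicyCycleError(" -> ".join(stack + (match,)))
        if match not in rules:
            return False  # an undefined rule denies
        return _evaluate(rules[match], rules, creds, target, stack + (match,))
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", ()))
    # Generic check: expand %(key)s from the request target and compare the
    # result with the same-named field of the caller's credentials.
    try:
        expanded = match % target
    except (KeyError, ValueError):
        return False
    return kind in creds and str(creds[kind]) == expanded

def check(policy, rule_name, creds, target):
    """True if creds may perform rule_name against target under policy."""
    rules = {name: _parse(_tokenize(expr)) for name, expr in policy.items()}
    return rule_name in rules and _evaluate(rules[rule_name], rules, creds, target, (rule_name,))

def cycles(policy, rule_name, creds, target):
    """True if evaluating rule_name for these creds never terminates."""
    try:
        check(policy, rule_name, creds, target)
    except PolicyCycleError:
        return True
    return False

# Constructed sample: the rules as posted plus the default admin_required rule
# they depend on. CORRECTED_POLICY points the second branch of admin_or_proj_admin
# at project_admin instead of back at admin_or_proj_admin.
POSTED_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "project_admin": "project_id:%(project_id)s and role:project_admin",
    "admin_or_proj_admin": "rule:admin_required or rule:admin_or_proj_admin",
    "identity:get_user": "rule:admin_or_proj_admin",
    "identity:create_grant": "rule:admin_or_proj_admin",
}
CORRECTED_POLICY = dict(POSTED_POLICY, admin_or_proj_admin="rule:admin_required or rule:project_admin")

# Constructed credentials and targets; the ids are placeholders.
JON_CREDS = {"user_id": "jon", "project_id": "test-group-id", "roles": ["project_admin"]}
ADMIN_CREDS = {"user_id": "root", "project_id": "admin-id", "roles": ["admin"]}
TEST_GROUP = {"project_id": "test-group-id"}

if __name__ == "__main__":
    print("posted rule, jon, never terminates:", cycles(POSTED_POLICY, "identity:create_grant", JON_CREDS, TEST_GROUP))
    print("corrected rule, jon, own project:", check(CORRECTED_POLICY, "identity:create_grant", JON_CREDS, TEST_GROUP))
    print("corrected rule, jon, other project:", check(CORRECTED_POLICY, "identity:create_grant", JON_CREDS, {"project_id": "other-id"}))
    print("admin_required alone (what v2 checks), jon:", check(CORRECTED_POLICY, "admin_required", JON_CREDS, TEST_GROUP))
```

The `project_admin` rule only admits a caller whose token is scoped to the same project as the target, so with the corrected reference a project_admin of `test-group` is denied against any other project, and a plain `_member_` of `test-group` is denied outright. Real deployments should validate with oslo.policy itself (for instance `oslopolicy-checker`) rather than this subset evaluator.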


