[Openstack] Keystone policy to allow project_admins to add(existing) users to their projects

Steve Martinelli stevemar at ca.ibm.com
Tue Aug 25 04:00:40 UTC 2015


Right, v2 and policy don't mix :(

The controller goes right to checking for admin-ness:
https://github.com/openstack/keystone/blob/master/keystone/assignment/controllers.py#L144-L161
Whereas in v3, it actually checks the policy.json file:
https://github.com/openstack/keystone/blob/master/keystone/assignment/controllers.py#L387-L396

Use openstackclient with v3 settings, example env. vars here:
http://docs.openstack.org/developer/python-openstackclient/authentication.html#authenticating-using-identity-server-api-v3

and try `openstack role add _member --user jon-test --project test-group`
it should work.

Thanks,

Steve Martinelli
OpenStack Keystone Core
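To make the v3 point concrete, here is a small stand-alone evaluator for the policy.json rules Jon posts below, written as an added example for this page rather than code from Keystone or from anyone in the thread. It implements only the subset of the policy language the quoted rules use (`rule:`, `role:`, generic `key:value` checks with `%(name)s` expanded from the target, `and`/`or` without parentheses) and should not be taken as a description of how oslo.policy itself is implemented. The `admin_required` definition, the credential dictionaries and the target dictionaries are constructed for the example; in a real v3 deployment the enforcer builds them from the token and the request URL. The evaluator also detects the self-referencing `admin_or_proj_admin` rule from the original post, which under this grammar would never terminate.

```python
"""Evaluate Keystone-style policy.json rules offline (added example, not Keystone code)."""
import re
from typing import Dict, List, Mapping

# Constructed policy fragment following Jon's rules, with "admin_or_proj_admin"
# pointing at "project_admin" instead of itself. "admin_required" is assumed to be
# the usual "role:admin or is_admin:1"; the rest of a real policy.json is omitted.
POLICY: Dict[str, str] = {
    "admin_required": "role:admin or is_admin:1",
    "project_admin": "project_id:%(project_id)s and role:project_admin",
    "admin_or_proj_admin": "rule:admin_required or rule:project_admin",
    "identity:get_project": "rule:admin_or_proj_admin",
    "identity:get_user": "rule:admin_or_proj_admin",
    "identity:create_grant": "rule:admin_or_proj_admin",
    "identity:revoke_grant": "rule:admin_or_proj_admin",
}

# The rule exactly as it appeared in the original post: it refers to itself.
BROKEN_POLICY: Dict[str, str] = {
    **POLICY,
    "admin_or_proj_admin": "rule:admin_required or rule:admin_or_proj_admin",
}

_SUBST = re.compile(r"%\((\w+)\)s")


def _atom(atom: str, creds: Mapping, target: Mapping, policy: Mapping, stack: List[str]) -> bool:
    """Evaluate one check such as role:admin or project_id:%(project_id)s."""
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return _eval(value, creds, target, policy, stack)
    if kind == "role":
        return value in creds.get("roles", ())
    # Generic key:value check; %(name)s is filled in from the target object so that
    # project_id:%(project_id)s means "token project == project being modified".
    expected = _SUBST.sub(lambda m: str(target.get(m.group(1))), value)
    return str(creds.get(kind)) == expected


def _eval(name: str, creds: Mapping, target: Mapping, policy: Mapping, stack: List[str]) -> bool:
    if name in stack:
        raise ValueError("policy rule %r refers to itself: %s" % (name, " -> ".join(stack + [name])))
    expr = policy[name]
    # "and" binds tighter than "or"; this toy grammar has no parentheses.
    return any(
        all(_atom(a.strip(), creds, target, policy, stack + [name]) for a in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def enforce(action: str, creds: Mapping, target: Mapping, policy: Mapping = POLICY) -> bool:
    """Return True if creds may perform action on target under the given policy."""
    return _eval(action, creds, target, policy, [])


# Constructed credentials: what a project-scoped v3 token might carry.
JON = {"user_id": "jon", "project_id": "test-group", "roles": ["project_admin", "_member_"]}
MEMBER = {"user_id": "jon-test", "project_id": "test-group", "roles": ["_member_"]}
ADMIN = {"user_id": "admin", "project_id": "admin", "roles": ["admin"]}


def demo() -> Dict[str, bool]:
    """Exercise identity:create_grant for the three constructed identities."""
    return {
        "jon_grants_in_own_project": enforce("identity:create_grant", JON, {"project_id": "test-group"}),
        "jon_grants_in_other_project": enforce("identity:create_grant", JON, {"project_id": "other"}),
        "member_grants": enforce("identity:create_grant", MEMBER, {"project_id": "test-group"}),
        "admin_grants_anywhere": enforce("identity:create_grant", ADMIN, {"project_id": "other"}),
    }


def broken_rule_is_detected() -> bool:
    """Jon's original self-referencing rule is caught instead of recursing forever."""
    try:
        enforce("identity:create_grant", JON, {"project_id": "test-group"}, BROKEN_POLICY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-30s %s" % (name, allowed))
    print("self-reference detected:", broken_rule_is_detected())
```

Two things worth noticing when running it. First, the `project_id:%(project_id)s` check is what keeps a project_admin inside their own project; drop it and `jon_grants_in_other_project` flips to True. Second, none of the quoted rules look at which role is being granted, so as written a project_admin can hand out any role the deployment defines within their project, including roles that other policy rules treat as administrative; anyone adopting this pattern should decide whether that is acceptable before deploying it. None of this applies to the v2 API, which, as Steve notes, never consults these rules at all.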



From:	Morgan Fainberg <morgan.fainberg at gmail.com>
To:	Jonathan Proulx <jon at jonproulx.com>
Cc:	"openstack at lists.openstack.org" <openstack at lists.openstack.org>
Date:	2015/08/24 10:49 PM
Subject:	Re: [Openstack] Keystone policy to allow project_admins to add (existing) users to their projects



The policy file is not really used for v2 keystone. There are very limited
things that can be done with v2 and policy.

Please also note that the keystoneclient cli only supports v2 (and is
deprecated in favor of the common openstack client).

Other than those two points, Steve's email is spot on.

Cheers,
Morgan

Sent via mobile

> On Aug 24, 2015, at 13:41, Jonathan Proulx <jon at jonproulx.com> wrote:
>
> Hi,
>
> I want to create a 'project_admin' role with the ability to add and
> remove existing users from the project in which one has this role.
> But it's not working as I thought.  Here's what I tried in policy.json
> (note #comments are not in the json file):
>
> # set up the rules
>    "project_admin": "project_id:%(project_id)s and role:project_admin",
>    "admin_or_proj_admin": "rule:admin_required or rule:project_admin",
> # grant role to some things that were previously rule:admin_required
>    "identity:get_project": "rule:admin_or_proj_admin",
>    "identity:update_project": "rule:admin_or_proj_admin",
>    "identity:get_user": "rule:admin_or_proj_admin",
>    "identity:get_role": "rule:admin_or_proj_admin",
>    "identity:create_grant": "rule:admin_or_proj_admin",
>    "identity:revoke_grant": "rule:admin_or_proj_admin",
>    "identity:list_role_assignments": "rule:admin_or_proj_admin",
>
> I'd started off with a smaller set (just the create_grant and
> revoke_grant) but added more access due to failures, but still not
> working.
>
> what I did:
>
> restarted keystone after editing policy.json (is this required?)
>
> # as admin user
> keystone user-role-add --user jon --role project_admin --tenant test-group
>
> # as user 'jon'
> keystone --debug --os-tenant-name test-group user-role-add --user jon-test --role _member_ --tenant test-group
> DEBUG:keystoneclient.auth.identity.v2:Making authentication request to
> https://keystone:5001/v2.0/tokens
> INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone
> DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
> DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 4915
> DEBUG:keystoneclient.session:REQ: curl -i -X GET
> https://keystone:35358/v2.0/users/jon-test -H "User-Agent:
> python-keystoneclient" -H "X-Auth-Token: <redacted>"
> INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone
> DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
> DEBUG:urllib3.connectionpool:"GET /v2.0/users/jon-test HTTP/1.1" 403 131
> DEBUG:keystoneclient.session:RESP:
> DEBUG:keystoneclient.session:Request returned failure status: 403
> You are not authorized to perform the requested action: admin_required
> (HTTP 403)
>
> am I tweaking the wrong rules or is something deeper in my way?
>
> Thanks,
> -Jon
>

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
