[Openstack] Keystone policy to allow project_admins to add(existing) users to their projects

Jonathan Proulx jon at jonproulx.com
Tue Aug 25 18:52:26 UTC 2015


Apparently forgot to mention this is on Kilo (ubuntu cloudarchive packaged
version which is still 2015.1.0)

On Tue, Aug 25, 2015 at 12:00 AM, Steve Martinelli <stevemar at ca.ibm.com>
wrote:

> Right, v2 and policy don't mix : (
>

Ah yes! That gets me much further. After discovering I also needed to add
'list_roles', I'm getting:

 2015-08-25 14:30:52.659 12798 TRACE keystone.common.wsgi RuntimeError:
maximum recursion depth exceeded

when running as the 'project_admin'. This seems to be during the
'list_roles' call, as I get the same error trying to list roles, though not
as admin, so I'm pretty sure it's now my logic that's off. Also, 'openstack role
list' as admin works; as project_admin it generates a similar error to the
'openstack role add --user jon-test --project test-group _memeber_'.

Fresh grep of related policy:

    "project_admin": "project_id:%(project_id)s and role:project_admin",
    "admin_or_proj_admin": "rule:admin_required or rule:admin_or_proj_admin",
    "identity:get_project": "rule:admin_or_proj_admin",
    "identity:update_project": "rule:admin_or_proj_admin",
    "identity:get_user": "rule:admin_or_proj_admin",
    "identity:get_role": "rule:admin_or_proj_admin",
    "identity:list_roles": "rule:admin_or_proj_admin",
    "identity:create_grant": "rule:admin_or_proj_admin",
    "identity:revoke_grant": "rule:admin_or_proj_admin",
    "identity:list_role_assignments": "rule:admin_or_proj_admin",

Full debug log of the failed call from the keystone server:
http://paste.openstack.org/show/427313/

Thanks,
-Jon
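The "maximum recursion depth exceeded" trace matches the second rule in the grep above: admin_or_proj_admin is written as "rule:admin_required or rule:admin_or_proj_admin", so for any caller who is not admin the evaluator re-enters the same rule until Python stops it (admin short-circuits on the first branch, which is why the admin runs succeed). The following is an added example, not code from this thread, from Keystone or from oslo.policy: a small evaluator for the rule syntax used in the posted policy.json that reproduces the cycle, shows the behaviour with the self reference replaced by rule:project_admin (the presumably intended reference, given the first rule), and includes a lint that flags self-referential rules before they reach a server. Keystone's default admin_required rule and the token attributes are assumed.

```python
# Added example (not Keystone/oslo.policy code); admin_required default and token attributes assumed.
def _check(term, rules, creds, target, stack):
    """Evaluate one 'kind:value' term of a rule against a request."""
    kind, _, value = term.partition(":")
    if kind == "rule":                          # reference to another named rule
        if value in stack:                      # oslo.policy would recurse until Python stops it
            raise RecursionError("rule cycle: " + " -> ".join(stack + (value,)))
        return evaluate(value, rules, creds, target, stack)
    if kind == "role":                          # role carried by the token
        return value in creds.get("roles", ())
    if value.startswith("%(") and value.endswith(")s"):
        value = target.get(value[2:-2])         # e.g. %(project_id)s -> target attribute
    return value is not None and str(creds.get(kind)) == str(value)

def evaluate(rule_name, rules, creds, target, stack=()):
    """True if the named rule grants creds access to target ('or' binds loosest)."""
    stack = tuple(stack) + (rule_name,)
    return any(all(_check(t.strip(), rules, creds, target, stack) for t in conj.split(" and "))
               for conj in rules[rule_name].split(" or "))

def self_referential_rules(rules):
    """Static lint: names of rules whose body refers back to the rule itself."""
    return sorted(name for name, body in rules.items() if f"rule:{name}" in body.split())

# Rules as posted in the thread, plus the assumed Keystone default for admin_required.
POSTED_RULES = {
    "admin_required": "role:admin or is_admin:1",
    "project_admin": "project_id:%(project_id)s and role:project_admin",
    "admin_or_proj_admin": "rule:admin_required or rule:admin_or_proj_admin",
    "identity:create_grant": "rule:admin_or_proj_admin",
}
# Same rules with the self reference replaced by the rule that was presumably intended.
FIXED_RULES = dict(POSTED_RULES, admin_or_proj_admin="rule:admin_required or rule:project_admin")

# Constructed token attributes: a project_admin of project "tg-id" and a cloud admin.
PROJECT_ADMIN = {"project_id": "tg-id", "roles": ["project_admin"]}
ADMIN = {"project_id": "admin-id", "roles": ["admin"]}

def grant_outcome(rules, creds, target):
    """'allowed', 'denied' or 'recursion' for identity:create_grant on target."""
    try:
        return "allowed" if evaluate("identity:create_grant", rules, creds, target) else "denied"
    except RecursionError:
        return "recursion"

if __name__ == "__main__":
    print(self_referential_rules(POSTED_RULES))                                 # ['admin_or_proj_admin']
    print(grant_outcome(POSTED_RULES, PROJECT_ADMIN, {"project_id": "tg-id"}))  # recursion
    print(grant_outcome(FIXED_RULES, PROJECT_ADMIN, {"project_id": "tg-id"}))   # allowed
    print(grant_outcome(FIXED_RULES, PROJECT_ADMIN, {"project_id": "other"}))   # denied
```

Running the lint over a whole policy.json before restarting keystone catches this class of mistake without needing to trigger the trace on a live server.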

> The controller goes right to checking for admin-ness:
> https://github.com/openstack/keystone/blob/master/keystone/assignment/controllers.py#L144-L161
> Whereas in v3, it actually checks the policy.json file:
> https://github.com/openstack/keystone/blob/master/keystone/assignment/controllers.py#L387-L396
>
> Use openstackclient with v3 settings, example env. vars here:
> http://docs.openstack.org/developer/python-openstackclient/authentication.html#authenticating-using-identity-server-api-v3
>
> and try `openstack role add _member --user jon-test --project test-group`
> it should work.
>
> Thanks,
>
> Steve Martinelli
> OpenStack Keystone Core
>
> From: Morgan Fainberg <morgan.fainberg at gmail.com>
> To: Jonathan Proulx <jon at jonproulx.com>
> Cc: "openstack at lists.openstack.org" <openstack at lists.openstack.org>
> Date: 2015/08/24 10:49 PM
> Subject: Re: [Openstack] Keystone policy to allow project_admins to add
> (existing) users to their projects
> ------------------------------
>
>
>
> The policy file is not really used for v2 keystone. There are very limited
> things that can be done with v2 and policy.
>
> Please also note that the keystoneclient cli only supports v2 (and is
> deprecated in favor of the common openstack client).
>
> Other than those two points, Steve's email is spot on.
>
> Cheers,
> Morgan
>
> Sent via mobile
>
> > On Aug 24, 2015, at 13:41, Jonathan Proulx <jon at jonproulx.com> wrote:
> >
> > Hi,
> >
> > I want to create a 'project_admin' role with the ability to add and
> > remove existing users from the project in which one has this role.
> > But it's not working as I thought.  Here's what I tried in policy.json
> > (note #comments are not in the json file):
> >
> > # set up the rules
> >    "project_admin": "project_id:%(project_id)s and role:project_admin",
> >    "admin_or_proj_admin": "rule:admin_required or rule:admin_or_proj_admin",
> > # grant role to some things that were previously rule:admin_required
> >    "identity:get_project": "rule:admin_or_proj_admin",
> >    "identity:update_project": "rule:admin_or_proj_admin",
> >    "identity:get_user": "rule:admin_or_proj_admin",
> >    "identity:get_role": "rule:admin_or_proj_admin",
> >    "identity:create_grant": "rule:admin_or_proj_admin",
> >    "identity:revoke_grant": "rule:admin_or_proj_admin",
> >    "identity:list_role_assignments": "rule:admin_or_proj_admin",
> >
> > I'd started off with a smaller set (just the create_grant and
> > revoke_grant) but added more access due to failures, but still not
> > working.
> >
> > What I did:
> >
> > restarted keystone after editing policy.json (is this required?)
> >
> > # as admin user
> > keystone user-role-add --user jon --role project_admin --tenant test-group
> >
> > # as user 'jon'
> > keystone --debug --os-tenant-name test-group user-role-add --user
> > jon-test --role _member_ --tenant test-group
> > DEBUG:keystoneclient.auth.identity.v2:Making authentication request to
> > https://keystone:5001/v2.0/tokens
> > INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone
> > DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
> > DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 4915
> > DEBUG:keystoneclient.session:REQ: curl -i -X GET
> > https://keystone:35358/v2.0/users/jon-test -H "User-Agent:
> > python-keystoneclient" -H "X-Auth-Token: <redacted>"
> > INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone
> > DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
> > DEBUG:urllib3.connectionpool:"GET /v2.0/users/jon-test HTTP/1.1" 403 131
> > DEBUG:keystoneclient.session:RESP:
> > DEBUG:keystoneclient.session:Request returned failure status: 403
> > You are not authorized to perform the requested action: admin_required
> > (HTTP 403)
> >
> > Am I tweaking the wrong rules, or is something deeper in my way?
> >
> > Thanks,
> > -Jon
> >
> > _______________________________________________
> > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > Post to     : openstack at lists.openstack.org
> > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>