[Openstack] Role inheritance in keystone
Andrew Bogott
abogott at wikimedia.org
Sun Oct 30 16:38:37 UTC 2016
I've just read
http://developer.openstack.org/api-ref/identity/v3-ext/inherit.html
and I think I understand it, but can't put it into practice. I have a
user with a role on a domain, and a project in that domain, but I see no
evidence that the role assignment is inherited by the project. Am I
missing some extra 'enable inheritance' config? Or does inheritance
explicitly not work for the 'default' project?
I'm running OpenStack Liberty; my entire workflow is attached below.
Hopefully there's an obvious mistake!
Thank you!
-Andrew
$ export OS_USERNAME="novaadmin"
$ export OS_PROJECT_DOMAIN_ID="default"
$ export OS_USER_DOMAIN_ID="default"
$ export OS_PASSWORD="<redacted>"
$ export OS_AUTH_URL="http://<redacted>:35357/v3"
$ export OS_REGION_NAME="codfw"
$ export OS_NO_CACHE=1
$ export OS_IDENTITY_API_VERSION=3
$ curl $OS_AUTH_URL
{"version": {"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://labtestcontrol2001.wikimedia.org:35357/v3/", "rel": "self"}]}}
$ # Conclusion: running keystone API 3.4
$ openstack project show emptytestproject
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | 23c3fe708cb44c4db3144c3763b2c96c |
| is_domain | False |
| name | emptytestproject |
| parent_id | None |
+-------------+----------------------------------+
$ openstack domain list
+---------+---------+---------+-----------------------------------------------------------------------+
| ID      | Name    | Enabled | Description                                                           |
+---------+---------+---------+-----------------------------------------------------------------------+
| default | Default | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
+---------+---------+---------+-----------------------------------------------------------------------+
$ # Conclusion: 'emptytestproject' is in domain 'default.'
$ openstack role assignment list --domain default --user novaadmin
+----------------------------------+-----------+-------+---------+---------+-----------+
| Role                             | User      | Group | Project | Domain  | Inherited |
+----------------------------------+-----------+-------+---------+---------+-----------+
| 8284c7e1155a464c818cf1eacf008c23 | novaadmin |       |         | default | False     |
| cb17fb40e2ef4cdd99956cd771b1799a | novaadmin |       |         | default | False     |
+----------------------------------+-----------+-------+---------+---------+-----------+
$ openstack role list
+----------------------------------+--------------+
| ID | Name |
+----------------------------------+--------------+
| 8284c7e1155a464c818cf1eacf008c23 | user |
| 8e86568d85984eda8ff44532f99e9304 | admin |
| cb17fb40e2ef4cdd99956cd771b1799a | projectadmin |
| eb3fb807ab684f3d9fa77eed65bc0817 | glanceadmin |
+----------------------------------+--------------+
$ # Conclusion: user 'novaadmin' has roles 'projectadmin' and 'user' on domain 'default.'
$ # expected: user 'novaadmin' should have those two inherited roles in 'emptytestproject'
$ openstack role assignment list --project emptytestproject --user novaadmin
$ # nope, no roles.
$ # expected: user 'novaadmin' should be able to list servers in emptytestproject
$ OS_TENANT_NAME=emptytestproject openstack server list
The request you have made requires authentication. (HTTP 401)
(Request-ID: req-5b173b30-1cdc-4d30-b1d1-41558dd0cd26)
$ # nope!
$ # ==================================================================
$ # policy doublecheck
$ # ==================================================================
$ openstack role assignment list --project labtestproject --user novaadmin
+----------------------------------+-----------+-------+----------------+--------+-----------+
| Role                             | User      | Group | Project        | Domain | Inherited |
+----------------------------------+-----------+-------+----------------+--------+-----------+
| 8284c7e1155a464c818cf1eacf008c23 | novaadmin |       | labtestproject |        | False     |
| cb17fb40e2ef4cdd99956cd771b1799a | novaadmin |       | labtestproject |        | False     |
+----------------------------------+-----------+-------+----------------+--------+-----------+
$ OS_TENANT_NAME=labtestproject openstack server list
+--------------------------------------+-------------------+---------+---------------------------------+
| ID                                   | Name              | Status  | Networks                        |
+--------------------------------------+-------------------+---------+---------------------------------+
| dd3dd963-c78f-4c68-801a-6bdada4b2c35 | puppetless        | SHUTOFF | public=10.196.16.71             |
| 12d4fe67-7da2-4c28-8c33-bff64b06bff5 | eightpointfive    | SHUTOFF | public=10.196.16.70             |
| 932b8e24-e3ac-44ed-a0a5-035ab3c69869 | rnds-test-104     | SHUTOFF | public=10.196.16.40             |
| 991ba7b0-0b1a-4843-ba85-4a5ae5f72ce6 | spice-test-101    | SHUTOFF | public=10.196.16.17             |
| 93139bfd-51f6-4796-b3ec-0ac971f1d24e | libvirt-test-101  | SHUTOFF | public=10.196.16.16             |
| 1d28d0e3-8dea-4cce-9bd4-a999a43ebea3 | network-tests-101 | SHUTOFF | public=10.196.16.2, 10.196.17.1 |
+--------------------------------------+-------------------+---------+---------------------------------+
$ # Yep, policy allows user with projectadmin role to list servers.
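The behaviour recorded in the transcript above, modeled as an added Python example. This is not Keystone's code and is not part of the original message; it only encodes how OS-INHERIT expands role assignments into effective roles. The user, domain, project and role names are the ones from the post; the child project `subproject` and the inherited `glanceadmin` assignment are made up to exercise inheritance down a project hierarchy.

```python
"""Model of how Keystone's OS-INHERIT extension turns role assignments into
effective roles. Added illustration, not Keystone's code. Names come from the
post; 'subproject' and the inherited 'glanceadmin' assignment are hypothetical."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Project:
    id: str
    domain_id: str
    parent_id: Optional[str] = None


@dataclass(frozen=True)
class Assignment:
    role: str
    user: str
    domain_id: Optional[str] = None   # set for a domain-scoped assignment
    project_id: Optional[str] = None  # set for a project-scoped assignment
    inherited: bool = False           # OS-INHERIT 'inherited_to_projects'


def ancestor_ids(project, projects):
    """IDs of the project's parents up to the top of the tree (not the project itself)."""
    ids, parent = set(), project.parent_id
    while parent is not None:
        ids.add(parent)
        parent = projects[parent].parent_id
    return ids


def effective_roles(user, project, assignments, projects, os_inherit_enabled=True):
    """Roles `user` holds on `project`, i.e. what a project-scoped token carries.

    - A non-inherited assignment counts only when made directly on the project.
      A plain domain assignment never reaches the domain's projects; it grants
      rights for domain-scoped tokens only. That is what the post observes.
    - An inherited assignment on the owning domain applies to every project in
      that domain; an inherited assignment on a project applies to all of its
      descendants but not to that project itself.
    - With OS-INHERIT disabled nothing is inherited (modeled by ignoring the
      flag; the real API refuses to create such assignments at all).
    """
    parents = ancestor_ids(project, projects)
    roles = set()
    for a in assignments:
        if a.user != user:
            continue
        if not a.inherited:
            if a.project_id == project.id:
                roles.add(a.role)
        elif os_inherit_enabled and (a.domain_id == project.domain_id
                                     or a.project_id in parents):
            roles.add(a.role)
    return roles


def project_scoped_token(user, project, assignments, projects, os_inherit_enabled=True):
    """Result of asking for a token scoped to `project`: Keystone answers
    HTTP 401 when the user holds no role there, which is the post's failure."""
    roles = effective_roles(user, project, assignments, projects, os_inherit_enabled)
    return (201, roles) if roles else (401, set())


def role_assignment_list(user, project, assignments, projects, effective=False):
    """`openstack role assignment list --user U --project P [--effective]`:
    without --effective only assignments made on P itself are listed, so a
    role inherited from the domain is invisible in that view."""
    if effective:
        return effective_roles(user, project, assignments, projects)
    return {a.role for a in assignments
            if a.user == user and a.project_id == project.id}


# Constructed data mirroring the post's layout (subproject is hypothetical).
PROJECTS = {p.id: p for p in (
    Project("emptytestproject", "default"),
    Project("labtestproject", "default"),
    Project("subproject", "default", parent_id="labtestproject"),
)}

# Exactly what the post's listings show: domain assignments with Inherited=False.
AS_POSTED = [
    Assignment("user", "novaadmin", domain_id="default"),
    Assignment("projectadmin", "novaadmin", domain_id="default"),
    Assignment("user", "novaadmin", project_id="labtestproject"),
    Assignment("projectadmin", "novaadmin", project_id="labtestproject"),
]

# The domain assignments recreated with `openstack role add --inherited`, plus a
# hypothetical inherited assignment on labtestproject meant for its children.
WITH_INHERIT = [
    Assignment("user", "novaadmin", domain_id="default", inherited=True),
    Assignment("projectadmin", "novaadmin", domain_id="default", inherited=True),
    Assignment("user", "novaadmin", project_id="labtestproject"),
    Assignment("projectadmin", "novaadmin", project_id="labtestproject"),
    Assignment("glanceadmin", "novaadmin", project_id="labtestproject", inherited=True),
]

if __name__ == "__main__":
    empty = PROJECTS["emptytestproject"]
    print("as posted      :", project_scoped_token("novaadmin", empty, AS_POSTED, PROJECTS))
    print("with --inherited:", project_scoped_token("novaadmin", empty, WITH_INHERIT, PROJECTS))
    print("os_inherit off :", project_scoped_token("novaadmin", empty, WITH_INHERIT, PROJECTS, False))
```

Two things the model makes visible. First, the listings in the post show `Inherited | False` for the domain assignments, and a non-inherited domain assignment is never expected to reach the domain's projects; an inherited one is created with `openstack role add --inherited --domain default --user novaadmin projectadmin`. Second, `openstack role assignment list --project ... --user ...` without `--effective` lists only assignments made on that project, so even a correctly inherited domain role would not show up there. In Keystone Liberty the `[os_inherit] enabled` option also defaults to false (it became enabled by default in Mitaka), so the extension has to be switched on server-side before inherited assignments can be created.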