Heiko -- Guang's response provides the hint that could get you where you want to go -- try using the V3 Identity API rather than the V2 admin API. The V2 admin API essentially ignores policy and only allows the admin role. Here are the docs on the V3 API: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md. The openstack client may provide a CLI for the commands you want to run.
-- Brant

On Fri, Jun 7, 2013 at 3:07 AM, Heiko Krämer <[email protected]> wrote:
> Hi Guang,
>
> thx for your hint but that's not the reason because in your example all
> users with the KeystoneAdmin role have the same rights as the admin and
> that's useless.
>
> @Adam so i've no chance to get the policy management working? I can't say
> the KeystoneAdmin role is only allowed to create and delete users and
> nothing more?
> I saw instead of the file a mysql based policy management but there's no cli
> commands available right?
>
> Thx and Greetings
> Heiko
>
> On 07.06.2013 07:59, Yee, Guang wrote:
> > I think keystone client is still V2 by default, which is enforcing
> > admin_required.
> >
> > Try this
> >
> > "admin_required": [["role:KeystoneAdmin"], ["role:admin"], ["is_admin:1"]],
> >
> > Guang
> >
> > *From:* Openstack [mailto:[email protected]]
> > *On Behalf Of *Adam Young
> > *Sent:* Thursday, June 06, 2013 7:28 PM
> > *To:* Heiko Krämer; openstack
> > *Subject:* Re: [Openstack] [Keystone] Policy settings not working correctly
> >
> > What is the actual question here? Is it "why is this failing" or "why
> > was it done that way?"
> >
> > On 06/04/2013 07:47 AM, Heiko Krämer wrote:
> > > Heyho guys :)
> > >
> > > I've a little problem with policy settings in keystone. I've created a new
> > > rule in my policy-file and restarted keystone but in keystone i don't have
> > > privileges.
> >
> > What is the rule?
> >
> > > Example:
> > >
> > > keystone user-create --name kadmin --pw lala
> > > keystone user-role-add --
> > > keystone role-list --user kadmin --role KeystoneAdmin --tenant admin
> > >
> > > +----------------------------------+----------------------+
> > > |                id                |         name         |
> > > +----------------------------------+----------------------+
> > > | 3f5c0af585db46aeaec49da28900de28 | KeystoneAdmin        |
> > > | dccfed0bd790420bbf1982686cbf7e31 | KeystoneServiceAdmin |
> > >
> > > cat /etc/keystone/policy.json
> > >
> > > {
> > >   "admin_required": [["role:admin"], ["is_admin:1"]],
> > >   "owner" : [["user_id:%(user_id)s"]],
> > >   "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
> > >   "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
> > >
> > >   "default": [["rule:admin_required"]],
> > >   [.....]
> > >   "identity:list_users": [["rule:admin_or_kadmin"]],
> > >   [....]
> > >
> > > <loading kadmin creds>
> > >
> > > keystone user-list
> > > Unable to communicate with identity service: {"error": {"message": "You
> > > are not authorized to perform the requested action: admin_required",
> > > "code": 403, "title": "Not Authorized"}}. (HTTP 403)
> > >
> > > In log file i see:
> > > DEBUG [keystone.policy.backends.rules] enforce admin_required:
> > > {'tenant_id': u'b33bf3927d4e449a98cec4a883148110', 'user_id':
> > > u'46a6a9e429db483f8346f0259e99d6a5', u'roles': [u'KeystoneAdmin']}
> > >
> > > Why does keystone enforce the *admin_required* rule instead of the defined
> > > rule (*admin_or_kadmin*)?
> >
> > Historical reasons. We are trying to clean this up.
> >
> > > Keystone conf:
> > > [...]
> > >
> > > # Path to your policy definition containing identity actions
> > > policy_file = policy.json
> > > [..]
> > > [policy]
> > > driver = keystone.policy.backends.rules.Policy
> > >
> > > Anyone have an idea?
> > >
> > > Thx and greetings
> > > Heiko
_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
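To make the disagreement in this thread concrete, here is an added example (not Keystone's own code, and not written by anyone in the thread) that re-implements the list-of-lists policy evaluation of the old `keystone.policy.backends.rules` driver as I read that format (outer list is OR, inner list is AND, `rule:`/`role:`/generic checks), loads the rules Heiko posted, and evaluates them against the creds from his DEBUG log line. It shows that `admin_or_kadmin` would have allowed the KeystoneAdmin role, while the `admin_required` check that the V2 admin API enforces for every action denies it.

```python
import json

# Constructed copy of the policy.json fragment Heiko posted (elided entries dropped).
POLICY = json.loads("""{
  "admin_required": [["role:admin"], ["is_admin:1"]],
  "owner": [["user_id:%(user_id)s"]],
  "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
  "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
  "default": [["rule:admin_required"]],
  "identity:list_users": [["rule:admin_or_kadmin"]]
}""")

# Caller creds as the DEBUG line in the thread printed them.
KADMIN_CREDS = {"tenant_id": "b33bf3927d4e449a98cec4a883148110",
                "user_id": "46a6a9e429db483f8346f0259e99d6a5",
                "roles": ["KeystoneAdmin"]}

def check(expr, creds, target, policy, depth):
    """Evaluate one 'kind:match' check (my reading of the old rules format)."""
    if depth > 16:  # a rule:a -> rule:b -> rule:a cycle would otherwise recurse forever
        raise ValueError("policy rule cycle")
    kind, _, match = expr.partition(":")
    if kind == "rule":                       # reference to another named rule
        return enforce(match, creds, target, policy, depth + 1)
    if kind == "role":                       # caller holds this role (case-insensitive)
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    try:                                     # generic check: creds[kind] == match % target
        return str(creds.get(kind)) == match % target
    except KeyError:                         # e.g. %(user_id)s with no user_id in target
        return False

def enforce(action, creds, target, policy=POLICY, depth=0):
    """Outer list is OR of alternatives, inner list is AND; unknown actions use 'default'."""
    alternatives = policy.get(action, policy.get("default", []))
    return any(all(check(c, creds, target, policy, depth) for c in conj)
               for conj in alternatives)

def v2_admin_api_allows(creds, policy=POLICY):
    """Behaviour the thread describes for the V2 admin API: the per-action rule
    is ignored and admin_required is enforced for everything."""
    return enforce("admin_required", creds, {}, policy)

def decisions(creds=KADMIN_CREDS):
    """What each relevant rule decides for the kadmin user from the thread."""
    return {"admin_required": enforce("admin_required", creds, {}),
            "admin_or_kadmin": enforce("admin_or_kadmin", creds, {}),
            "identity:list_users": enforce("identity:list_users", creds, {}),
            "v2_admin_api": v2_admin_api_allows(creds)}
```

Running `decisions()` returns `admin_or_kadmin` and `identity:list_users` as allowed but `admin_required` (and therefore the V2 admin API) as denied, which is exactly the 403 Heiko saw.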

